/// <summary>
/// The <see cref="GetUserDelegationKey"/> operation retrieves a
/// key that can be used to delegate Active Directory authorization to
/// shared access signatures created with <see cref="Sas.DataLakeSasBuilder"/>.
/// </summary>
/// <param name="startsOn">
/// Start time for the key's validity, with null indicating an
/// immediate start. The time should be specified in UTC.
/// </param>
/// <param name="expiresOn">
/// Expiration of the key's validity. The time should be specified
/// in UTC.
/// </param>
/// <param name="cancellationToken">
/// Optional <see cref="CancellationToken"/> to propagate
/// notifications that the operation should be cancelled.
/// </param>
/// <returns>
/// A <see cref="Response{UserDelegationKey}"/> describing
/// the use delegation key.
/// </returns>
/// <remarks>
/// A <see cref="RequestFailedException"/> will be thrown if
/// a failure occurs.
/// </remarks>
public virtual Response <UserDelegationKey> GetUserDelegationKey(
DateTimeOffset?startsOn,
DateTimeOffset expiresOn,
CancellationToken cancellationToken = default)
{
DiagnosticScope scope = ClientDiagnostics.CreateScope($"{nameof(DataLakeServiceClient)}.{nameof(GetUserDelegationKey)}");
try
{
scope.Start();
Response <Blobs.Models.UserDelegationKey> response = _blobServiceClient.GetUserDelegationKey(
startsOn,
expiresOn,
cancellationToken);
return(Response.FromValue(
new UserDelegationKey(response.Value),
response.GetRawResponse()));
}
catch (Exception ex)
{
scope.Failed(ex);
throw;
}
finally
{
scope.Dispose();
}
}
/// <summary>
/// Get SAS string
/// </summary>
public static string GetBlobSharedAccessSignature(AzureStorageContext context, BlobSasBuilder sasBuilder, bool generateUserDelegationSas, BlobClientOptions ClientOptions, CancellationToken cancelToken)
{
if (context != null && context.StorageAccount.Credentials.IsSharedKey)
{
return(sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(context.StorageAccountName, context.StorageAccount.Credentials.ExportBase64EncodedKey())).ToString());
}
if (generateUserDelegationSas)
{
global::Azure.Storage.Blobs.Models.UserDelegationKey userDelegationKey = null;
BlobServiceClient oauthService = new BlobServiceClient(context.StorageAccount.BlobEndpoint, context.Track2OauthToken, ClientOptions);
Util.ValidateUserDelegationKeyStartEndTime(sasBuilder.StartsOn, sasBuilder.ExpiresOn);
userDelegationKey = oauthService.GetUserDelegationKey(
startsOn: sasBuilder.StartsOn == DateTimeOffset.MinValue || sasBuilder.StartsOn == null ? DateTimeOffset.UtcNow : sasBuilder.StartsOn.ToUniversalTime(),
expiresOn: sasBuilder.ExpiresOn.ToUniversalTime(),
cancellationToken: cancelToken);
return(sasBuilder.ToSasQueryParameters(userDelegationKey, context.StorageAccountName).ToString());
}
else
{
throw new InvalidOperationException("Create SAS only supported with SharedKey or Oauth credentail.");
}
}
private string GetContainerSASWithServicePrincipal(BlobServiceClient service,
string storageAccount, string storageContainer, string blobName)
{
DateTimeOffset expiresOn = DateTimeOffset.UtcNow.AddHours(2);
BlobSasBuilder blobSasBuilder = new BlobSasBuilder
{
BlobContainerName = storageContainer,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(2)
};
blobSasBuilder.SetPermissions(
BlobContainerSasPermissions.Read |
BlobContainerSasPermissions.Create |
BlobContainerSasPermissions.List);
// the principal must have storage account level "Storage Blob Delegator" role to
// be able to get user delegation key
UserDelegationKey delegationKey = service.GetUserDelegationKey(null, expiresOn).Value;
var sasQueryParameters = blobSasBuilder.ToSasQueryParameters(delegationKey, storageAccount);
String uri = String.IsNullOrEmpty(blobName) ?
String.Format("https://{0}.blob.core.windows.net/{1}?restype=container&comp=list&{2}",
storageAccount,
storageContainer,
sasQueryParameters.ToString()) :
String.Format("https://{0}.blob.core.windows.net/{1}/{2}?{3}",
storageAccount,
storageContainer,
blobName,
sasQueryParameters.ToString());
return(uri);
}
private static string GetBlobSasToken(BlobBaseClient blob, AzureStorageContext context)
{
if (null == context.StorageAccount.Credentials ||
(context.StorageAccount.Credentials.IsAnonymous && !context.StorageAccount.Credentials.IsToken))
{
return(string.Empty);
}
else if (context.StorageAccount.Credentials.IsSAS)
{
return(context.StorageAccount.Credentials.SASToken);
}
// SAS life time is at least 10 minutes.
TimeSpan sasLifeTime = TimeSpan.FromMinutes(CopySASLifeTimeInMinutes);
if (context.StorageAccount.Credentials.IsToken)
{
sasLifeTime = TimeSpan.FromMinutes(CopySASLifeTimeInMinutesOauth);
}
BlobSasBuilder sasBuilder = new BlobSasBuilder
{
BlobContainerName = blob.BlobContainerName,
BlobName = blob.Name,
ExpiresOn = DateTimeOffset.UtcNow.Add(sasLifeTime),
};
if (Util.GetVersionIdFromBlobUri(blob.Uri) != null)
{
sasBuilder.BlobVersionId = Util.GetVersionIdFromBlobUri(blob.Uri);
}
sasBuilder.SetPermissions("rt");
string sasToken = null;
if (context != null && context.StorageAccount.Credentials.IsToken) //oauth
{
global::Azure.Storage.Blobs.Models.UserDelegationKey userDelegationKey = null;
BlobServiceClient oauthService = new BlobServiceClient(context.StorageAccount.BlobEndpoint, context.Track2OauthToken, null);
Util.ValidateUserDelegationKeyStartEndTime(sasBuilder.StartsOn, sasBuilder.ExpiresOn);
userDelegationKey = oauthService.GetUserDelegationKey(
startsOn: sasBuilder.StartsOn == DateTimeOffset.MinValue || sasBuilder.StartsOn == null? DateTimeOffset.UtcNow : sasBuilder.StartsOn.ToUniversalTime(),
expiresOn: sasBuilder.ExpiresOn.ToUniversalTime());
sasToken = sasBuilder.ToSasQueryParameters(userDelegationKey, context.StorageAccountName).ToString();
}
else // sharedkey
{
sasToken = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(context.StorageAccountName, context.StorageAccount.Credentials.ExportBase64EncodedKey())).ToString();
}
if (sasToken[0] != '?')
{
sasToken = "?" + sasToken;
}
return(sasToken);
}
public virtual Response <UserDelegationKey> GetUserDelegationKey(
DateTimeOffset?start,
DateTimeOffset expiry,
CancellationToken cancellationToken = default)
{
Response <Blobs.Models.UserDelegationKey> response = _blobServiceClient.GetUserDelegationKey(
start,
expiry,
cancellationToken);
return(Response.FromValue(
new UserDelegationKey(response.Value),
response.GetRawResponse()));
}
public static string CreateSASToken(string BlobStorageAccountName, string BlobStorageContainerName, string BlobStorageFolderPath, string DataFileName, int accessDuration)
{
// Get a credential and create a client object for the blob container. Note using new Azure Core credential flow
BlobServiceClient blobClient = new BlobServiceClient(new Uri(BlobStorageAccountName),
new DefaultAzureCredential());
//blobClient.GetProperties();
var startDate = DateTimeOffset.UtcNow.AddMinutes(-1);
var endDate = DateTimeOffset.UtcNow.AddDays(accessDuration);
// Get a user delegation key for the Blob service that's valid for seven days.
// You can use the key to generate any number of shared access signatures over the lifetime of the key.
UserDelegationKey key = blobClient.GetUserDelegationKey(startDate, endDate);
Uri BlobUri = new Uri(BlobStorageAccountName);
BlobContainerClient containerClient = new BlobContainerClient(BlobUri, new DefaultAzureCredential());
// Create a SAS token
BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
BlobContainerName = BlobStorageContainerName,
BlobName = String.Format("{0}{1}", BlobStorageFolderPath, DataFileName),
Resource = "b",
StartsOn = startDate,
ExpiresOn = endDate,
Protocol = SasProtocol.Https
};
// Specify read permissions for the SAS.
BlobSasPermissions perms = BlobSasPermissions.Create | BlobSasPermissions.Write;
sasBuilder.SetPermissions(perms);
// Use the key to get the SAS token.
string sasToken = sasBuilder.ToSasQueryParameters(key, BlobUri.Host.Split('.')[0]).ToString();
// Construct the full URI, including the SAS token.
UriBuilder fullUri = new UriBuilder()
{
Scheme = "https",
Host = string.Format("{0}.blob.core.windows.net", BlobUri.Host.Split('.')[0]),
Path = string.Format("{0}/{1}{2}", BlobStorageContainerName, BlobStorageFolderPath, DataFileName),
Query = sasToken
};
string retvar = "&Path=" + Uri.EscapeDataString(fullUri.Path.ToString());
retvar += "&" + sasToken;
return(retvar);
}
private static string GenerateSASToken()
{
var storageUrl = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_URL");
var blobUrl = Environment.GetEnvironmentVariable("BLOB_URL");
var identity = CreateManagedIdentityCredential();
var blobClient = new BlobClient(new Uri(blobUrl), identity);
var blobSasBuilder = new Azure.Storage.Sas.BlobSasBuilder();
blobSasBuilder.BlobContainerName = blobClient.BlobContainerName;
blobSasBuilder.BlobName = blobClient.Name;
blobSasBuilder.SetPermissions(Azure.Storage.Sas.BlobSasPermissions.All);
blobSasBuilder.ExpiresOn = new DateTimeOffset(DateTime.Now.AddDays(1));
var blobServiceClient = new BlobServiceClient(new Uri(storageUrl), identity);
var userDelegationKey = blobServiceClient.GetUserDelegationKey(new DateTimeOffset(DateTime.Now), new DateTimeOffset(DateTime.Now.AddDays(2)));
var parameters = blobSasBuilder.ToSasQueryParameters(userDelegationKey, blobClient.AccountName);
return(parameters.ToString());
}
static void Main(string[] args)
{
string storageAccount = "az204testing";
DateTimeOffset startTimeKey = DateTimeOffset.UtcNow;
DateTimeOffset endTimeKey = DateTimeOffset.UtcNow.AddDays(7);
DateTimeOffset startTimeSAS = startTimeKey;
DateTimeOffset endTimeSAS = startTimeSAS.AddDays(1);
Uri blobEndpointUri = new Uri($"https://{storageAccount}.blob.core.windows.net");
var defaultCredentials = new DefaultAzureCredential(true);
BlobServiceClient blobClient = new BlobServiceClient(blobEndpointUri,
defaultCredentials);
//Get the key. We are going to use this key for creating the SAS
UserDelegationKey key = blobClient.GetUserDelegationKey(startTimeKey,
endTimeKey);
System.Console.WriteLine($"User Key Starts on: {key.SignedStartsOn}");
System.Console.WriteLine($"User Key Expires on: {key.SignedExpiresOn}");
System.Console.WriteLine($"User Key Service: {key.SignedService}");
System.Console.WriteLine($"User Key Version: {key.SignedVersion}");
//We need to use the BlobSasBuilder for creating the SAS
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
StartsOn = startTimeSAS,
ExpiresOn = endTimeSAS
};
//We set the permissions Create, List, Add, Read, and Write
blobSasBuilder.SetPermissions("clarw");
string sasToken = blobSasBuilder.ToSasQueryParameters
(key, storageAccount).ToString();
System.Console.WriteLine($"SAS Token: {sasToken}");
}
private async Task <UserDelegationKey> GetUserDelegationKey(DateTimeOffset?expiration = null)
{
// refresh user-delegation key as necessary, valid for up to a maximum of 7 days
if (__userDelegationKey == null || (expiration != null && __userDelegationKey.SignedExpiresOn <= expiration))
{
lock (UserDelegationLock)
{
// additional check is neccessary to ensure that token hasnt been refreshed while thread was waiting for lock to be released
if (__userDelegationKey == null || (expiration != null && __userDelegationKey.SignedExpiresOn <= expiration))
{
var response = _client.GetUserDelegationKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(UserDelegationKeyLifetimeInDays));
if (response == null)
{
throw new ArgumentNullException($"User account delegation key generation failed for storage account: {_client.AccountName}");
}
__userDelegationKey = response.Value;
}
}
}
return(__userDelegationKey);
}
static void MainUse(string[] args)
{
string storageAccount = "az204testing";
string containerName = "az204-blob-testing";
string blobName = System.IO.Path.GetRandomFileName();
DateTimeOffset startTimeKey = DateTimeOffset.UtcNow;
DateTimeOffset endTimeKey = DateTimeOffset.UtcNow.AddDays(7);
DateTimeOffset startTimeSAS = startTimeKey;
DateTimeOffset endTimeSAS = startTimeSAS.AddYears(1);
Uri blobEndpointUri = new Uri($"https://{storageAccount}.blob.core.windows.net");
var defaultCredentials = new DefaultAzureCredential(true);
BlobServiceClient blobClient = new BlobServiceClient(blobEndpointUri,
defaultCredentials);
//Get the key. We are going to use this key for creating the SAS
UserDelegationKey key = blobClient.GetUserDelegationKey(startTimeKey,
endTimeKey);
Console.WriteLine($"User Key Starts on: {key.SignedStartsOn}");
Console.WriteLine($"User Key Expires on: {key.SignedExpiresOn}");
Console.WriteLine($"User Key Service: {key.SignedService}");
Console.WriteLine($"User Key Version: {key.SignedVersion}");
//We need to use the BlobSasBuilder for creating the SAS
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = containerName,
BlobName = blobName,
Resource = "b",
StartsOn = startTimeSAS,
ExpiresOn = endTimeSAS,
Protocol = Azure.Storage.Sas.SasProtocol.Https
};
//We set the permissions Create, List, Add, Read, and Write
blobSasBuilder.SetPermissions(BlobSasPermissions.All);
string sasToken = blobSasBuilder.ToSasQueryParameters
(key, storageAccount).ToString();
Console.WriteLine($"SAS Token: {sasToken}");
//We construct the full URI for accessing the Azure Storage Account
UriBuilder blobUri = new UriBuilder()
{
Scheme = "https",
Host = $"{storageAccount}.blob.core.windows.net",
Path = $"{containerName}/{blobName}",
Query = sasToken
};
//We create a random text file
using (System.IO.StreamWriter sw = System.IO.File.CreateText(blobName))
{
sw.Write("This is a testing blob for uploading using user delegated SAS tokens");
}
BlobClient testingBlob = new BlobClient(blobUri.Uri);
testingBlob.Upload(blobName);
//Now we download the blob again and print the content.
Console.WriteLine($"Reading content from testing blob {blobName}");
Console.WriteLine();
BlobDownloadInfo downloadInfo = testingBlob.Download();
using (StreamReader sr = new StreamReader(downloadInfo.Content, true))
{
string line;
while ((line = sr.ReadLine()) != null)
{
Console.WriteLine(line);
}
}
Console.WriteLine();
Console.WriteLine("Finished reading content from testing blob");
}
