How to generate SAS token in azure JS SDK, from app client, without using account key

Time:03-26

How to pre-sign a URL in Azure using the JavaScript SDK with App registrations: Application (client) ID, client secret (value), Tenant_id, and also account name, container name, blob name. I am not able to generate a container-level SAS token for giving temporary access to my files.

    const { ClientSecretCredential } = require("@azure/identity");
    const { BlobServiceClient } = require("@azure/storage-blob");

    const account = "accountName";
    const containerName = "containerName";
    const blobName = "blob";

    // Service principal from the app registration (placeholders; normally read from environment variables)
    const credential = new ClientSecretCredential(
        "AZURE_TENANT_ID",
        "AZURE_CLIENT_ID",
        "AZURE_CLIENT_SECRET"
    );

    const blobServiceClient = new BlobServiceClient(
        `https://${account}.blob.core.windows.net`,
        credential
    );

    const containerClient = blobServiceClient.getContainerClient(containerName);
    let blobs = containerClient.listBlobsFlat({ includeMetadata: true }); // works ok (async iterator)

    // getToken() requires a scope; it returns an Azure AD access token, not a SAS
    await credential.getToken("https://storage.azure.com/.default"); // how to generate sas token for my container to sign url ?

I do not want to use the account key, and it seems the generateBlobSASQueryParameters function works with the account key.

CodePudding user response:

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible.

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet

The link has a .NET sample, but you could translate to javascript.

There are also some test cases here demonstrating the usage: get a user delegation key from BlobServiceClient, then pass the user delegation key to generateBlobSASQueryParameters().

CodePudding user response:

I have succeeded with the following steps.

I had to add the Storage Blob Delegator and Storage Blob Data Reader roles to my application client in the storage container's IAM, and add the following code to the one above.

    const { generateBlobSASQueryParameters, ContainerSASPermissions } = require("@azure/storage-blob");

    // Date.valueOf() is in milliseconds, so a bare 86400 would be about 86 seconds; use one full day
    const ONE_DAY_MS = 86400 * 1000;
    const startsOn = new Date();
    const expiresOn = new Date(startsOn.valueOf() + ONE_DAY_MS);

    // Requires the Storage Blob Delegator role; this key signs the SAS instead of the account key
    const userDelegationKey = await blobServiceClient.getUserDelegationKey(startsOn, expiresOn);
    const containerSAS = generateBlobSASQueryParameters({
        containerName,
        permissions: ContainerSASPermissions.parse("r"), // read only
        startsOn,
        expiresOn,
        version: "2018-11-09"
    },
    userDelegationKey,
    account
    ).toString();
    console.log(`${containerClient.getBlockBlobClient(blobName).url}?${containerSAS}`);
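Two things worth checking around the steps above, as an added example that is not part of the original post or of the Azure SDK: building the start/expiry window in the right unit (milliseconds) and clamped to the seven-day maximum Azure allows for a user delegation key, and inspecting a produced SAS string to confirm it is signed with a user delegation key (the `skoid`, `sktid`, `skt`, `ske`, `sks` and `skv` parameters are present) rather than the account key, and how long it remains valid. The function names `sasWindow` and `inspectSas` and the sample SAS strings are constructed for this example; the signatures and object IDs in them are placeholders.

```javascript
// Added example (not from the original post or the Azure SDK).
// sasWindow(): startsOn/expiresOn pair for getUserDelegationKey() and
//              generateBlobSASQueryParameters(), computed in milliseconds.
// inspectSas(): parse a SAS URL or query string and report how it was signed
//               and how long it remains valid.

// Documented upper bound on the validity of a user delegation key.
const MAX_DELEGATION_KEY_SECONDS = 7 * 24 * 3600;

// ttlSeconds is what callers usually reason in; Date.valueOf() is milliseconds.
function sasWindow(ttlSeconds, now = new Date()) {
  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
    throw new RangeError("ttlSeconds must be a positive number");
  }
  const ttl = Math.min(ttlSeconds, MAX_DELEGATION_KEY_SECONDS);
  // Start a few minutes in the past to absorb clock skew against the storage service.
  const startsOn = new Date(now.valueOf() - 5 * 60 * 1000);
  const expiresOn = new Date(now.valueOf() + ttl * 1000);
  return { startsOn, expiresOn };
}

// Query parameters that only appear on a SAS signed with a user delegation key.
const DELEGATION_PARAMS = ["skoid", "sktid", "skt", "ske", "sks", "skv"];

function inspectSas(sasUrlOrQuery, now = new Date()) {
  const query = sasUrlOrQuery.includes("?") ? sasUrlOrQuery.split("?")[1] : sasUrlOrQuery;
  const params = new URLSearchParams(query);
  const missing = DELEGATION_PARAMS.filter((p) => !params.has(p));
  const expiry = params.get("se");
  const expiresOn = expiry ? new Date(expiry) : null;
  const secondsLeft = expiresOn ? Math.round((expiresOn.valueOf() - now.valueOf()) / 1000) : null;
  return {
    signedWithUserDelegationKey: missing.length === 0 && params.has("sig"),
    missingDelegationParams: missing,
    resource: params.get("sr"),     // "c" = container, "b" = blob
    permissions: params.get("sp"),  // e.g. "r" for read only
    secondsLeft,
    expired: secondsLeft !== null && secondsLeft <= 0,
  };
}

// Constructed sample values (placeholder IDs and signatures, not real ones).
const SAMPLE_DELEGATION_SAS =
  "https://accountName.blob.core.windows.net/containerName/blob?sv=2018-11-09&sr=c&sp=r" +
  "&st=2024-01-01T00%3A00%3A00Z&se=2024-01-02T00%3A00%3A00Z" +
  "&skoid=00000000-0000-0000-0000-000000000000&sktid=00000000-0000-0000-0000-000000000000" +
  "&skt=2024-01-01T00%3A00%3A00Z&ske=2024-01-02T00%3A00%3A00Z&sks=b&skv=2018-11-09&sig=EXAMPLE";
const SAMPLE_ACCOUNT_KEY_SAS =
  "sv=2018-11-09&sr=c&sp=r&st=2024-01-01T00%3A00%3A00Z&se=2024-01-02T00%3A00%3A00Z&sig=EXAMPLE";

console.log(sasWindow(86400));
console.log(inspectSas(SAMPLE_DELEGATION_SAS));
console.log(inspectSas(SAMPLE_ACCOUNT_KEY_SAS));
```

The `sasWindow` result is what to pass as `startsOn`/`expiresOn` in the SDK calls from the answer; `inspectSas` is handy in a test or a log hook to make sure the URLs you hand out are delegation-signed, read-only and short-lived.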