I am trying to create a user delegation SAS for a storage account blob in Azure and found this document:
https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
Looking through the document, I found that a user delegation SAS grants access to Azure Blob Storage resources by using Microsoft Entra credentials; we need to create a "User Delegation Key" to sign the user delegation SAS (shared access signature).
It also mentions that we can specify the user delegation key to be valid for up to seven days and create SAS tokens over the lifetime of the key.
I need the SAS token to last longer. The SAS token needs to be static and will be securely shared with an external client for at least one month.
The alternative would be to create a service SAS:
https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas
As Microsoft recommends using Microsoft Entra ID with managed identities, could you please let me know if there are any other methods that I can use Microsoft Entra ID with managed identities to create a SAS token for at least one month?
You can use the Python code below or a REST API request to create a Service SAS token with a managed identity.
Code:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.storage import StorageManagementClient
from datetime import datetime, timedelta


def main():
    # Client ID of the user-assigned managed identity. It needs a role on the
    # storage account that allows Microsoft.Storage/storageAccounts/listServiceSas/action.
    client_id = "xxxx"
    client = StorageManagementClient(
        credential=DefaultAzureCredential(managed_identity_client_id=client_id),
        subscription_id="xxx",
    )
    start_time = datetime.utcnow()
    expiry_time = start_time + timedelta(days=30)
    # The management plane signs the SAS with the account key on our behalf,
    # so the storage account key is never handled in this code.
    response = client.storage_accounts.list_service_sas(
        resource_group_name="<Your-resource-group-name>",
        account_name="<storage-account-name>",
        parameters={
            "canonicalizedResource": "/blob/<STORAGE ACCOUNT NAME>/<CONTAINER NAME>",
            "signedExpiry": expiry_time.strftime('%Y-%m-%dT%H:%M:%SZ'),
            "signedPermission": "rcwl",  # read, create, write, list
            "signedProtocol": "https",   # reject plain HTTP use of the token
            "signedResource": "c",       # c = container
        },
    )
    print(response)


if __name__ == "__main__":
    main()
```
Output:

```
{'additional_properties': {}, 'service_sas_token': 'sv=2015-04-05&sr=c&spr=https&se=2024-07-05T08%3A29%3A19.0000000Z&sp=rcwl&sig=P%2Bhz6xxxxxx%3D'}
```
The above code will generate a Service SAS token valid for one month.
Reference:
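Because a Service SAS like the one above is handed to an external party for a month, it is worth checking the generated token against a policy before sharing it. The following is an added example (not code from the answer or from the Azure SDK); it parses the SAS query string and flags HTTPS, expiry, lifetime and permission violations, and optionally requires a stored access policy (`si`) so the token can be revoked without rotating the account key. The sample token is the redacted one from the answer's output; `check_sas_policy` and its arguments are this example's own names.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample: the token shape returned by the answer's code, signature redacted.
SAMPLE_SAS = ("sv=2015-04-05&sr=c&spr=https&se=2024-07-05T08%3A29%3A19.0000000Z"
              "&sp=rcwl&sig=P%2Bhz6xxxxxx%3D")


def parse_sas_time(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp as used in the SAS 'se'/'st' fields.

    Azure may emit up to seven fractional-second digits, which
    datetime.fromisoformat does not accept on every Python version,
    so the fraction is stripped before parsing.
    """
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unsupported timestamp: {value}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_sas_policy(sas: str, now_utc: str, max_days: int, allowed_perms: str,
                     require_stored_policy: bool = False) -> list:
    """Return policy violations for a SAS query string (empty list = token passes).

    now_utc is the reference time as 'YYYY-MM-DDTHH:MM:SSZ'; max_days is the
    longest lifetime the policy allows; allowed_perms lists the permitted
    'sp' letters (e.g. 'rl' for read and list).
    """
    fields = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
    now = parse_sas_time(now_utc)
    problems = []
    if fields.get("spr") != "https":
        problems.append("not restricted to HTTPS (spr)")
    if "se" not in fields:
        problems.append("no expiry (se)")
    else:
        expiry = parse_sas_time(fields["se"])
        if expiry <= now:
            problems.append("already expired")
        elif expiry - now > timedelta(days=max_days):
            problems.append(f"lifetime exceeds {max_days} days")
    extra = set(fields.get("sp", "")) - set(allowed_perms)
    if extra:
        problems.append("permissions beyond policy: " + "".join(sorted(extra)))
    if require_stored_policy and "si" not in fields:
        # An ad-hoc Service SAS can only be revoked early by rotating the account key;
        # a token bound to a stored access policy is revoked by deleting that policy.
        problems.append("no stored access policy (si); not revocable without key rotation")
    return problems
```

For the answer's token, a policy that allows only read and list would flag the extra create and write permissions, which is the kind of least-privilege review an external share should get.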