
azblob - implement UserDelegationCredential

Open alexg-axis opened this issue 3 years ago • 6 comments

Feature Request

This feature request is for the "new" azblob package.

Background

In order to create a SAS token, one uses the azblob.BlobSASSignatureValues.NewSASQueryParameters function:

https://github.com/Azure/azure-sdk-for-go/blob/8c965f7cbb93f9fdf1fec8df5416f193e0bd465e/sdk/storage/azblob/zc_sas_service.go#L33-L36

It specifies that it is compatible with UserDelegationCredential. This seems to be left from before the SDK was imported. There seems to be no UserDelegationCredential anywhere in this repository, in fact.

Request

It's quite the hassle to fetch a user delegation key and then manually create the final SAS token.

I request a feature to easily create a UserDelegationCredential for use with NewSASQueryParameters so that a delegated SAS token can be created using the SDK.

alexg-axis avatar Jan 25 '22 14:01 alexg-axis

Hey @alexg-axis,

Thanks for reaching out! We're planning to add that feature in the March release, most likely!

mohsha-msft avatar Jan 27 '22 16:01 mohsha-msft

@mohsha-msft Is it still planned for release in March?

alexg-axis avatar Mar 17 '22 10:03 alexg-axis

Hey @alexg-axis, yes, I am planning to add it in the next release. The timeline for the next release has been shifted due to some important changes we need to make.

mohsha-msft avatar Mar 17 '22 12:03 mohsha-msft

I also need this functionality. We are trying to obey the "principle of least privilege" here, but not being able to (easily) work with service principals makes this really difficult. Having to use a very privileged access key to create signed URLs seems totally backward.

mt35-rs avatar Mar 22 '22 19:03 mt35-rs

I implemented a version of user delegation SAS for the Azure Velero plugin here: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/pull/111/files#diff-1d780eb4040da13fa413bf2491ee1595a92a19977f6aeb27e66cb8a668377042

Pull request: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/pull/111

It would be nice if the SDK would provide this functionality directly!

yvespp avatar May 04 '22 16:05 yvespp

Hi. Is there any update on this? Is there a way I can generate a SAS token without SharedKeyCredential, as this requires the use of the storage account key? I want to use managed identity with NewDefaultAzureCredential, and this can be achieved only via UserDelegationCredential.

abdullah-lt avatar Jul 19 '22 19:07 abdullah-lt

@mohsha-msft Hi! Is there any timeline on when this will be fixed?

alexg-axis avatar Sep 08 '22 15:09 alexg-axis

Update: this feature is being actively worked on here -> https://github.com/Azure/azure-sdk-for-go/pull/19141

zezha-msft avatar Sep 20 '22 18:09 zezha-msft

Hi @alexg-axis! We have released the User Delegation feature (https://github.com/Azure/azure-sdk-for-go/releases/tag/sdk%2Fstorage%2Fazblob%2Fv0.5.0) today. Please give it a try and let us know if you have any questions!

Examples can be found here: https://github.com/Azure/azure-sdk-for-go/blob/7a3989f70fa6c2d4376d0c72c01b5afc32b527f7/sdk/storage/azblob/service/examples_test.go#L286

siminsavani-msft avatar Sep 29 '22 21:09 siminsavani-msft