azblob - implement UserDelegationCredential #16916

Closed
alexg-axis opened this issue Jan 25, 2022 · 9 comments

@alexg-axis

Feature Request

This feature request is for the "new" azblob package.

Background

In order to create a SAS token, one uses the azblob.BlobSASSignatureValues.NewSASQueryParameters function:

// NewSASQueryParameters uses an account's StorageAccountCredential to sign this signature values to produce
// the proper SAS query parameters.
// See: StorageAccountCredential. Compatible with both UserDelegationCredential and SharedKeyCredential
func (v BlobSASSignatureValues) NewSASQueryParameters(sharedKeyCredential *SharedKeyCredential) (SASQueryParameters, error) {

It specifies that it is compatible with UserDelegationCredential. This seems to be left from before the SDK was imported. There seems to be no UserDelegationCredential anywhere in this repository, in fact.

Request

It's quite the hassle to fetch a user delegation key and then manually create the final SAS token.

I request a feature to easily create a UserDelegationCredential for use with NewSASQueryParameters so that a delegated SAS token can be created using the SDK.

@mohsha-msft
Contributor

Hey @alexg-axis,

Thanks for reaching out!
We're planning to add that feature in the March release, most likely!

@alexg-axis
Author

@mohsha-msft Is it still planned for release in March?

@mohsha-msft
Contributor

Hey @alexg-axis, yes, I am planning to add it in the next release. The timeline for the next release has been shifted due to some important changes we need to make.

@mt35-rs

mt35-rs commented Mar 22, 2022

I also need this functionality. We are trying to obey the "principle of least privilege" here, but not being able to (easily) work with service principals makes this really difficult. Having to use a very privileged access key to create signed URLs seems totally backward.
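
The distinction raised in this thread can be checked on any SAS URL from its query parameters. The following is an added example, not part of the thread or the SDK: it classifies a URL as carrying a user delegation SAS (signed-key fields present) or a service/account SAS (signed with the storage account key). The function name, constants and sample URL are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// SAS kinds, distinguished by which key produced the signature.
const (
	UserDelegation = "user-delegation" // key issued via Azure AD, no account key involved
	Service        = "service"         // signed with the storage account key
	Account        = "account"         // signed with the storage account key
	NotSAS         = "not-sas"
)

// Signed-key fields that only a user delegation SAS carries.
var udkFields = []string{"skoid", "sktid", "skt", "ske", "sks", "skv"}

// ClassifySAS reports which kind of SAS, if any, a blob URL carries.
func ClassifySAS(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return NotSAS, err
	}
	q := u.Query()
	if q.Get("sig") == "" {
		return NotSAS, nil
	}
	n := 0
	for _, f := range udkFields {
		if q.Get(f) != "" {
			n++
		}
	}
	switch {
	case n == len(udkFields):
		return UserDelegation, nil
	case n > 0: // a partial set is malformed, so report it instead of guessing
		return NotSAS, fmt.Errorf("only %d of %d signed-key fields present", n, len(udkFields))
	case q.Get("ss") != "" && q.Get("srt") != "":
		return Account, nil
	}
	return Service, nil
}

func main() {
	// Constructed sample URL; the signature value is a placeholder.
	kind, err := ClassifySAS("https://example.blob.core.windows.net/c/b?sv=2020-10-02&sr=b&sp=r&se=2022-03-23T00:00:00Z&sig=placeholder")
	fmt.Println(kind, err) // account-key-signed tokens like this one are the ones to flag
}
```

Tokens classified as `service` or `account` were signed with the storage account key and are the ones to flag when reviewing configuration or logs for least-privilege violations.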

@yvespp

yvespp commented May 4, 2022

I implemented a version of user delegation SAS for the Azure Velero plugin here: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/pull/111/files#diff-1d780eb4040da13fa413bf2491ee1595a92a19977f6aeb27e66cb8a668377042
Pull request: vmware-tanzu/velero-plugin-for-microsoft-azure#111

It would be nice if the SDK would provide this functionality directly!

@abdullah-lt

abdullah-lt commented Jul 19, 2022

Hi. Is there any update on this?
Is there a way I can generate a SAS token without SharedKeyCredential, as this requires the use of the storage account key? I want to use managed identity with NewDefaultAzureCredential, and this can be achieved only via UserDelegationCredential.

@alexg-axis
Author

@mohsha-msft Hi! Is there any timeline on when this will be fixed?

@zezha-msft

Update: this feature is being actively worked on here -> #19141

@siminsavani-msft
Member

Hi @alexg-axis! We have released the User Delegation feature (https://github.com/Azure/azure-sdk-for-go/releases/tag/sdk%2Fstorage%2Fazblob%2Fv0.5.0) today. Please give it a try and let us know if you have any questions!

Examples can be found here:

func Example_service_Client_NewClientWithUserDelegationCredential() {
