Support for GetSASURL for signing BLOB URLs using User Delegation Credentials #22719
Labels: customer-reported, feature-request, needs-team-attention, question, Storage
Feature Request
Today the GetSASURL only supports signing Blob URLs when the client was instantiated by using shared account keys, while it's still allowable to generate SAS URLs with user delegation credentials - indeed the usage of user delegation credentials is promoted as the most secure option - using the SignWithUserDelegation.SignWithUserDelegation API interface, the GetSASURL does not allow any usage of it.

This prevents users from having an orthogonal API which works seamlessly with one or another authentication method, where ideally the GetSASURL could be agnostic to how the client was instantiated, supporting both ways of generating SAS URLs.

Side effects of using user delegation credentials for getting SAS URLs

From my understanding, one of the downsides of using SAS URLs is that every call to GetSASURL would need to make an HTTP call for getting a new delegation key. This could impact the latency of generating a new SAS URL, since a new HTTP call would need to be made, and it would also impact the costs for the since all calls for getting a user delegation key would get billed.

If this was or is a concern for not having GetSASURL also support user delegation credentials, this could be - unless I'm missing something - addressed by reusing the same delegation key more than once, having it refreshed behind the scenes by the SDK with a key expiration that should be at least longer than the max expiry time of the SAS URLs.

This could be a feature that the user could opt into in case the user would want to address the two concerns expressed; otherwise the default behaviour could still be the usage of 1 single delegation key per call to the GetSASURL method.

If you believe that this is something that you would be up to adding in the SDK, I would be more than happy to work on a PR.
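Added example, not part of the original issue and not code from the SDK: a Go sketch of the key-reuse idea proposed above, where one delegation key serves many SAS URLs and is re-requested only when it would expire before the SAS being signed. `KeyCache`, `KeyFor`, `Fetch`, `Lifetime` and `Now` are hypothetical names, and `Fetch` stands in for the HTTP request that obtains a user delegation key.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// KeyCache reuses one user delegation key of type K across many SAS URLs (hypothetical helper).
type KeyCache[K any] struct {
	Fetch    func(ctx context.Context, expiry time.Time) (K, error) // the billed HTTP call
	Lifetime time.Duration                                          // validity requested per key
	Now      func() time.Time                                       // injectable clock
	mu       sync.Mutex
	key      K
	expiry   time.Time // zero until the first successful fetch
}

// KeyFor returns a key that expires after sasExpiry, fetching only when the cached one does not.
func (c *KeyCache[K]) KeyFor(ctx context.Context, sasExpiry time.Time) (k K, err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.expiry.After(sasExpiry) {
		return c.key, nil // cached key outlives the SAS: no HTTP call
	}
	keyExpiry := c.Now().Add(c.Lifetime)
	if !keyExpiry.After(sasExpiry) {
		// A SAS stops working once its signing key expires, so refuse instead of signing.
		return k, fmt.Errorf("SAS expiry %v is past the key lifetime %v", sasExpiry, c.Lifetime)
	}
	k, err = c.Fetch(ctx, keyExpiry)
	if err == nil {
		c.key, c.expiry = k, keyExpiry
	}
	return k, err
}

func main() {
	calls := 0
	c := &KeyCache[string]{Lifetime: 6 * time.Hour, Now: time.Now,
		Fetch: func(context.Context, time.Time) (string, error) {
			calls++ // constructed stand-in for the HTTP request
			return "constructed-key", nil
		}}
	for i := 0; i < 100; i++ {
		c.KeyFor(context.Background(), time.Now().Add(time.Hour))
	}
	fmt.Println("key requests for 100 SAS URLs:", calls)
}
```

The trade-off of reuse is that every SAS signed with the cached key shares that key's fate: when the key expires or is revoked, all of them stop working together.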