Is it possible to create a SAS token for a directory in DataLake Gen2 storage?
I have an Azure Function that triggers from a directory (namespace) nested within an ADLS Gen 2 storage container.
Example:
ADLS_AccountName/topLevelContainer/Directory1/Directory2/{name}
Unfortunately, the Function requires the Connection string of the entire DataLake as an input binding (stored as an app setting in local.settings.json).
This is far too much permission for a Function to have.
How do I generate a SAS token for a given nested namespace and use that as the app setting for the Function?
Solution 1:[1]
The answer marked as correct is no longer accurate. Please look at https://docs.microsoft.com/en-us/dotnet/api/azure.storage.sas.datalakesasbuilder?view=azure-dotnet. Starting with service version 2020-02-10, it is possible to generate a SAS token for a directory in an ADLS Gen2 account.
Solution 2:[2]
Unfortunately, it is not possible to create a SAS token for a specific folder in an ADLS Gen2 storage account. But you can leverage Access Control Lists to grant permission to a specific file or directory.
You can associate a security principal with an access level to your directories and files from your application. (Note: ACLs apply only to security principals in the same tenant)
If you are granting permissions by using only ACLs (no RBAC), then to grant a security principal read or write access to a folder, you'll need to give the security principal Execute permissions to the container, and to each folder in the hierarchy of folders that lead to the desired folder/file.
Here is an example that gets and sets the ACL of a directory named my-directory. The string user::rwx,group::r-x,other::rw- gives the owning user read, write, and execute permissions, gives the owning group only read and execute permissions, and gives all others read and write permission.
```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;

public async Task ManageDirectoryACLs(DataLakeFileSystemClient fileSystemClient)
{
    DataLakeDirectoryClient directoryClient =
        fileSystemClient.GetDirectoryClient("my-directory");

    // Read the current ACL and print each entry (e.g. "user::rwx").
    PathAccessControl directoryAccessControl =
        await directoryClient.GetAccessControlAsync();
    foreach (var item in directoryAccessControl.AccessControlList)
    {
        Console.WriteLine(item.ToString());
    }

    // Replace the whole ACL: owning user rwx, owning group r-x, everyone else rw-.
    IList<PathAccessControlItem> accessControlList
        = PathAccessControlExtensions.ParseAccessControlList
            ("user::rwx,group::r-x,other::rw-");
    await directoryClient.SetAccessControlListAsync(accessControlList);
}
```
For more details, you could refer to this article.
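The traversal rule in this answer (Execute on the container and on every directory leading to the target, real permissions only on the target) is easy to get wrong by hand on a deep path. The following is an added example, not code from the original post or from any Azure SDK: it computes the minimal set of ACL entries for one security principal on a nested directory. Assumed: the principal is identified by its object ID in the `[default:]user:<object-id>:<rwx>` ACE syntax that ADLS Gen2 accepts, paths are relative to the container (file system) root, and `/` denotes that root. The object ID in the demo is constructed.

```python
"""Minimal ACL entries for one security principal on a nested ADLS Gen2 directory.

Added example (not from the original post or an Azure SDK). Rule applied: with
ACLs alone (no RBAC) the principal needs Execute on the container root and on
each intermediate directory, and the requested permissions only on the target.
"""


def normalize_perms(perms: str) -> str:
    """Turn "rw", "r-x", "rwx" into a canonical rwx triple; reject anything else."""
    if not set(perms) <= set("rwx-"):
        raise ValueError(f"invalid permission string: {perms!r}")
    return "".join(c if c in perms else "-" for c in "rwx")


def _ancestors(parts):
    # "/" (the container root), then each intermediate directory; target excluded.
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def least_privilege_aces(directory: str, principal_oid: str, leaf_perms: str,
                         inherit: bool = True):
    """Return [(path, ace), ...]: traverse-only on ancestors, leaf_perms on the target.

    Listing a directory needs r and x on it, writing into it needs w and x, so
    leaf_perms for a directory normally includes 'x' ("r-x" or "rwx").
    With inherit=True a default: entry is added so new children get the same ACE.
    """
    parts = [p for p in directory.strip("/").split("/") if p]
    leaf = normalize_perms(leaf_perms)
    if not parts:
        # Target is the container root itself: nothing to traverse.
        entries, target = [], "/"
    else:
        entries = [(p, f"user:{principal_oid}:--x") for p in _ancestors(parts)]
        target = "/" + "/".join(parts)
    entries.append((target, f"user:{principal_oid}:{leaf}"))
    if inherit:
        entries.append((target, f"default:user:{principal_oid}:{leaf}"))
    return entries


def ace_plan_by_path(entries):
    """Group entries per path: one set-ACL call per directory, in root-first order."""
    plan = {}
    for path, ace in entries:
        plan.setdefault(path, []).append(ace)
    return plan


if __name__ == "__main__":
    # Constructed sample: the object ID of the Function's managed identity.
    demo_oid = "11111111-2222-3333-4444-555555555555"
    for path, aces in ace_plan_by_path(
            least_privilege_aces("Directory1/Directory2", demo_oid, "rwx")).items():
        print(path, ",".join(aces))
```

Each `(path, ace)` pair maps onto one ACL update on that directory (in the Python SDK `DataLakeDirectoryClient.set_access_control(acl=...)` or `update_access_control_recursive(acl=...)`, in .NET `SetAccessControlListAsync` as in the answer). Two checks worth doing after applying the plan: named-user entries are capped by the directory's `mask` entry, so confirm the effective permissions rather than the entries you wrote; and the ancestors get `--x` only, so the principal can traverse `Directory1` but cannot list or read anything else in it.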
Solution 3:[3]
Directory scoped SAS tokens are supported since authentication version 2020-02-10, see Directory scoped shared access signatures (SAS) generally available.
The Python package azure-storage-file-datalake provides the function generate_directory_sas.
For TypeScript/JavaScript, check the package @azure/storage-file-datalake and its function generateDataLakeSASQueryParameters, setting { isDirectory: true } in DataLakeSASSignatureValues.
```typescript
import {
  DirectorySASPermissions,
  generateDataLakeSASQueryParameters,
} from "@azure/storage-file-datalake";

// isDirectory: true scopes the SAS to pathName as a directory (sr=d); the
// "..." parts (remaining signature values, signing credential) are left out here.
generateDataLakeSASQueryParameters(
  {
    pathName: 'my/folder',
    permissions: DirectorySASPermissions.parse('r'),
    isDirectory: true,
    ...,
    version: '2020-02-10'
  }, ...);
```
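Solutions 1 and 3 both point at SDK helpers (DataLakeSasBuilder, generate_directory_sas, generateDataLakeSASQueryParameters) that do the signing for you. To see what actually ends up in a directory-scoped token, and therefore what the Function holding it can reach, here is an added example that builds one with the standard library only. It is not code from the original post or from the Azure SDKs. Assumptions: the service SAS string-to-sign for version 2020-02-10 is the 15-field, newline-joined layout from the Blob REST reference (the encryption-scope field only appeared in 2020-12-06), `sr=d` marks a directory resource and `sdd` carries the directory depth; the scope check in `sas_covers` is my reading of the docs, not something tested against the service. The account name and key are constructed.

```python
"""Directory-scoped ADLS Gen2 service SAS, built by hand (standard library only).

Added example; not from the original post or the Azure SDKs. The string-to-sign
layout is assumed to match the REST reference for service version 2020-02-10;
re-check it there before relying on this outside a demo.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlencode

SAS_VERSION = "2020-02-10"

# Constructed demo values: not a real account or key.
DEMO_ACCOUNT = "myaccount"
DEMO_ACCOUNT_KEY_B64 = base64.b64encode(b"\x01" * 32).decode("ascii")


def _sas_time(t: datetime) -> str:
    # SAS timestamps must be UTC in the form YYYY-MM-DDThh:mm:ssZ.
    if t.tzinfo is None:
        raise ValueError("use timezone-aware datetimes for SAS start/expiry")
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def directory_depth(directory: str) -> int:
    # sdd: number of directories below the container root; "a/b" -> 2, "/" -> 0.
    return len([p for p in directory.strip("/").split("/") if p])


def canonicalized_resource(account: str, file_system: str, directory: str) -> str:
    # The signed resource path: /blob/<account>/<container>/<directory>.
    path = directory.strip("/")
    return f"/blob/{account}/{file_system}" + (f"/{path}" if path else "")


def build_directory_sas(account, account_key_b64, file_system, directory,
                        permissions, expiry, start=None, protocol="https"):
    """Return the SAS query parameters (dict) scoped to one directory subtree."""
    fields = [
        permissions,                        # sp, in the documented order, e.g. "rl"
        _sas_time(start) if start else "",  # st
        _sas_time(expiry),                  # se
        canonicalized_resource(account, file_system, directory),
        "",                                 # si: no stored access policy
        "",                                 # sip: no IP restriction
        protocol,                           # spr
        SAS_VERSION,                        # sv
        "d",                                # sr: directory, not blob or container
        "",                                 # signed snapshot time
        "", "", "", "", "",                 # rscc, rscd, rsce, rscl, rsct
    ]
    string_to_sign = "\n".join(fields)
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    params = {
        "sv": SAS_VERSION,
        "sr": "d",
        "sdd": str(directory_depth(directory)),
        "sp": permissions,
        "se": _sas_time(expiry),
        "spr": protocol,
        "sig": base64.b64encode(digest).decode("ascii"),
    }
    if start:
        params["st"] = _sas_time(start)
    return params


def sas_query_string(params: dict) -> str:
    # Append after '?' to https://<account>.dfs.core.windows.net/<fs>/<directory>.
    return urlencode(params)


def sas_covers(directory: str, requested_path: str) -> bool:
    """Is requested_path inside the subtree a directory SAS for `directory` grants?

    The directory itself and everything beneath it, but not siblings and not a
    directory whose name merely starts with the same text (assumed scope rule).
    """
    scope, target = directory.strip("/"), requested_path.strip("/")
    if scope == "":
        return True
    return target == scope or target.startswith(scope + "/")


def demo() -> dict:
    # Read + list on topLevelContainer/Directory1/Directory2, valid until 2030.
    return build_directory_sas(DEMO_ACCOUNT, DEMO_ACCOUNT_KEY_B64, "topLevelContainer",
                               "Directory1/Directory2", "rl",
                               datetime(2030, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(sas_query_string(demo()))
```

Two points this makes visible: the token is a bearer secret whose reach is fixed by `sr`, `sdd`, `sp` and `se`, so keep permissions to what the trigger needs (`r` plus `l` for listing) and the expiry short; and it is minted with the account key, so the secret that stays out of the Function's settings is the key, while the app setting holds only the scoped token. Rotating the account key invalidates every SAS signed with it.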
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ashish |
| Solution 2 | Joey Cai |
| Solution 3 | sschmeck |
