Azure SAS Token for Webjob DashboardConnectionString and StorageConnectionString

1
votes

Azure web jobs want me to set AzureWebJobsDashboard and AzureWebJobsStorage properties on startup but, i do not want to expose AccountKey in code. When I try to use SAS Token, JobHostConfiguration class trying to parse SAS Token and throws exception

 var config = new JobHostConfiguration();
            config.DashboardConnectionString = ConfigurationManager.GetSetting(KeyVaultSecrets.StorageReadWriteConnectionString);
            config.StorageConnectionString = ConfigurationManager.GetSetting(KeyVaultSecrets.StorageReadWriteConnectionString);

Exception

System.InvalidOperationException occurred HResult=0x80131509 Message=Failed to validate Microsoft Azure WebJobs SDK Dashboard connection string. The Microsoft Azure Storage account connection string is not formatted correctly. Please visit http://msdn.microsoft.com/en-us/library/windowsazure/ee758697.aspx for details about configuring Microsoft Azure Storage connection strings. Source= StackTrace: at Microsoft.Azure.WebJobs.Host.Executors.StorageAccountParser.ParseAccount(String connectionString, String connectionStringName, IServiceProvider services) at Microsoft.Azure.WebJobs.Host.Executors.DefaultStorageAccountProvider.set_DashboardConnectionString(String value)

Is there any way to use SAS Token while creating configuration for JobHostConfiguration?

2
azureazure-storageazure-webjobs

2 Answers

2
votes

SAS tokens are not yet supported here. However, you don't need to put the connection strings in your code. You should be placing them in appsettings instead! Like so:

<configuration>
  <connectionStrings>
    <!-- The format of the connection string is "DefaultEndpointsProtocol=https;AccountName=NAME;AccountKey=KEY" -->
    <!-- For local execution, the value can be set either in this config file or through environment variables -->
    <add name="AzureWebJobsDashboard" connectionString="xxxxxxx" />
    <add name="AzureWebJobsStorage" connectionString="yyyyyyyyy" />
  </connectionStrings>

And furthermore, you can then set your appsettings directly on your site.

That said, in the latest nightly builds, we now have support for running [Timer] and [Singleton] on SAS connection strings; and you can disable logging by explicitly setting config.DashboardConnectionString to null. But we don't yet have support for binding [Blob] and other storage to SAS urls. See the unit test from this commit: https://github.com/Azure/azure-webjobs-sdk/blob/bd2d9ea34f13fc16569e8d8f80bafdb605eeb6f9/test/Microsoft.Azure.WebJobs.Host.EndToEndTests/InternalStorageTests.cs

0
votes

We can use the SAS in a connection string. Because the SAS contains the information required to authenticate the request, a connection string with a SAS provides the protocol, the service endpoint, and the necessary credentials to access the resource according to that link

In this way, StorageAccountParser.ParseAccount(String connectionString) can parse the connection string

BlobEndpoint=https://storagesample.blob.core.windows.net; SharedAccessSignature=sv=2015-04-05&sr=b&si=tutorial-policy-635959936145100803&sig=9aCzs76n0E7y5BpEi2GvsSv433BZa22leDOZXX%2BXXIU%3D