5
votes

According to this article detailing the limits of Azure Storage, there is a limit on the number of Azure Resource Manager requests that can be made.

Additionally, this article details limits of the ARM API. A post here claims they ran into issues running list operations after making too many requests.

My question is, is there a limit on number of SAS Keys generated per hour for blob storage? Is creating a SAS Key an ARM event?

For example, if I'm using the Python Azure Storage SDK and I attempt to create 160,000 SAS keys in one hour for various blobs (files in containers in storage accounts), will I be throttled or stopped?

My application depends on these keys for allowing micro services access to protected data, but I cannot scale this application if I cannot create a large amount of SAS keys in a short period of time.

1 Answers

7
votes

Creating a SAS token does not interact with the Azure API at all.

From Using shared access signatures:

The SAS token is a string you generate on the client side. A SAS token you generate with the storage client library, for example, is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side.

I couldn't find code for building a Storage SAS token, but the principle is similar to the following (from here):

// Requires: using System; using System.Globalization; using System.Security.Cryptography;
//           using System.Text; using System.Web;
private static string createToken(string resourceUri, string keyName, string key)
{
    // Expiry: one week from now, in seconds since the Unix epoch
    TimeSpan sinceEpoch = DateTime.UtcNow - new DateTime(1970, 1, 1);
    var week = 60 * 60 * 24 * 7;
    var expiry = Convert.ToString((int)sinceEpoch.TotalSeconds + week);
    // String to sign: URL-encoded resource URI, a newline, then the expiry
    string stringToSign = HttpUtility.UrlEncode(resourceUri) + "\n" + expiry;
    // The signature is computed locally with HMAC-SHA256; no request is sent
    HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
    var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    var sasToken = String.Format(CultureInfo.InvariantCulture,
        "SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
        HttpUtility.UrlEncode(resourceUri), HttpUtility.UrlEncode(signature), expiry, keyName);
    return sasToken;
}

Basically a SAS token is a hash of the storage credentials, that are locked down to provide a subset of services. You can create as many as you require without any interaction with the Azure API.
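The same idea in Python, as an added example that is not part of the original answer and is not Azure SDK code: it mirrors the token layout of the `createToken` snippet above (not the Blob service's own string-to-sign), mints the question's 160,000 tokens offline, and validates one by recomputing the HMAC. The function names, the key, the policy name and the `example.invalid` URIs are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus


def _sign(key, encoded_uri, expiry):
    """Base64 HMAC-SHA256 over '<url-encoded uri>\\n<expiry>', keyed by the shared key."""
    mac = hmac.new(key.encode("utf-8"), f"{encoded_uri}\n{expiry}".encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest())


def create_token(resource_uri, key_name, key, ttl_seconds=3600, now=None):
    """Same layout as the answer's createToken(); computed locally, nothing is sent anywhere."""
    expiry = str(int(time.time() if now is None else now) + ttl_seconds)
    encoded_uri = quote_plus(resource_uri)
    signature = _sign(key, encoded_uri, expiry).decode("ascii")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={quote_plus(signature)}"
            f"&se={expiry}&skn={quote_plus(key_name)}")


def verify_token(token, key, now=None):
    """Validate by recomputing the HMAC; no list of issued tokens is consulted."""
    now = int(time.time() if now is None else now)
    try:
        fields = parse_qs(token.split(" ", 1)[1], strict_parsing=True)
        resource_uri, sig, expiry = fields["sr"][0], fields["sig"][0], fields["se"][0]
        if int(expiry) <= now:
            return False  # expired: the signed expiry is the only built-in lifetime limit
    except (IndexError, KeyError, ValueError):
        return False  # malformed token
    expected = _sign(key, quote_plus(resource_uri), expiry)
    return hmac.compare_digest(expected, sig.encode("utf-8"))


def mint_many(count, key_name, key):
    """Mint one token per constructed blob URI; returns (tokens, seconds elapsed)."""
    start = time.perf_counter()
    tokens = [create_token(f"https://example.invalid/container/blob-{i}.bin", key_name, key)
              for i in range(count)]
    return tokens, time.perf_counter() - start


if __name__ == "__main__":
    DEMO_KEY = "constructed-demo-key"  # constructed value, not a real account key
    tokens, elapsed = mint_many(160_000, "demo-policy", DEMO_KEY)
    print(f"{len(tokens)} tokens in {elapsed:.2f}s, no network calls")
    print("first token verifies:", verify_token(tokens[0], DEMO_KEY))
```

Because validation only recomputes the signature, a token stays valid until its signed expiry or until the signing key is rotated, so the example defaults to a one-hour lifetime rather than the week used in the snippet above.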