1
votes

I'm attempting to use Python in order to limit which parts of my Azure storage different users can access.

I have been looking for code that can generate a SAS token for a specific directory in my Storage container. I am hoping that generating a SAS token on my directory will give me access to the files/blobs it contains (just like how it works on azure.portal, where I can right-click my directory and press 'Generate SAS'). However, I have not been able to find any Python code that could achieve this. All I can find are the following 3 functions:

generate_account_sas()
generate_container_sas()
generate_blob_sas()

Found here: https://docs.microsoft.com/en-us/python/api/azure-storage-blob/azure.storage.blob?view=azure-python

I have attempted to use the 'generate_blob_sas()' function but using the name of my directory instead of a file/blob.

from datetime import datetime, timedelta
from azure.storage.blob import BlobClient, generate_blob_sas, BlobSasPermissions

account_name = 'STORAGE_ACCOUNT_NAME'
account_key = 'STORAGE_ACCOUNT_ACCESS_KEY'
container_name = 'CONTAINER_NAME'
blob_name = 'NAME OF MY DIRECTORY'

def get_blob_sas(account_name,account_key, container_name, blob_name):
    sas_blob = generate_blob_sas(account_name=account_name, 
                                container_name=container_name,
                                blob_name=blob_name,
                                account_key=account_key,
                                permission=BlobSasPermissions(read=True),
                                expiry=datetime.utcnow() + timedelta(hours=1))
    return sas_blob

blob = get_blob_sas(account_name,account_key, container_name, blob_name)
url = 'https://'+account_name+'.blob.core.windows.net/'+container_name+'/'+blob_name+'?'+blob

However when I attempt to use this url, I get the following response:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
   <Code>AuthenticationFailed</Code>
   <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:31qv254a-201e-0509-3f26-8587fb000000 Time:2021-07-30T09:37:21.1142028Z</Message>
   <AuthenticationErrorDetail>Signature did not match. String to sign used was rt 2021-07-30T10:08:37Z /blob/my_account/my_container/my_directory/my_file.png 2020-06-12 b </AuthenticationErrorDetail>
</Error>

Is there some other way for me to generate a SAS token on a directory?

1 Answer

1
votes

From your description, it looks like your storage account is Data Lake Gen2. If that's the case, then you will need to use a different SDK.

The SDK you're using is for Azure Blob Storage (non Data Lake Gen2) accounts where folders are virtual folders and not the real ones.

The SDK you would want to use is azure-storage-file-datalake and the method you would want to use for generating a SAS token on a directory will be generate_file_system_sas.
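
An added example (not part of the answer above, and not SDK code): a standard-library check that a SAS URL is scoped to one directory before it is handed to a user, reading the service SAS query parameters sr, sdd, sp, spr and se. The sample URLs, the account and path names, the `audit_sas_url` helper and the one-hour, read/list-only policy are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (placeholder account, paths and signature).
DIR_SAS = ("https://myaccount.dfs.core.windows.net/my_container/my_directory"
           "?sv=2020-06-12&sr=d&sdd=1&sp=rl&spr=https&se=2021-07-30T10%3A08%3A37Z&sig=PLACEHOLDER")
BLOB_SAS = ("https://myaccount.blob.core.windows.net/my_container/my_directory"
            "?sv=2020-06-12&sr=b&sp=r&se=2021-07-30T10%3A08%3A37Z&sig=PLACEHOLDER")

def audit_sas_url(url, expected_dir, max_lifetime=timedelta(hours=1),
                  allowed_perms="rl", now=None):
    """Return a list of findings; an empty list means the URL carries a
    short-lived, HTTPS-only SAS scoped to expected_dir (hypothetical policy)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    # URL path is /<container>/<path inside the container>
    _, _, rest = parts.path.lstrip("/").partition("/")
    sr = q.get("sr", "")
    if sr == "c":
        findings.append("sr=c: token covers the whole container")
    elif sr == "b":
        findings.append("sr=b: token covers one blob path, not a directory's children")
    elif sr == "d":
        if rest.strip("/") != expected_dir.strip("/"):
            findings.append(f"directory scope is '{rest}', expected '{expected_dir}'")
        depth = len(expected_dir.strip("/").split("/"))
        if q.get("sdd") != str(depth):  # sdd = signed directory depth
            findings.append(f"sdd={q.get('sdd')} does not match depth {depth}")
    else:
        findings.append(f"unknown or missing sr value: {sr!r}")

    extra = set(q.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("permissions beyond policy: " + "".join(sorted(extra)))
    if q.get("spr") != "https":  # when spr is absent, HTTP is permitted too
        findings.append("spr is not 'https': token usable over plain HTTP")
    try:
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry - now > max_lifetime:
            findings.append("expiry exceeds allowed lifetime")
    except (KeyError, ValueError):
        findings.append("missing or unparseable se (expiry)")
    return findings
```

The check only reads the token's parameters; it does not verify the signature, which only the storage service can do.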