| services | platforms | author |
|---|---|---|
app-service, functions |
dotnet |
lindydonna |
This is a sample HTTP trigger Azure Function that returns a SAS token for Azure Storage for the specified container, blob, and permissions. A SAS token provides a secure way for client apps to access particular storage account resources, without giving them the full control of the storage access key.
##Deploy to Azure
The automated deployment provisions an Azure Storage account and an Azure Function in a Dynamic compute plan and sets up deployment from source control.
The deployment template has a parameter manualIntegration which controls whether or not a deployment trigger is registered with GitHub. Use true if you are deploying from the main Azure-Samples repo (does not register hook), false otherwise (registers hook). Since a value of false registers the deployment hook with GitHub, deployment will fail if you don't have write permissions to the repo.
When you create a storage account, you get two storage access keys, which provide full control over the storage account contents. Since these keys are admin credentials, they should never be distributed with a client app.
Instead, clients should use a shared access signature (SAS) for delegated access to storage resources. A SAS token, which is appended to a storage resource URI, provides access to only a particular resource for a limited period of time. A SAS token can be scoped to a blob or a container and specifies access permissions (such as read or write).
A SAS token is usually generated server-side, using the account access key and the Azure Storage SDK. This sample shows how to use an Azure Function as a SAS token service. Web and mobile clients can call this function to request access to a particular container or blob. By default, the sample creates a token that expires after an hour, but this can be customized.
If the function will be called from a mobile client or a JavaScript web app, we recommend that you add authentication to your Function using App Service Authentication/Authorization. The API key is usually insufficent for security purposes since it can be discovered by sniffing traffic or decompiling the client app.
##Calling the function
To request a SAS token, send an HTTP POST to your function URI, including the API key if you've specified one. The request body format is:
container- required. Name of container in storage accountblobName- optional. Used to scope permissions to a particular blobpermissions- optional. Default value is read permissions. The format matches the enum values of SharedAccessBlobPermissions. Possible values are "Read", "Write", "Delete", "List", "Add", "Create". Comma-separate multiple permissions, such as "Read, Write, Create".
Response:
token- SAS token, including a leading "?"uri- Resource URI with token appended as query string