Skip to content

Node.js Azure Function for getting a blob or container Storage SAS token

License

Notifications You must be signed in to change notification settings

bibarrav/functions-node-sas-token

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

services platforms author
app-service, functions
nodejs
lindydonna

Node.js Azure Function for generating SAS tokens

This is a sample HTTP trigger Azure Function that returns a SAS token for Azure Storage for the specified container, blob, and permissions. A SAS token provides a secure way for client apps to access particular storage account resources, without giving them the full control of the storage access key.

##Deploy to Azure

The automated deployment provisions an Azure Storage account and an Azure Function in a Dynamic compute plan and sets up deployment from source control.

The deployment template has a parameter manualIntegration which controls whether or not a deployment trigger is registered with GitHub. Use true if you are deploying from the main Azure-Samples repo (does not register hook), false otherwise (registers hook). Since a value of false registers the deployment hook with GitHub, deployment will fail if you don't have write permissions to the repo.

How it works

When you create a storage account, you get two storage access keys, which provide full control over the storage account contents. Since these keys are admin credentials, they should never be distributed with a client app.

Instead, clients should use a shared access signature (SAS) for delegated access to storage resources. A SAS token, which is appended to a storage resource URI, provides access to only a particular resource for a limited period of time. A SAS token can be scoped to a blob or a container and specifies access permissions (such as read or write).

A SAS token is usually generated server-side, using the account access key and the Azure Storage SDK. This sample shows how to use an Azure Function as a SAS token service. Web and mobile clients can call this function to request access to a particular container or blob. By default, the sample creates a token that expires after an hour, but this can be customized.

If the function will be called from a mobile client or a JavaScript web app, we recommend that you add authentication to your Function using App Service Authentication/Authorization. The API key is usually insufficent for security purposes since it can be discovered by sniffing traffic or decompiling the client app.

##Calling the function

To request a SAS token, send an HTTP POST to your function URI, including the API key if you've specified one. The request body format is:

  • container - required. Name of container in storage account
  • blobName - optional. Used to scope permissions to a particular blob
  • permissions - optional. Default value is read permissions. Possible values are: "a" (Add), "r" (Read), "w" (Write), "d" (Delete), "l" (List). Concatenate multiple permissions, such as "rwa" = Read, Write, Add

Response:

  • token - SAS token, which does not include a leading "?"
  • uri - Resource URI with token appended as query string

Learn more

About

Node.js Azure Function for getting a blob or container Storage SAS token

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Batchfile 65.1%
  • JavaScript 34.9%