
Support using existing sas tokens for multi-tenant scenarios #204

sitereactor opened this issue May 19, 2020 · 5 comments

Comments

@sitereactor

When operating in multi-tenant scenarios, SAS Tokens for Blob Storage Containers might already exist and be used instead of full account access with storage keys. We have a scenario where we'd like to use this plugin, but we cannot provide storage credentials to blob storage; we do have a SAS Token for a specific container where the plugin can store the blob (such a token-to-container setup exists for each tenant).

Currently, when you pass `StorageCredentials(TokenCredential)` to `AzureStorageAttachmentConfiguration` it will just result in the following error:

```
System.Exception: Invalid configuration: .WithBlobSasUri() requires account shared key and cannot be used with service/container Shared Access Signature.
  at Microsoft.Azure.ServiceBus.AzureStorageAttachmentConfigurationExtensions.WithBlobSasUri(AzureStorageAttachmentConfiguration azureStorageAttachmentConfiguration, String messagePropertyToIdentifySasUri, Nullable`1 sasTokenValidationTime)
```

We'd be happy to submit a pull request for adding this capability if it's something you think would be valuable to include in the library. So I'm submitting this feature request to support existing SAS tokens end to end for this plugin to see if it could be added.

I realize that the same type of SAS Uri cannot be generated when using a SAS Token, but I think it's an okay tradeoff in this type of scenario. But let me know what you think.

Thanks!

@sitereactor
Author

I guess this speaks to this TODO:

`// TODO: only possible if connection string is used`

:)

@SeanFeldman
Owner

@sitereactor, I'd love to find a way to do that, but my understanding was that to generate a SAS token, a connection string with service key has to be used. In case you find out there's another option, I'll be happy for a PR or link to how to achieve it.

Also, Storage v12 is a major redesign of how things work. I've already started looking into that and maybe there's a way to achieve what you're looking for. User delegation SAS sounds like something that would work.

@SeanFeldman
Owner

@sitereactor, did you dig any deeper to see if anything has changed in Storage SDK v12?

@sitereactor
Author

Hey @SeanFeldman sorry about the lack of response. Got caught up in some work.

You are right about not being able to generate a SAS Token with a SAS Token, so the solution I would propose for the current Azure Storage API is to "bring your own token" and use that end to end. One approach could be to make it possible to pass your own implementation of `TokenGenerator` to handle the generation of a new SAS Token (possibly just a delegate as it's a simple signature). With that it would then be possible to pass your own SAS Token and handle how it should be used as part of

`// TODO: only possible if connection string is used`

I can try and whip up a gist with an example.

I haven't looked into the v12 SDK yet, but will check it out as well.

@SeanFeldman
Owner

> One approach could be to make it possible to pass your own implementation of `TokenGenerator` to handle the generation of a new SAS Token (possibly just a delegate as it's a simple signature). With that it would then be possible to pass your own SAS Token and handle how it should be used as part of

I'm somewhat confused. `TokenGenerator` works only when the `CloudBlockBlob` is generated using a key (`StorageCredentials.IsSharedKey == true`). If you have a custom `TokenGenerator`, it would also need to be created with a key or else it won't work.

> I can try and whip up a gist with an example.

Please do. That will help me understand what you have in mind.

> I haven't looked into the v12 SDK yet, but will check it out as well.

That one will be completely different as v12 and v11 are two different SDK/APIs.
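To make the distinction in the exchange above concrete, here is an added sketch (not the plugin's own code and not a gist from either participant) of the two paths the thread contrasts: minting a blob SAS, which needs the account key (`StorageCredentials.IsSharedKey == true`), versus the "bring your own token" path, where a tenant's existing container-scoped SAS is passed through unchanged. It uses the v11 `Microsoft.Azure.Storage` types named on the page; the delegate `SasUriProvider`, the class `SasUriSelection` and the method names are assumptions for illustration.

```csharp
using System;
using Microsoft.Azure.Storage.Blob;

// Hypothetical hook: given the blob the plugin just uploaded, return the URI to put on the message.
public delegate Uri SasUriProvider(CloudBlockBlob blob, TimeSpan validFor);

public static class SasUriSelection
{
    // Key-based path: mint a read-only, blob-scoped SAS. Only possible with the account shared key,
    // which is why the plugin today rejects service/container SAS credentials.
    public static Uri MintBlobReadSasUri(CloudBlockBlob blob, TimeSpan validFor)
    {
        if (!blob.ServiceClient.Credentials.IsSharedKey)
            throw new InvalidOperationException(
                "Minting a blob SAS requires the account shared key; a SAS cannot sign another SAS.");

        var policy = new SharedAccessBlobPolicy
        {
            Permissions = SharedAccessBlobPermissions.Read,
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.Add(validFor)
        };
        return new Uri(blob.Uri + blob.GetSharedAccessSignature(policy));
    }

    // Bring-your-own-token path: reuse the container SAS the tenant already holds.
    // Tradeoff named in the thread: the URI inherits the container SAS's permissions and expiry
    // instead of a fresh, narrowly scoped blob SAS, so keep that token read-only and short-lived.
    public static SasUriProvider ReuseContainerSas(string containerSasToken)
    {
        string query = containerSasToken.StartsWith("?") ? containerSasToken : "?" + containerSasToken;
        return (blob, _) => new Uri(blob.Uri + query);
    }

    // Selection logic: a caller-supplied provider wins; otherwise fall back to minting,
    // and fail with the same kind of configuration error the plugin raises today.
    public static Uri Resolve(CloudBlockBlob blob, TimeSpan validFor, SasUriProvider custom = null)
    {
        if (custom != null)
            return custom(blob, validFor);
        if (blob.ServiceClient.Credentials.IsSharedKey)
            return MintBlobReadSasUri(blob, validFor);
        throw new InvalidOperationException(
            "Invalid configuration: SAS URI generation requires the account shared key or a custom SasUriProvider.");
    }
}
```

With `Resolve(blob, TimeSpan.FromHours(1), SasUriSelection.ReuseContainerSas(tenantSas))` a tenant never has to hand the plugin an account key, which is the least-privilege point of the feature request.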
