Intro

In the previous post I described the TableRequestOptions class and provided some basic code samples. In this post I am going to cover Shared Access Signatures (SAS) for the Azure Storage Table service.

Prerequisites

Refer to the previous posts to get started with the Azure Storage Table service.

Test Data

Execute the following code to fill your test table with the required data:

// One batch per partition: every entity in a TableBatchOperation must share
// the same PartitionKey, and a batch can hold at most 100 operations.
var auBatch = new TableBatchOperation();
var nzBatch = new TableBatchOperation();
var euBatch = new TableBatchOperation();
for (var i = 0; i < 100; i++)
{
    // RowKey is zero-padded (EMP000..EMP099) so that string order matches numeric order.
    auBatch.Insert(new Profile("AU", $"EMP{i:D3}", $"John Doe {i}", $"The {i} employee of the company"));
    nzBatch.Insert(new Profile("NZ", $"EMP{i:D3}", $"John Doe {i}", $"The {i} employee of the company"));
    euBatch.Insert(new Profile("EU", $"EMP{i:D3}", $"John Doe {i}", $"The {i} employee of the company"));
}

table.ExecuteBatch(auBatch);
table.ExecuteBatch(nzBatch);
table.ExecuteBatch(euBatch);

Code

I already covered SAS in one of the previous posts, so to fully understand SAS start with Part 8: Azure Queue + .NET - SAS. In this post I will cover only the features specific to the Azure Table service.

There are a couple of differences between SAS in the Azure Queue service and the Azure Table service. The first major difference is that users can grant access to:

  • An entire table
  • A table range defined by a table, a partition key range and row key range

So you can control access rights for partitions/rows.

Consider the following code:

// Read-only (Query) token, valid for 30 minutes, with no key range specified.
var sasToken = table.GetSharedAccessSignature(new SharedAccessTablePolicy
{
    SharedAccessExpiryTime = DateTimeOffset.Now.AddMinutes(30),
    Permissions = SharedAccessTablePermissions.Query
});

// Access the table with the SAS token only, not with the account key.
var sasTable = new CloudTable(table.Uri, new StorageCredentials(sasToken));
var availableRecords = sasTable.CreateQuery<Profile>().ToList().Count;
Console.WriteLine(availableRecords);

This code generates a token that gives access to the whole table, so the code will output 300: the exact number of records across all partitions of the given table.

Consider the next example:

var sasToken = table.GetSharedAccessSignature(new SharedAccessTablePolicy
{
    SharedAccessExpiryTime = DateTimeOffset.Now.AddMinutes(30),
    Permissions = SharedAccessTablePermissions.Query
},
null,  // Policy name
"AU",  // Start PartitionKey
null,  // Start RowKey
"AU",  // End PartitionKey
null); // End RowKey

var sasTable = new CloudTable(table.Uri, new StorageCredentials(sasToken));
var availableRecords = sasTable.CreateQuery<Profile>().ToList().Count;
Console.WriteLine(availableRecords);

This code outputs 100, the number of rows in the AU partition. If we set End PartitionKey to EU, the code will output 200, which is the number of items in two partitions. We can create a SAS for any number of SEQUENTIAL rows in the Azure Table service. It is impossible to create a single SAS for the AU and NZ partitions because the EU partition lies between them.

Let's modify the code to include the AU and EU partitions completely and some rows from the NZ partition:

var sasToken = table.GetSharedAccessSignature(new SharedAccessTablePolicy
{
    SharedAccessExpiryTime = DateTimeOffset.Now.AddMinutes(30),
    Permissions = SharedAccessTablePermissions.Query
},
null,      // Policy name
"AU",      // Start PartitionKey
"EMP001",  // Start RowKey
"NZ",      // End PartitionKey
"EMP010"); // End RowKey

var sasTable = new CloudTable(table.Uri, new StorageCredentials(sasToken));
var availableRecords = sasTable.CreateQuery<Profile>().ToList().Count;
Console.WriteLine(availableRecords);

This code outputs 210. So we grant access to the AU and EU partitions and 10 rows from the NZ partition.
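The range rule behind the last SAS, as an added example (not code from the original post): a local C# model of the documented Table SAS bounds, run over constructed keys that mirror the test data, so the per-partition exposure can be reviewed before a token is issued. `TableSasRange`, `InRange` and `Exposure` are hypothetical names, and ordinal string comparison is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class TableSasRange
{
    // Documented range rule for a Table SAS (startpk/startrk/endpk/endrk):
    //   lower: pk > startPk || (pk == startPk && rk >= startRk)
    //   upper: pk < endPk   || (pk == endPk   && rk <= endRk)
    // A null bound means "not restricted". Ordinal comparison is an assumption.
    public static bool InRange(string pk, string rk,
        string startPk, string startRk, string endPk, string endRk)
    {
        bool lower = startPk == null
            || string.CompareOrdinal(pk, startPk) > 0
            || (pk == startPk && (startRk == null || string.CompareOrdinal(rk, startRk) >= 0));
        bool upper = endPk == null
            || string.CompareOrdinal(pk, endPk) < 0
            || (pk == endPk && (endRk == null || string.CompareOrdinal(rk, endRk) <= 0));
        return lower && upper;
    }

    // Per-partition count of the keys that a SAS with these bounds would expose.
    public static Dictionary<string, int> Exposure(IEnumerable<(string Pk, string Rk)> keys,
        string startPk, string startRk, string endPk, string endRk) =>
        keys.Where(k => InRange(k.Pk, k.Rk, startPk, startRk, endPk, endRk))
            .GroupBy(k => k.Pk)
            .ToDictionary(g => g.Key, g => g.Count());

    static void Main()
    {
        // Constructed sample keys mirroring the test data: AU, EU, NZ x EMP000..EMP099.
        var keys = new[] { "AU", "EU", "NZ" }
            .SelectMany(pk => Enumerable.Range(0, 100).Select(i => (Pk: pk, Rk: $"EMP{i:D3}")))
            .ToList();

        // Same bounds as the last SAS above.
        var exposed = Exposure(keys, "AU", "EMP001", "NZ", "EMP010");
        foreach (var kv in exposed.OrderBy(kv => kv.Key))
            Console.WriteLine($"{kv.Key}: {kv.Value}");
        Console.WriteLine($"Total: {exposed.Values.Sum()}");
    }
}
```

The row-key bounds apply only inside the first and last partition of the range; any partition strictly between them is exposed in full, so review the per-partition counts before handing out a token.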

Summary

In this post I covered the features specific to SAS of the Azure Table service and provided basic code examples. For more information, refer to Introducing Table SAS (Shared Access Signature), Queue SAS and update to Blob SAS.

