如何在 C# 中使用服务主体（clientId 和 clientSecret）为 Azure Data Lake Store（Gen-2）创建 SAS 令牌？

Question

I have the clientId and clientSecret of Data Lake Store (Gen-2) and I am looking for a way to create SAS token for it in a programmatic way using C#. I have gone through the documentation but have not find a way to create a SAS token. Any guidance will be appreciated. Thanks.

As suggested by Md Farid Uddin Kiron, I used this code but unsuccessful:

//Token Request End Point
string tokenUrl = $"https://login.microsoftonline.com/<tenantId>.onmicrosoft.com/oauth2/token";
var tokenRequest = new HttpRequestMessage(HttpMethod.Post, tokenUrl);

//I am Using client_credentials as It is mostly recommended
tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = "--------",
                ["client_secret"] = "-------",
                ["resource"] = "https://<datalake gen2 name>.dfs.core.windows.net/"
            });

            dynamic json;
AccessTokenClass results = new AccessTokenClass();
HttpClient client = new HttpClient();

var tokenResponse = client.SendAsync(tokenRequest).GetAwaiter();

json = tokenResponse.GetResult().Content.ReadAsStringAsync().GetAwaiter();
results = JsonConvert.DeserializeObject<AccessTokenClass>(json);

It is giving me status 400 error.

Answer 1

If you want to use Azure AD access token to access Azure data lake gen2, please refer to the following code

1. create a service principal and assign Azure RABC role for the sp.

az login
az account set --subscription "<your subscription id>"
# it will assign Storage Blob Data Contributor to the sp at subscription level
az ad sp create-for-rbac -n "mysample" --role Storage Blob Data Contributor

2. Code

string tokenUrl = $"https://login.microsoftonline.com/<tenantId>.onmicrosoft.com/oauth2/token";
var tokenRequest = new HttpRequestMessage(HttpMethod.Post, tokenUrl);

//I am Using client_credentials as It is mostly recommended
tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = "--------",
                ["client_secret"] = "-------",
                ["resource"] = "https://storage.azure.com/"
            });

            dynamic json;
AccessTokenClass results = new AccessTokenClass();
HttpClient client = new HttpClient();

var tokenResponse = client.SendAsync(tokenRequest).GetAwaiter();

json = tokenResponse.GetResult().Content.ReadAsStringAsync().GetAwaiter();
results = JsonConvert.DeserializeObject<AccessTokenClass>(json);

---

If you want to create sas token, please refer to the following steps

1. get the account key via Azure Portal

2. code

var key = account key you copy";
            var accountName = "testadls05";
            StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, key);
            AccountSasBuilder sas = new AccountSasBuilder
            {
                Protocol = SasProtocol.None,
                Services = AccountSasServices.Blobs,
                ResourceTypes = AccountSasResourceTypes.All,
                StartsOn = DateTimeOffset.UtcNow.AddHours(-1),
                ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),

            };
            sas.SetPermissions(AccountSasPermissions.All);

            var uri = $"https://{accountName}.dfs.core.windows.net/";

            UriBuilder sasUri = new UriBuilder(uri);
            sasUri.Query = sas.ToSasQueryParameters(credential).ToString();

            DataLakeServiceClient service = new DataLakeServiceClient(sasUri.Uri);
            var result =service.GetFileSystems().First();
            Console.WriteLine(result.Name);

Answer 2

Following code can be used to create SAS token for datalake gen2 using service principles:

Here Password is Client Secret and Username is ClientId .

$securePassword = ConvertTo-SecureString -AsPlainText -Force -String $Password
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $securePassword
Connect-AzAccount -Credential $Credential -ServicePrincipal -Tenant $Tenant -Subscription $SubscriptionName

Write-Host -ForegroundColor Green "Creating an account level SAS Token.."
## Get the storage account
$storageAcc=Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccName
## Get the storage account context
$ctx=$storageAcc.Context
## Creates an account-level SAS token.
New-AzStorageAccountSASToken -Context $ctx -Service Blob,File,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -StartTime "2020-06-18" -ExpiryTime "2022-06-18"