Setting different permissions for SAS Token on ADLS Gen2

PS 396 Reputation points
2024-08-19T21:28:50.0066667+00:00

Hello,

I'm interested to know if it's possible to set two different sets of permissions for an access policy on ADLS Gen2 Storage - one at the container level, and another at the folder level. I'm looking for a setup like this:

  1. Access Policy setting at container level - rl
  2. Access Policy setting at folder level - rlw

Could someone please share any resources or insights that could help me achieve this? Thank you!


2 answers

  1. Sina Salam 12,011 Reputation points
    2024-08-19T22:44:03.6366667+00:00

    Hello PS,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to set different permissions for a SAS token on ADLS Gen2.

    To achieve different sets of permissions at different levels (container and folder) in Azure Data Lake Storage Gen2 (ADLS Gen2), you'll need to understand and apply both Shared Access Signatures (SAS) and Access Control Lists (ACLs).

    • First, set up a SAS token for container-level access, which allows access to the entire container with read and list permissions but does not grant write permissions.
    • Secondly, set up a SAS token for folder-level access, which is used to access a specific folder with Read, List, and Write permissions.
    • Then, apply Access Control Lists (ACLs) for fine-grained control.
    • Finally, combine the SAS token and ACLs to:
      • Grant basic Read and List permissions at the container level.
      • Allow more specific permissions at the folder level. Ensure the folder-level SAS token and ACLs are applied properly for the desired Read, List, and Write access.

    For documentation as requested:

    https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

    https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-create

    https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acls-overview

    You can also read more from the additional resources available by the right side of this page.


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam
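The two tokens the answer above describes, as an added example that is not part of the answer or of any Microsoft SDK: it builds a service SAS the way the blob service specifies it (HMAC-SHA256 over the documented string-to-sign, API version 2020-12-06 and later), once scoped to the container with `rl` and once scoped to a directory with `rlw`. Three details matter in practice and are shown in the code: the permission letters must appear in the service's fixed order, so `rlw` is emitted as `rwl`; a directory token uses `sr=d` plus `sdd` (directory depth) and is signed over the directory path, so it is not valid for a sibling directory; and `sp` itself is signed, so a client cannot widen a read/list token to write. The account name, key, container and directory are constructed placeholders. A SAS signed with the account key is what this example models; a user delegation SAS (signed with a key obtained from Entra ID) is the recommended form and is additionally limited by the delegating identity's own permissions.

```python
"""Service SAS for ADLS Gen2: a container-scoped token (rl) and a directory-scoped token (rlw).

Added illustration of how the two tokens differ; signs with the account key using the
documented service SAS string-to-sign (API version 2020-12-06 and later). Account name,
key, container and directory below are constructed placeholders, not real resources.
"""
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

API_VERSION = "2020-12-06"
PERMISSION_ORDER = "racwdxyltmeop"   # the service rejects `sp` values not in this order

# Constructed sample credentials: base64 of 64 arbitrary bytes, NOT an Azure key.
ACCOUNT = "contosolake"
ACCOUNT_KEY = base64.b64encode(b"not-a-real-key-" * 4 + b"!!!!").decode()


def normalize_permissions(perms: str) -> str:
    """Reorder e.g. 'rlw' to 'rwl'; reject letters the blob service does not define."""
    unknown = set(perms) - set(PERMISSION_ORDER)
    if unknown:
        raise ValueError(f"unknown permission(s): {''.join(sorted(unknown))}")
    return "".join(c for c in PERMISSION_ORDER if c in perms)


def _string_to_sign(params: dict, account: str, resource_path: str) -> str:
    """Field order from the service SAS specification. The canonical resource path
    is signed, so a token for one directory cannot be replayed against another."""
    canonical = f"/blob/{account}/{resource_path}"
    fields = [
        params.get("sp", ""), params.get("st", ""), params.get("se", ""),
        canonical,
        params.get("si", ""), params.get("sip", ""), params.get("spr", ""),
        params.get("sv", ""), params.get("sr", ""),
        params.get("snapshot", ""), params.get("ses", ""),
        params.get("rscc", ""), params.get("rscd", ""), params.get("rsce", ""),
        params.get("rscl", ""), params.get("rsct", ""),
    ]
    return "\n".join(fields)


def _sign(account_key_b64: str, string_to_sign: str) -> str:
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def service_sas(account: str, key_b64: str, container: str, permissions: str,
                expiry: str, directory: Optional[str] = None,
                protocol: str = "https") -> str:
    """Return the SAS query string. directory=None gives a container SAS (sr=c);
    otherwise a directory SAS (sr=d) with sdd set to the directory depth."""
    params = {"sv": API_VERSION, "sp": normalize_permissions(permissions),
              "se": expiry, "spr": protocol}
    if directory is None:
        params["sr"] = "c"
        resource_path = container
    else:
        directory = directory.strip("/")
        params["sr"] = "d"
        params["sdd"] = str(len(directory.split("/")) if directory else 0)
        resource_path = f"{container}/{directory}" if directory else container
    params["sig"] = _sign(key_b64, _string_to_sign(params, account, resource_path))
    return urlencode(params)


def verify_sas(account: str, key_b64: str, container: str,
               directory: Optional[str], token: str) -> Optional[dict]:
    """Recompute the signature the way the service would for a request against
    container/directory. Returns the token fields if valid, else None."""
    fields = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    presented = fields.pop("sig", None)
    if presented is None:
        return None
    directory = (directory or "").strip("/")
    resource_path = f"{container}/{directory}" if directory else container
    expected = _sign(key_b64, _string_to_sign(fields, account, resource_path))
    return fields if hmac.compare_digest(presented, expected) else None


if __name__ == "__main__":
    expiry = "2024-09-01T00:00:00Z"
    container_sas = service_sas(ACCOUNT, ACCOUNT_KEY, "lake", "rl", expiry)
    folder_sas = service_sas(ACCOUNT, ACCOUNT_KEY, "lake", "rlw", expiry, directory="raw/2024")
    print("container (rl):", container_sas)
    print("raw/2024 (rwl):", folder_sas)
    # Widening sp on the container token client-side invalidates the signature.
    print("tampered valid?", verify_sas(ACCOUNT, ACCOUNT_KEY, "lake", None,
                                        container_sas.replace("sp=rl", "sp=rwl")))
```

The token string is what you append to the blob endpoint URL; `verify_sas` only exists to show that both the permissions and the resource path are under the signature. If you hold a token that must be valid for the whole container, issue it with `rl` and keep write tokens bound to the narrowest directory that needs them.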


  2. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-08-27T12:23:59.0333333+00:00

    Hello PS,

    Greetings! Welcome to Microsoft Q&A Platform.

    Yes, you’re right. ACLs (Access Control Lists) and SAS (Shared Access Signature) tokens operate independently in Azure. ACLs are used to manage permissions at the file and directory level within Azure Data Lake Storage Gen2, while SAS tokens provide a way to grant limited access to Azure Storage resources without sharing the account key. Since ACLs are not applicable to SAS tokens, you can manage access using either method:

    Using SAS Tokens:

    • Generate a SAS token with the required permissions for the folder.
    • Use this SAS token to access the folder and perform the allowed operations.

    Using ACLs:

    • Set ACLs on the folder to specify permissions for users or groups.
    • Ensure that the users or services accessing the folder have the necessary permissions set by the ACLs.
    • If you need to provide access to external users or services without sharing your account key, SAS tokens are the way to go, and for internal access control within your organization, ACLs provide more granular permissions.

    Hope this helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

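The ACL side of the answer above, as an added example that is not part of the answer or of the storage service's code: a small model of the documented ADLS Gen2 ACL evaluation (owning user, then a named user entry, then matching group entries, then other, with the mask clamping named user and group entries), applied along a path the way the service's permission table requires (`x` on every ancestor to traverse, `r` on a file to read, `w` to append, `r`+`x` on a directory to list, `w`+`x` on a directory to create in it). The object IDs, ACL strings and directory layout are constructed to mirror the question: list/read from the root down, write only under `raw/2024`, with the mask on `raw` showing why a named `rwx` entry can still evaluate to read-only. ACLs are evaluated only for requests authorized with an Entra ID identity (including a user delegation SAS); Shared Key and account-key SAS requests skip them, as does a super-user RBAC role.

```python
"""Evaluate ADLS Gen2 POSIX-style ACLs for read, list, append and create operations.

Added model of the documented ACL rules (owning user, named user, masked group entries,
other; x on every ancestor directory for traversal). It is not the storage service's
implementation, and the object IDs and ACL strings below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    default: bool   # 'default:' entries are inherited by new children, never used for access checks
    kind: str       # user | group | other | mask
    entity: str     # object ID; empty for the owning user, owning group, other and mask
    perms: str      # exactly three characters from 'rwx-', in that order


@dataclass(frozen=True)
class Node:
    owner: str      # owning user object ID (x-ms-owner)
    group: str      # owning group object ID (x-ms-group)
    acl: tuple      # parsed entries of the ACL (x-ms-acl)


def parse_acl(text: str) -> list:
    """Parse 'user::rwx,group::r-x,other::---,user:<oid>:r-x,default:user:<oid>:rwx'."""
    entries = []
    for raw in text.split(","):
        parts = raw.strip().split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "group", "other", "mask"):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, entity, perms = parts
        if len(perms) != 3 or any(c not in ok for c, ok in zip(perms, ("r-", "w-", "x-"))):
            raise ValueError(f"malformed permission triple: {raw!r}")
        entries.append(AclEntry(default, kind, entity, perms))
    return entries


def _bits(perms: str) -> frozenset:
    return frozenset(c for c in perms if c != "-")


def permitted(node: Node, oid: str, groups: set, want: str) -> bool:
    """Documented evaluation order: owning user (unmasked), then a named user entry,
    then matching group entries, then other (unmasked). Named user and group
    entries are ANDed with the mask."""
    need = _bits(want)
    access = [e for e in node.acl if not e.default]
    mask = next((_bits(e.perms) for e in access if e.kind == "mask"), _bits("rwx"))
    if oid == node.owner:
        return need <= _bits(next(e.perms for e in access if e.kind == "user" and not e.entity))
    named = next((e for e in access if e.kind == "user" and e.entity == oid), None)
    if named is not None:
        return need <= (_bits(named.perms) & mask)
    matching = [e for e in access if e.kind == "group"
                and (node.group in groups if not e.entity else e.entity in groups)]
    if matching:
        # a single matching group entry must grant every requested bit
        return any(need <= (_bits(e.perms) & mask) for e in matching)
    return need <= _bits(next(e.perms for e in access if e.kind == "other"))


def allowed(tree: dict, path: str, op: str, oid: str, groups: set) -> bool:
    """tree maps 'dir/sub' ('' for the filesystem root) to a Node.
    Per the ADLS Gen2 permission table: x on each ancestor to traverse, r on a file
    to read, w on a file to append, r+x on a directory to list, w+x on a directory
    to create an item in it."""
    parts = [p for p in path.strip("/").split("/") if p]
    for depth in range(len(parts)):
        if not permitted(tree["/".join(parts[:depth])], oid, groups, "x"):
            return False
    need = {"read": "r", "append": "w", "list": "rx", "create": "wx"}[op]
    return permitted(tree["/".join(parts)], oid, groups, need)


# Constructed object IDs; not real Entra ID principals.
OWNER = "22222222-aaaa-4bbb-8ccc-000000000002"
ANALYST = "11111111-aaaa-4bbb-8ccc-000000000001"
DATA_ENG = "33333333-aaaa-4bbb-8ccc-000000000003"   # a group


def sample_tree() -> dict:
    """Mirror the question: read/list from the root down, write only under raw/2024.
    On 'raw' the analyst's rwx entry is clamped to r-x by the mask."""
    def node(acl):
        return Node(OWNER, DATA_ENG, tuple(parse_acl(acl)))
    return {
        "": node(f"user::rwx,group::r-x,other::---,user:{ANALYST}:r-x,mask::r-x"),
        "raw": node(f"user::rwx,group::r-x,other::---,user:{ANALYST}:rwx,mask::r-x"),
        "raw/2024": node(f"user::rwx,group::r-x,other::---,user:{ANALYST}:rwx,mask::rwx,"
                         f"default:user:{ANALYST}:rwx"),
        "raw/2024/events.json": node(f"user::rw-,group::r--,other::---,user:{ANALYST}:r--,mask::r--"),
    }


if __name__ == "__main__":
    tree = sample_tree()
    for path, op in [("raw", "list"), ("raw", "create"), ("raw/2024", "create"),
                     ("raw/2024/events.json", "read"), ("raw/2024/events.json", "append")]:
        print(f"analyst {op:6} {path:22} -> {allowed(tree, path, op, ANALYST, set())}")
```

When you grant write on a subfolder, check every ancestor for `x` as well, and check the mask: the effective permission of a named entry is its own bits ANDed with the mask, which is the usual reason an `rwx` entry still refuses writes.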
