JamesReynolds-9217 avatar image
0 Votes"
JamesReynolds-9217 asked SaurabhSharma-msft commented

Key Vault Service SAS token, container level, for Data Factory

Hi All,
I'm trying to put together a solution for reading and writing to a container using a service sas token managed by keyvault. I've been through all the setup. There are quite a few web pages about account sas which I can get working, not so many about service sas. When key vault generates the sas token for me, there is always a problem with it.

Has anyone actually got it working please?

So, I've followed the instructions here which already had container level service sas specified

To prove it works, I'm using a managed identity authed web activity in DF to get the sas token value out of key vault, so I can see the generated token. I then attach my url for the storageaccount/container to the token and try to connect using azure storage explorer.
I get Server failed to authenticate the request :-(

I assume this is user error, or there is some quirk or other that I need to do.
Any advice appreciated.

· 8
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@JamesReynolds-9217 Thanks for using Microsoft Q&A.

I have not tried using web activity to get the SAS token however, I am able to connect to Azure Key Vault using linked services using SAS token. I have setup this Azure Key Vault to access the storage account using SAS tokens by following the steps mentioned in the link using the document -

  • Give Key Vault Access to Storage Account

  • Give your user principal access to all storage account permissions, on your Key Vault instance

  • Create a Key Vault Managed storage account

  • Create a Shared Access Signature Token

  • Generate SAS Definition

Also, while connecting from ADF Linked Service I am passing the secret name as - <Storage Account Name>-<SAS DefinitionName>.

Please try and let me know if this works for you.

0 Votes 0 ·
image.png (51.9 KiB)

Hi @SaurabhSharma-msft ,
Thanks for your response, can you confirm for me please, that this is a service sas token and has restricted access to a container only? I do get a token out but it doesn't work, but account sas does work which is my sticking point.

0 Votes 0 ·

@JamesReynolds-9217 ok, I have used an account SAS token only. I have to check with the service sas token if that's the issue.

0 Votes 0 ·
Show more comments

0 Answers