Hello,
I have an Azure Function that is triggered when a blob is uploaded to a nested directory within a DataLake Gen2 storage container.
- I do not want to give the Function permissions on the entire DataLake (via connection string in Function app settings).
- Instead, I need to scope the Function's credentials down to a single, nested namespace.
How is this done?
Tried so far:
- It appears SAS tokens can only be generated at the first level of the DataLake (container level).
- This does not work for my use-case as there is one top-level container for the entire DataLake (so in essence, the Function still has root access to the DataLake)
- I want to scope permissions deeper, to the nested directory (namespace) level
- It appears Access Control Lists do not handle this scenario either.
- They don't grant a specific permission key/token/etc that can be used by a Function app setting
- I'd still have to grant the Function full root access to the DataLake, then hope the ACL perm works
- In addition, there is no GUI for managing ACLs (outside of Azure Storage Explorer for granting permissions) so they will inevitably be lost/forgotten/etc.
How do we scope permissions to a DataLake namespace in a way compatible with Azure Functions?
Thank you
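The following is an added example and is not part of the issue or the repository's code. It shows the two least-privilege options a practitioner would normally reach for on an ADLS Gen2 account with the hierarchical namespace enabled: a per-directory ACL for the Function's managed identity, and a user delegation SAS scoped to a single directory path rather than to the container. It assumes the Az.Storage and Az.Resources PowerShell modules, a signed-in principal allowed to mint user delegation SAS tokens and edit ACLs, and the placeholder account, container, directory and Function app names shown; adapt those to your environment.

```powershell
# Added example, not from the issue author. Placeholder names throughout.
$account     = "examplestorage"      # ADLS Gen2 account (hierarchical namespace on)
$container   = "datalake"            # the single top-level filesystem
$path        = "raw/team-a/inbound"  # the only directory the Function should reach
$functionApp = "my-function-app"     # name of the Function app's managed identity

# OAuth-backed context: no account key or full connection string is handed out.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount

# --- Option 1: POSIX ACL on just that directory for the managed identity ---
# Caveat: do NOT also give the identity a data-plane RBAC role (e.g. Storage Blob
# Data Contributor) on the account; RBAC is evaluated first and would bypass the ACL.
$spnId = (Get-AzADServicePrincipal -DisplayName $functionApp).Id

# rwx on the target directory, plus a default entry so new children inherit it.
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $path).ACL
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $spnId `
        -Permission "rwx" -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $spnId `
        -Permission "rwx" -DefaultScope -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $path -Acl $acl

# Execute-only (traverse) on each parent so the path can be resolved; the
# filesystem root needs the same "--x" entry, set the same way.
foreach ($parent in @("raw", "raw/team-a")) {
    $pacl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $parent).ACL
    $pacl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $spnId `
             -Permission "--x" -InputObject $pacl
    Update-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $parent -Acl $pacl
}

# --- Option 2: directory-scoped user delegation SAS (for a connection-string-style setting) ---
# Read + list on this directory only; short expiry so a leaked token has limited value.
$sas = New-AzDataLakeGen2SasToken -Context $ctx -FileSystem $container -Path $path `
         -Permission "rl" -ExpiryTime (Get-Date).AddHours(8)

# Value to place in the Function app setting instead of the account connection string.
"https://$account.dfs.core.windows.net/$container/$path?$sas"
```

With Option 1 the Function is configured with an identity-based connection (no secret in app settings at all) and the ACL is the only thing granting it data access; with Option 2 the token itself carries the directory scope, so a Function holding it cannot read siblings of `raw/team-a/inbound`. ACL entries are visible with `Get-AzDataLakeGen2Item ... | Select-Object -ExpandProperty ACL`, which is the place to audit them since they do not appear in the portal's access-control views.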