Microsoft Fabric Updates Blog

OneLake shared access signatures (SAS) now available in public preview

You can now delegate access to OneLake using short-lived OneLake shared access signatures (SAS). OneLake SAS make it easy to provide limited access to applications which may not support Microsoft Entra, as well as support applications serving as proxy layers between users and their data in OneLake. OneLake SAS follow security best practices for delegated access by always being short-lived and user-delegated.

What are OneLake SAS?

A shared access signature (SAS) is a token appended to the URI for a OneLake resource, containing a special set of query parameters which indicate the resources and permission levels granted to the client. OneLake SAS are distinct from Azure Storage SAS in the following ways:

  • OneLake SAS are always short-lived, with a maximum lifetime of 1 hour.
  • OneLake SAS are always user-delegated, and must be backed by an Entra Identity.
  • OneLake SAS only grant access to folders and files within Fabric data items, like lakehouses.

Getting started with OneLake SAS

The first step to using OneLake SAS is to turn on SAS authentication for your workspace. There is a new OneLake delegated workspace setting, Authenticate with OneLake user-delegated SAS tokens, which manages whether a workspace will accept SAS as a valid authentication method. Once your workspace admin turns this setting on, you can start using OneLake SAS to connect to your workspace.

Note: The setting may include a note that SAS is currently non-functional. This text is no longer valid and will be removed in a future update!

Creating a OneLake SAS

After turning on OneLake SAS for your workspace, it’s time to build one! First, you’ll need to request a user delegation key via the Get User Delegation Key API. This key is signed with your Entra identity, so any SAS signed with this key cannot exceed your permissions. Also remember that OneLake SAS are always short-lived, so the duration of your user delegation key cannot exceed 1 hour.

Once you’ve requested your key, you can build your SAS by setting its parameters, like start and expiry time. You can also further scope down the permissions of the SAS, ensuring the delegated client has the minimum permissions required to complete its task. You can learn more about the different OneLake SAS parameters in Creating a OneLake SAS.

For more information, see our documentation.

You can also create OneLake SAS with Azure Storage tools and SDKs. For example, you can use the Az.Storage PowerShell module or the Azure Storage Python SDK to request a user delegation key and generate a SAS token quickly and easily!
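As an added example (not code from this post or from Microsoft), the following Python check could run in a proxy layer before it hands a SAS URL to a client, enforcing the three properties described above: user-delegated, at most 1 hour, and minimum permissions. It assumes the query parameter names of the Azure Storage user delegation SAS format (`st`, `se`, `sp`, `sig`, `skoid`, `sktid`, `skt`, `ske`); `check_sas_url` is a hypothetical helper and both sample URLs are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)  # OneLake SAS maximum lifetime stated above
# Assumption: user delegation fields as named in the Azure Storage SAS format.
DELEGATION_FIELDS = ("skoid", "sktid", "skt", "ske")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def _parse_time(params, name):
    """Parse a UTC timestamp parameter; None if absent or malformed."""
    try:
        return datetime.strptime(params[name], TIME_FORMAT)
    except (KeyError, ValueError):
        return None

def check_sas_url(url, allowed_permissions):
    """Hypothetical helper: list policy violations (empty list = acceptable)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    missing = [f for f in DELEGATION_FIELDS if f not in params]
    if missing:
        problems.append("not user-delegated: missing " + ",".join(missing))
    start, expiry = _parse_time(params, "st"), _parse_time(params, "se")
    if start is None or expiry is None:
        # Conservative choice: an unbounded lifetime is treated as a violation.
        problems.append("st/se missing or malformed: lifetime cannot be bounded")
    elif expiry <= start:
        problems.append("expiry is not after start")
    elif expiry - start > MAX_LIFETIME:
        problems.append("lifetime %s exceeds 1 hour" % (expiry - start))
    extra = set(params.get("sp", "")) - set(allowed_permissions)
    if extra:
        problems.append("permissions beyond task scope: " + "".join(sorted(extra)))
    if "sig" not in params:
        problems.append("no signature")
    return problems

# Constructed sample URLs (placeholder workspace, item, IDs and signature).
BASE = "https://onelake.dfs.fabric.microsoft.com/ExampleWorkspace/Example.Lakehouse/Files/in"
KEY = ("&skoid=00000000-0000-0000-0000-000000000000"
       "&sktid=00000000-0000-0000-0000-000000000000"
       "&skt=2024-10-30T12:00:00Z&ske=2024-10-30T13:00:00Z")
GOOD_URL = BASE + "?sr=d&sp=rl&st=2024-10-30T12:00:00Z&se=2024-10-30T12:45:00Z" + KEY + "&sig=CONSTRUCTED"
BAD_URL = BASE + "?sr=d&sp=rwdl&st=2024-10-30T12:00:00Z&se=2024-10-30T20:00:00Z&sig=CONSTRUCTED"

if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print(check_sas_url(url, allowed_permissions="rl") or "ok")
```

The check inspects only the parameters the token claims; it does not verify the signature, which is validated by the service when the SAS is used.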

Try it today

OneLake SAS delivers on OneLake’s promise of an open ecosystem by providing even more integration opportunities to bring new data into OneLake. By providing delegated access governed with security best practices, OneLake SAS are a powerful new tool for bringing even more data and applications to OneLake, cementing OneLake as the only data lake your organization will ever need. For more information, see our documentation.
