Microsoft Fabric Updates Blog

OneLake shared access signatures (SAS) now available in public preview

You can now delegate access to OneLake using short-lived OneLake shared access signatures (SAS). OneLake SAS make it easy to provide limited access to applications which may not support Microsoft Entra, as well as support applications serving as proxy layers between users and their data in OneLake. OneLake SAS follow security best practices for delegated access by always being short-lived and user-delegated.

What are OneLake SAS?

A shared access signature (SAS) is a token appended to the URI for a OneLake resource, containing a special set of query parameters which indicate the resources and permission levels granted to the client. OneLake SAS are distinct from Azure Storage SAS in the following ways:

  • OneLake SAS are always short-lived, with a maximum lifetime of 1 hour.
  • OneLake SAS are always user-delegated, and must be backed by an Entra Identity.
  • OneLake SAS only grant access to folders and files within Fabric data items, like lakehouses.

Getting started with OneLake SAS

The first step to using OneLake SAS is to turn on SAS authentication for your workspace. There is a new OneLake delegated workspace setting, Authenticate with OneLake user-delegated SAS tokens, which manages whether a workspace will accept SAS as a valid authentication method. Once your workspace admin turns this setting on, you can start using OneLake SAS to connect to your workspace.

Note: The setting may include a note that SAS is currently non-functional. This text is no longer valid and will be removed in a future update!

Creating a OneLake SAS

After turning on OneLake SAS for your workspace, it’s time to build one! First, you’ll need to request a user delegation key via the Get User Delegation Key API. This key is signed with your Entra identity, so any SAS signed with this key cannot exceed your permissions. Also remember that OneLake SAS are always short-lived, so the duration of your user delegation key cannot exceed 1 hour.

Once you’ve requested your key, you can build your SAS by setting its parameters, like start and expiry time. You can also further scope down the permissions of the SAS, ensuring the delegated client has the minimum permissions required to complete its task. You can learn more about the different OneLake SAS parameters in Creating a OneLake SAS.

For more information, see our documentation.

You can also create OneLake SAS with existing Azure Storage tools and SDKs. For example, you can use the Az.Storage PowerShell module or the Azure Storage Python SDK to request a user delegation key and generate a SAS token quickly and easily!
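Before handing a SAS URL to a delegated client, you can check that its claims match the constraints described above: user-delegated, at most 1 hour long, and scoped to the minimum permissions. The following is an added example, not code from the original post or from Microsoft. It assumes the standard Azure Storage SAS query parameter names (`sp`, `st`, `se`, `skoid`, `sktid`, `skt`, `ske`, `sig`); the function name `audit_sas` and the sample URLs are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # OneLake cap for both the SAS and the key
# Query fields that a user delegation key adds to a SAS (Azure Storage names).
DELEGATION_FIELDS = ("skoid", "sktid", "skt", "ske")

def _ts(value):
    """Parse an ISO 8601 SAS timestamp; treat a missing zone as UTC."""
    t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def audit_sas(url, allowed_perms, now):
    """Return findings for a SAS URL; an empty list means it passed.
    Checks the token's claims only. The signature is verified by the service."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    missing = [f for f in DELEGATION_FIELDS if f not in q]
    if missing:
        findings.append("not user-delegated: missing " + ",".join(missing))
    if "se" not in q:
        findings.append("no expiry (se)")
    else:
        start = _ts(q["st"]) if "st" in q else now
        if _ts(q["se"]) <= now:
            findings.append("expired")
        if _ts(q["se"]) - start > MAX_LIFETIME:
            findings.append("lifetime exceeds 1 hour")
    if "skt" in q and "ske" in q and _ts(q["ske"]) - _ts(q["skt"]) > MAX_LIFETIME:
        findings.append("delegation key lifetime exceeds 1 hour")
    extra = sorted(set(q.get("sp", "")) - set(allowed_perms))
    if "sp" not in q:
        findings.append("no permissions field (sp)")
    elif extra:
        findings.append("permissions beyond allowed set: " + "".join(extra))
    return findings

# Constructed sample URLs: workspace, item, GUIDs and sig are placeholders.
BASE = "https://onelake.dfs.fabric.microsoft.com/ExampleWorkspace/Example.Lakehouse/Files/incoming"
KEY = "skoid=00000000-0000-0000-0000-000000000001&sktid=00000000-0000-0000-0000-000000000002"
GOOD = (BASE + "?sp=r&st=2026-01-12T10:00:00Z&se=2026-01-12T10:45:00Z&" + KEY
        + "&skt=2026-01-12T10:00:00Z&ske=2026-01-12T10:45:00Z&sig=PLACEHOLDER")
BAD = BASE + "?sp=rwd&st=2026-01-12T10:00:00Z&se=2026-01-12T18:00:00Z&sig=PLACEHOLDER"
NOW = datetime(2026, 1, 12, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas(url, "rl", NOW))
```

The same check can run in a proxy layer or a CI step that issues SAS URLs, so an over-scoped or long-lived token is caught before it leaves your control.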

Try it today

OneLake SAS delivers on OneLake’s promise of an open ecosystem by providing even more integration opportunities to bring new data into OneLake. By providing delegated access governed with security best practices, OneLake SAS are a powerful new tool for bringing even more data and applications to OneLake, cementing OneLake as the only data lake your organization will ever need. For more information, see our documentation.
