
Conversation

ibrandes (Member) commented Aug 7, 2025

🔐 New Feature: User Delegation SAS Support for Azure Queue Storage

This PR adds comprehensive support for generating User Delegation Shared Access Signatures (SAS) for Azure Queue Storage. These enhancements allow SAS tokens to be scoped to specific Entra ID users, improving security and access control.


📦 Key Additions

  1. New Models Introduced

    • UserDelegationKey: Represents a user-scoped key with metadata like object ID, tenant ID, start/expiry times, service, version, and base64 value.
    • KeyInfo: Encapsulates start and expiry timestamps for delegation keys.
    • ServicesGetUserDelegationKeyHeaders: Captures HTTP headers returned when fetching a user delegation key.
  2. Updated SAS Signature Logic

    • QueueSasImplUtil now supports generating SAS tokens signed with a UserDelegationKey.
    • New method generateUserDelegationSas(...) added to both QueueAsyncClient and QueueClient.
  3. Extended Signature Values

    • QueueServiceSasSignatureValues now includes a delegatedUserObjectId field to bind SAS usage to a specific Entra ID user.
  4. Client Enhancements

    • QueueServiceClient and QueueServiceAsyncClient now support fetching user delegation keys via getUserDelegationKey(...).

🧪 Test Coverage

New tests validate:

  • Successful SAS generation and usage with delegated user object ID.
  • Failure scenarios when the SAS is used without a proper Entra ID token.
  • Integration of user delegation SAS with queue operations like sendMessage, getProperties, and receiveMessages.

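The flow the PR description lays out (fetch a user delegation key with an Entra credential, build signature values bound to a principal, sign the SAS with the key) written out end to end as an added example. This is not code from the PR or from the azure-storage-queue library; the method shapes getUserDelegationKey(start, expiry), generateUserDelegationSas(values, key) and setDelegatedUserObjectId(String) are assumed to mirror the existing blob client, the endpoint and queue name are placeholders, and the consumer object ID is taken from an environment variable. The objectIdFromToken helper shows how to read the oid claim from an Entra access token when you hold the consumer's credential instead.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.queue.QueueClient;
import com.azure.storage.queue.QueueServiceClient;
import com.azure.storage.queue.QueueServiceClientBuilder;
import com.azure.storage.queue.models.UserDelegationKey;
import com.azure.storage.queue.sas.QueueSasPermission;
import com.azure.storage.queue.sas.QueueServiceSasSignatureValues;

import java.nio.charset.StandardCharsets;
import java.time.OffsetDateTime;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not PR code): issue a queue SAS bound to one Entra principal. */
public class QueueUserDelegationSasExample {
    private static final String STORAGE_SCOPE = "https://storage.azure.com/.default";

    /**
     * Reads the "oid" claim from an access token issued to the given credential.
     * Useful when the issuer holds the consumer's credential (e.g. in a test) and
     * needs its object ID without hard-coding it. The payload is decoded, not verified:
     * the token is only used as a source for the ID, never as proof of identity.
     */
    static String objectIdFromToken(TokenCredential credential) {
        AccessToken token = credential.getTokenSync(
            new TokenRequestContext().addScopes(STORAGE_SCOPE));
        String[] parts = token.getToken().split("\\.");
        if (parts.length < 2) {
            throw new IllegalStateException("access token is not a JWT");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"oid\"\\s*:\\s*\"([^\"]+)\"").matcher(payload);
        if (!m.find()) {
            throw new IllegalStateException("access token carries no oid claim");
        }
        return m.group(1);
    }

    /**
     * Issues a short-lived SAS for one queue that can only be redeemed by the principal
     * whose object ID is given. Method names on the service/queue clients are assumed
     * to follow the blob client (not verified against the PR).
     */
    static String issueSasFor(QueueServiceClient serviceClient, String queueName, String consumerObjectId) {
        OffsetDateTime start = OffsetDateTime.now().minusMinutes(5);  // small clock-skew allowance
        OffsetDateTime expiry = OffsetDateTime.now().plusHours(1);    // keep delegated tokens short

        // The delegation key itself is requested with the issuer's Entra credential and is
        // valid only inside [start, expiry]; the SAS cannot outlive the key.
        UserDelegationKey key = serviceClient.getUserDelegationKey(start, expiry);

        // Least privilege: only the operations the consumer needs (add + read/process).
        QueueSasPermission permissions = new QueueSasPermission()
            .setAddPermission(true)
            .setReadPermission(true)
            .setProcessPermission(true);

        QueueServiceSasSignatureValues values = new QueueServiceSasSignatureValues(expiry, permissions)
            .setStartTime(start)
            .setDelegatedUserObjectId(consumerObjectId);  // assumed setter for the new field

        QueueClient queueClient = serviceClient.getQueueClient(queueName);
        return queueClient.generateUserDelegationSas(values, key);  // assumed signature
    }

    public static void main(String[] args) {
        String endpoint = "https://<account>.queue.core.windows.net";   // placeholder
        String queueName = "orders";                                     // placeholder
        // Object ID of the principal that will present the SAS; supplied out of band here.
        String consumerOid = System.getenv("DELEGATED_USER_OID");
        if (consumerOid == null || consumerOid.isEmpty()) {
            throw new IllegalStateException("set DELEGATED_USER_OID to the consumer's object ID");
        }

        TokenCredential issuerCredential = new DefaultAzureCredentialBuilder().build();
        QueueServiceClient serviceClient = new QueueServiceClientBuilder()
            .endpoint(endpoint)
            .credential(issuerCredential)
            .buildClient();

        String sas = issueSasFor(serviceClient, queueName, consumerOid);
        // Do not log the SAS itself; it is a bearer secret until the bound principal is checked.
        System.out.println("issued delegated SAS for " + queueName + " bound to oid " + consumerOid
            + " (" + sas.length() + " chars)");
    }
}
```

The point of the delegatedUserObjectId binding, as the PR's test list states it, is that the resulting SAS is not usable on its own: a request carrying it without an Entra token for that same principal is rejected. That changes the threat model for a leaked SAS string from "anyone can use it until expiry" to "only the bound principal can use it", which is why the example still keeps the expiry short and the permissions minimal rather than relying on the binding alone.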
@github-actions github-actions bot added the Storage Storage Service (Queues, Blobs, Files) label Aug 7, 2025
@Azure Azure deleted a comment from azure-pipelines bot Aug 7, 2025
ibrandes (Member, Author) commented Aug 7, 2025

/azp run java - pullrequest

azure-pipelines bot: Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@ibrandes ibrandes marked this pull request as ready for review August 7, 2025 20:16
@ibrandes ibrandes changed the title Queue User Delegation SAS STG100 - Queue User Delegation SAS Aug 17, 2025
@ibrandes ibrandes requested a review from Copilot August 17, 2025 20:09
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR introduces User Delegation Shared Access Signatures (SAS) support for Azure Queue Storage, enabling SAS tokens to be scoped to specific Entra ID users for enhanced security and access control.

Key Changes:

  • Adds user delegation key retrieval functionality to queue service clients
  • Extends SAS signature generation to support user delegation keys
  • Introduces new model classes for user delegation key management
  • Updates API specifications to use the new 2026-02-06 service version

Reviewed Changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

Summary per file:

  • swagger/README.md: Updates API specification to 2026-02-06 version and adds new custom types
  • QueueTestBase.java: Adds test utilities and OAuth client helper methods for user delegation testing
  • QueueServiceAsyncApiTests.java: Adds tests for getUserDelegationKey functionality in async client
  • QueueServiceApiTests.java: Adds tests for getUserDelegationKey functionality in sync client
  • QueueSasClientTests.java: Adds comprehensive tests for user delegation SAS generation and usage
  • QueueSasAsyncClientTests.java: Adds async tests for user delegation SAS functionality
  • QueueAsyncApiTests.java: Minor method name correction for OAuth service client
  • QueueServiceSasSignatureValues.java: Adds delegatedUserObjectId field and related methods
  • UserDelegationKey.java: New generated model class for user delegation key representation
  • KeyInfo.java: New generated model class for key timing information
  • QueueSasImplUtil.java: Core implementation for user delegation SAS generation
  • ServicesGetUserDelegationKeyHeaders.java: New generated class for HTTP headers
  • ServicesImpl.java: Adds service implementation for getUserDelegationKey operations
  • QueueServiceClient.java: Adds getUserDelegationKey methods to sync service client
  • QueueServiceAsyncClient.java: Adds getUserDelegationKey methods to async service client
  • QueueClient.java: Adds generateUserDelegationSas methods to sync queue client
  • QueueAsyncClient.java: Adds generateUserDelegationSas methods to async queue client

kyleknap (Member) left a comment

Looks good. Just had a couple of comments.

kyleknap (Member) left a comment

Looks good! 🚢

Base automatically changed from stg100/blobPrincipalBoundIdentitySas to feature/storage/stg100base August 20, 2025 18:05
@ibrandes ibrandes changed the base branch from feature/storage/stg100base to stg100/dataLakePrincipalBoundIdentitySas August 20, 2025 18:18
Base automatically changed from stg100/dataLakePrincipalBoundIdentitySas to feature/storage/stg100base August 20, 2025 19:15
github-actions bot (Contributor) commented Aug 20, 2025

API Change Check

APIView identified API level changes in this PR and created the following API reviews

com.azure:azure-storage-queue

ibrandes (Member, Author) commented

Merging; the failure is just from re-running and the artifacts already existing.

@ibrandes ibrandes merged commit 3f21e08 into feature/storage/stg100base Aug 20, 2025
15 of 18 checks passed
@ibrandes ibrandes deleted the stg100/queueUserDelegationSAS branch August 20, 2025 22:19