or run

tessl search
Log in

Version

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
golangpkg:golang/github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2@v2.0.1

docs

error-handling.mdindex.mdqueue-client.mdsas.mdservice-client.md
tile.json

tessl/golang-github-com-azure-azure-sdk-for-go-sdk-storage-azqueue-v2

tessl install tessl/golang-github-com-azure-azure-sdk-for-go-sdk-storage-azqueue-v2@2.0.1

Azure Queue Storage SDK for Go provides comprehensive client library for interacting with Azure's cloud-based message queue service including queue management, message operations, and multiple authentication methods.

sas.mddocs/

Shared Access Signatures (SAS)

The SAS package (github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2/sas) provides functionality for generating Shared Access Signature tokens that grant limited access to Azure Queue Storage resources. SAS tokens enable secure delegation of access without sharing account keys.

Capabilities

Account-Level SAS

Generate SAS tokens for account-level access across multiple resources and services.

// Account SAS signature values
type AccountSignatureValues struct {
    // SAS version (defaults to "2020-02-10")
    Version string `param:"sv"`

    // Protocol restriction (HTTPS or HTTPS+HTTP)
    Protocol Protocol `param:"spr"`

    // Start time for SAS validity (omitted if zero)
    StartTime time.Time `param:"st"`

    // Expiry time for SAS validity (omitted if zero)
    ExpiryTime time.Time `param:"se"`

    // Permissions string (use AccountPermissions.String())
    Permissions string `param:"sp"`

    // IP range restriction
    IPRange IPRange `param:"sip"`

    // Resource types string (use AccountResourceTypes.String())
    ResourceTypes string `param:"srt"`
}

// Sign with shared key credential
func (v AccountSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredential) (QueryParameters, error)

// Account permissions
type AccountPermissions struct {
    Read                  bool
    Write                 bool
    Delete                bool
    DeletePreviousVersion bool
    PermanentDelete       bool
    List                  bool
    Add                   bool
    Create                bool
    Update                bool
    Process               bool
    Tag                   bool
    FilterByTags          bool
    SetImmutabilityPolicy bool
}

// Produce SAS permissions string
func (p *AccountPermissions) String() string

// Account resource types
type AccountResourceTypes struct {
    Service   bool // Queue service operations
    Container bool // Queue operations
    Object    bool // Message operations
}

// Produce resource types string
func (rt *AccountResourceTypes) String() string

Usage Example:

import (
    "time"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2/sas"
)

// Create shared key credential
cred, err := azqueue.NewSharedKeyCredential("myaccount", "mykey")
if err != nil {
    // handle error
}

// Define permissions
permissions := sas.AccountPermissions{
    Read:   true,
    Write:  true,
    List:   true,
    Add:    true,
    Create: true,
}

// Define resource types
resourceTypes := sas.AccountResourceTypes{
    Service:   true,
    Container: true,
    Object:    true,
}

// Create signature values
signatureValues := sas.AccountSignatureValues{
    Version:       sas.Version, // "2020-02-10"
    Protocol:      sas.ProtocolHTTPS,
    StartTime:     time.Now(),
    ExpiryTime:    time.Now().Add(24 * time.Hour),
    Permissions:   permissions.String(),
    ResourceTypes: resourceTypes.String(),
}

// Sign to produce query parameters
queryParams, err := signatureValues.SignWithSharedKey(cred)
if err != nil {
    // handle error
}

// Build SAS URL
sasURL := fmt.Sprintf("https://myaccount.queue.core.windows.net/?%s", queryParams.Encode())

// Use SAS URL to create client
client, err := azqueue.NewServiceClientWithNoCredential(sasURL, nil)

Account Permission Flags:

  • Read - Read permissions for all resource types
  • Write - Write permissions for all resource types
  • Delete - Delete permissions
  • DeletePreviousVersion - Delete previous version
  • PermanentDelete - Permanent delete
  • List - List permissions
  • Add - Add messages to queues
  • Create - Create queues
  • Update - Update messages
  • Process - Process messages (dequeue)
  • Tag - Tag operations
  • FilterByTags - Filter by tags
  • SetImmutabilityPolicy - Set immutability policy

Resource Type Flags:

  • Service - Access to service-level APIs (properties, statistics)
  • Container - Access to queue-level APIs (create, delete, list queues)
  • Object - Access to message-level APIs (enqueue, dequeue, peek, update, delete)

Queue-Level SAS

Generate SAS tokens for specific queue access.

// Queue SAS signature values
type QueueSignatureValues struct {
    // SAS version (defaults to "2020-02-10")
    Version string `param:"sv"`

    // Protocol restriction (HTTPS or HTTPS+HTTP)
    Protocol Protocol `param:"spr"`

    // Start time for SAS validity (omitted if zero)
    StartTime time.Time `param:"st"`

    // Expiry time for SAS validity (omitted if zero)
    ExpiryTime time.Time `param:"se"`

    // Permissions string (use QueuePermissions.String())
    Permissions string `param:"sp"`

    // IP range restriction
    IPRange IPRange `param:"sip"`

    // Stored access policy identifier
    Identifier string `param:"si"`

    // Queue name
    QueueName string

    // Azure AD authorized object ID
    AuthorizedObjectID string

    // Azure AD unauthorized object ID
    UnauthorizedObjectID string

    // Correlation ID
    CorrelationID string

    // Signed delegated user object ID
    SignedDelegatedUserObjectID string
}

// Sign with shared key credential
func (v QueueSignatureValues) SignWithSharedKey(sharedKeyCredential *SharedKeyCredential) (QueryParameters, error)

// Sign with user delegation credential
func (v QueueSignatureValues) SignWithUserDelegation(userDelegationCredential *UserDelegationCredential) (QueryParameters, error)

// Queue permissions
type QueuePermissions struct {
    Read    bool // Peek messages
    Add     bool // Enqueue messages
    Update  bool // Update messages
    Process bool // Dequeue and delete messages
}

// Produce SAS permissions string
func (p *QueuePermissions) String() string

Usage Example (Shared Key):

import (
    "time"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2/sas"
)

// Create shared key credential
cred, err := azqueue.NewSharedKeyCredential("myaccount", "mykey")
if err != nil {
    // handle error
}

// Define permissions
permissions := sas.QueuePermissions{
    Read:    true,
    Add:     true,
    Update:  true,
    Process: true,
}

// Create signature values
signatureValues := sas.QueueSignatureValues{
    Version:     sas.Version,
    Protocol:    sas.ProtocolHTTPS,
    StartTime:   time.Now(),
    ExpiryTime:  time.Now().Add(1 * time.Hour),
    Permissions: permissions.String(),
    QueueName:   "myqueue",
}

// Sign to produce query parameters
queryParams, err := signatureValues.SignWithSharedKey(cred)
if err != nil {
    // handle error
}

// Build SAS URL
sasURL := fmt.Sprintf("https://myaccount.queue.core.windows.net/myqueue?%s", queryParams.Encode())

// Use SAS URL to create queue client
queueClient, err := azqueue.NewQueueClientWithNoCredential(sasURL, nil)

Usage Example (User Delegation):

import (
    "time"
    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2/sas"
)

// Get user delegation key from service (requires Azure AD authentication)
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
    // handle error
}

serviceClient, err := azqueue.NewServiceClient(
    "https://myaccount.queue.core.windows.net/",
    cred,
    nil,
)
if err != nil {
    // handle error
}

// Get user delegation credential
// Note: This requires calling GetUserDelegationKey on the service
// (not shown in this example as it's a Blob/Queue service-level operation)
var userDelegationCred *sas.UserDelegationCredential // obtained from service

// Create signature values
permissions := sas.QueuePermissions{
    Read:    true,
    Add:     true,
    Process: true,
}

signatureValues := sas.QueueSignatureValues{
    Version:     sas.Version,
    Protocol:    sas.ProtocolHTTPS,
    StartTime:   time.Now(),
    ExpiryTime:  time.Now().Add(1 * time.Hour),
    Permissions: permissions.String(),
    QueueName:   "myqueue",
}

// Sign with user delegation credential
queryParams, err := signatureValues.SignWithUserDelegation(userDelegationCred)
if err != nil {
    // handle error
}

sasURL := fmt.Sprintf("https://myaccount.queue.core.windows.net/myqueue?%s", queryParams.Encode())

Queue Permission Flags:

  • Read - Read/peek messages
  • Add - Add/enqueue messages
  • Update - Update messages
  • Process - Process messages (dequeue and delete)

Using Stored Access Policy:

// Reference a stored access policy by identifier
signatureValues := sas.QueueSignatureValues{
    Version:    sas.Version,
    Identifier: "policy1", // References queue's stored access policy
    QueueName:  "myqueue",
}

queryParams, err := signatureValues.SignWithSharedKey(cred)
// When Identifier is set, Permissions, StartTime, and ExpiryTime come from the stored policy

Common SAS Types

Protocol

Protocol restriction for SAS tokens.

type Protocol string

const (
    // HTTPS only
    ProtocolHTTPS Protocol = "https"

    // Both HTTPS and HTTP
    ProtocolHTTPSandHTTP Protocol = "https,http"
)

IP Range

IP address range restriction for SAS tokens.

type IPRange struct {
    // Start IP address (empty if not specified)
    Start net.IP

    // End IP address (empty if not specified)
    End net.IP
}

// String representation of IP range
func (ipr *IPRange) String() string

Usage:

import "net"

// Single IP
ipRange := sas.IPRange{
    Start: net.ParseIP("192.168.1.1"),
}

// IP range
ipRange = sas.IPRange{
    Start: net.ParseIP("192.168.1.1"),
    End:   net.ParseIP("192.168.1.255"),
}

signatureValues.IPRange = ipRange

Query Parameters

Represents parsed SAS query parameters.

type QueryParameters struct {
    // unexported fields
}

// Create from URL values
func NewQueryParameters(values url.Values) QueryParameters

// Encode as URL query string
func (p *QueryParameters) Encode() string

// Getter methods
func (p *QueryParameters) Version() string
func (p *QueryParameters) Services() string
func (p *QueryParameters) ResourceTypes() string
func (p *QueryParameters) Protocol() Protocol
func (p *QueryParameters) StartTime() time.Time
func (p *QueryParameters) ExpiryTime() time.Time
func (p *QueryParameters) IPRange() IPRange
func (p *QueryParameters) Identifier() string
func (p *QueryParameters) Permissions() string
func (p *QueryParameters) Signature() string
func (p *QueryParameters) SignedOID() string
func (p *QueryParameters) SignedTID() string
func (p *QueryParameters) SignedStart() time.Time
func (p *QueryParameters) SignedExpiry() time.Time
func (p *QueryParameters) SignedService() string
func (p *QueryParameters) SignedVersion() string
func (p *QueryParameters) AuthorizedObjectID() string
func (p *QueryParameters) UnauthorizedObjectID() string
func (p *QueryParameters) SignedCorrelationID() string
func (p *QueryParameters) CacheControl() string
func (p *QueryParameters) ContentDisposition() string
func (p *QueryParameters) ContentEncoding() string
func (p *QueryParameters) ContentLanguage() string
func (p *QueryParameters) ContentType() string

// Resource type (for service SAS)
func (p *QueryParameters) Resource() string

// Snapshot time (for blob snapshots, not used for queues)
func (p *QueryParameters) SnapshotTime() time.Time

// Signed directory depth (for hierarchical namespace, not used for queues)
func (p *QueryParameters) SignedDirectoryDepth() string

Usage:

import "net/url"

// Parse SAS parameters from URL
u, _ := url.Parse("https://account.queue.core.windows.net/queue?sv=2020-02-10&se=2024-01-01T00:00:00Z&sp=r&sig=...")
queryParams := sas.NewQueryParameters(u.Query())

fmt.Printf("Version: %s\n", queryParams.Version())
fmt.Printf("Permissions: %s\n", queryParams.Permissions())
fmt.Printf("Expiry: %s\n", queryParams.ExpiryTime().Format(time.RFC3339))

// Encode back to query string
queryString := queryParams.Encode()

URL Parsing and Construction

Parse and construct queue URLs with SAS tokens.

// URL components
type URLParts struct {
    // URL scheme (e.g., "https://")
    Scheme string

    // Host (e.g., "account.queue.core.windows.net")
    Host string

    // IP endpoint style info (for storage emulator)
    IPEndpointStyleInfo IPEndpointStyleInfo

    // Queue name (empty if service-level URL)
    QueueName string

    // SAS query parameters
    SAS QueryParameters

    // Other query parameters
    UnparsedParams string
}

// Parse URL into components
func ParseURL(u string) (URLParts, error)

// Reconstruct URL from components
func (up URLParts) String() string

// IP endpoint style info
type IPEndpointStyleInfo struct {
    // Account name (empty if not IP endpoint style)
    AccountName string
}

Usage:

// Parse queue URL
parts, err := sas.ParseURL("https://myaccount.queue.core.windows.net/myqueue?sv=2020-02-10&sp=r&sig=...")
if err != nil {
    // handle error
}

fmt.Printf("Scheme: %s\n", parts.Scheme)
fmt.Printf("Host: %s\n", parts.Host)
fmt.Printf("Queue: %s\n", parts.QueueName)
fmt.Printf("SAS Version: %s\n", parts.SAS.Version())

// Modify and reconstruct
parts.QueueName = "newqueue"
newURL := parts.String()

IP Endpoint Style (Storage Emulator):

// Parse IP endpoint style URL
parts, err := sas.ParseURL("https://10.132.141.33/myaccount/myqueue")
if err != nil {
    // handle error
}

if parts.IPEndpointStyleInfo.AccountName != "" {
    fmt.Printf("Account: %s\n", parts.IPEndpointStyleInfo.AccountName)
}

Credential Types

SharedKeyCredential

type SharedKeyCredential = exported.SharedKeyCredential

Account credentials for signing SAS tokens with shared key authentication.

UserDelegationCredential

type UserDelegationCredential = exported.UserDelegationCredential

User delegation credentials for signing SAS tokens with Azure AD authentication.

Constants

const (
    // Default SAS version
    Version = "2020-02-10"
)

SAS Best Practices

  1. Use HTTPS Only: Always use ProtocolHTTPS for production to prevent token interception
  2. Minimal Permissions: Grant only the permissions required for the task
  3. Short Expiry: Use the shortest practical expiry time
  4. IP Restrictions: Add IP range restrictions when clients have known IP addresses
  5. Stored Access Policies: Use stored access policies for queue-level SAS to enable centralized revocation
  6. User Delegation: Prefer user delegation SAS over shared key SAS when using Azure AD authentication

Example: Complete SAS Workflow

import (
    "fmt"
    "time"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2"
    "github.com/Azure/azure-sdk-for-go/sdk/storage/azqueue/v2/sas"
)

func generateAndUseSAS() error {
    // Create shared key credential
    cred, err := azqueue.NewSharedKeyCredential("myaccount", "mykey")
    if err != nil {
        return err
    }

    // Create service client
    serviceClient, err := azqueue.NewServiceClientWithSharedKeyCredential(
        "https://myaccount.queue.core.windows.net/",
        cred,
        nil,
    )
    if err != nil {
        return err
    }

    // Create queue
    queueClient := serviceClient.NewQueueClient("workqueue")
    _, err = queueClient.Create(context.TODO(), nil)
    if err != nil {
        return err
    }

    // Generate SAS URL for limited access
    permissions := sas.QueuePermissions{
        Add:     true,
        Process: true,
    }

    expiry := time.Now().Add(1 * time.Hour)
    sasURL, err := queueClient.GetSASURL(permissions, expiry, nil)
    if err != nil {
        return err
    }

    // Share sasURL with worker application
    fmt.Printf("SAS URL: %s\n", sasURL)

    // Worker application uses SAS URL (no account key needed)
    workerClient, err := azqueue.NewQueueClientWithNoCredential(sasURL, nil)
    if err != nil {
        return err
    }

    // Worker can add and process messages
    _, err = workerClient.EnqueueMessage(context.TODO(), "task data", nil)
    if err != nil {
        return err
    }

    resp, err := workerClient.DequeueMessage(context.TODO(), nil)
    if err != nil {
        return err
    }

    if len(resp.Messages) > 0 {
        msg := resp.Messages[0]
        // Process message...
        _, err = workerClient.DeleteMessage(context.TODO(), *msg.MessageID, *msg.PopReceipt, nil)
    }

    return nil
}