Azure Data Tables supports multiple authentication methods including Named Key credentials, SAS credentials, Token credentials, and convenient connection string parsing.
Authenticate using the storage account name and access key for full account access.
/**
* Named key credential for shared key authentication
* Provides full access to the storage account
*/
class AzureNamedKeyCredential {
/** Storage account name */
readonly name: string;
/** Storage account access key */
readonly key: string;
/**
* Creates a named key credential
* @param name - Storage account name
* @param key - Storage account access key (primary or secondary)
*/
constructor(name: string, key: string);
/**
* Updates the account key
* @param key - New access key
*/
update(key: string): void;
}Usage Examples:
import { TableServiceClient, TableClient, AzureNamedKeyCredential } from "@azure/data-tables";
// Create named key credential
const credential = new AzureNamedKeyCredential("mystorageaccount", "myaccesskey");
// Use with service client for account-wide operations
const serviceClient = new TableServiceClient(
"https://mystorageaccount.table.core.windows.net",
credential
);
// Use with table client for table-specific operations
const tableClient = new TableClient(
"https://mystorageaccount.table.core.windows.net",
"MyTable",
credential
);
// Update the key if needed (e.g., key rotation)
credential.update("mynewccesskey");Authenticate using Shared Access Signature tokens for time-limited, permission-restricted access.
/**
* SAS credential for shared access signature authentication
* Provides limited access based on SAS permissions and constraints
*/
class AzureSASCredential {
/** SAS signature string */
readonly signature: string;
/**
* Creates a SAS credential
* @param signature - Complete SAS query string (without leading '?')
*/
constructor(signature: string);
/**
* Updates the SAS signature
* @param signature - New SAS query string
*/
update(signature: string): void;
}Usage Examples:
import { TableServiceClient, TableClient, AzureSASCredential } from "@azure/data-tables";
// SAS token (typically generated elsewhere or received from another service)
const sasToken = "sv=2022-11-02&ss=t&srt=sco&sp=rwdlacup&se=2024-01-01T00:00:00Z&st=2023-01-01T00:00:00Z&spr=https&sig=signature";
// Create SAS credential
const sasCredential = new AzureSASCredential(sasToken);
// Use with service client (if SAS has service-level permissions)
const serviceClient = new TableServiceClient(
"https://mystorageaccount.table.core.windows.net",
sasCredential
);
// Use with table client (most common for table-specific SAS)
const tableClient = new TableClient(
"https://mystorageaccount.table.core.windows.net",
"MyTable",
sasCredential
);
// Update SAS if needed (e.g., token renewal)
sasCredential.update("new-sas-token-string");Authenticate using Azure Active Directory tokens for enterprise authentication scenarios.
/**
* Token credential interface for Azure AD authentication
* Implemented by various credential types from @azure/identity
*/
interface TokenCredential {
/**
* Gets an access token for the specified scopes
* @param scopes - Array of permission scopes
* @param options - Optional parameters for token acquisition
* @returns Promise resolving to access token
*/
getToken(scopes: string[], options?: GetTokenOptions): Promise<AccessToken>;
}
interface AccessToken {
/** The access token string */
token: string;
/** Token expiration timestamp */
expiresOnTimestamp: number;
}
interface GetTokenOptions {
/** Abort signal for canceling token requests */
abortSignal?: AbortSignalLike;
/** Claims challenge for conditional access scenarios */
claims?: string;
/** Enable confidential client assertions */
enableCae?: boolean;
/** Tenant ID for multi-tenant scenarios */
tenantId?: string;
}Usage Examples:
import { TableServiceClient, TableClient } from "@azure/data-tables";
import { DefaultAzureCredential, ClientSecretCredential, ManagedIdentityCredential } from "@azure/identity";
// Using DefaultAzureCredential (recommended for most scenarios)
const defaultCredential = new DefaultAzureCredential();
const serviceClient = new TableServiceClient(
"https://mystorageaccount.table.core.windows.net",
defaultCredential
);
// Using specific credential types
const clientSecretCredential = new ClientSecretCredential(
"tenant-id",
"client-id",
"client-secret"
);
const tableClient = new TableClient(
"https://mystorageaccount.table.core.windows.net",
"MyTable",
clientSecretCredential
);
// Using Managed Identity (for Azure resources)
const managedIdentityCredential = new ManagedIdentityCredential();
const miTableClient = new TableClient(
"https://mystorageaccount.table.core.windows.net",
"MyTable",
managedIdentityCredential
);Convenient factory methods for creating clients from connection strings that contain all necessary authentication information.
/**
* Creates a TableServiceClient from a connection string
* @param connectionString - Azure Storage connection string
* @param options - Optional client configuration
* @returns Configured TableServiceClient instance
*/
static fromConnectionString(connectionString: string, options?: TableServiceClientOptions): TableServiceClient;
/**
* Creates a TableClient from a connection string
* @param connectionString - Azure Storage connection string
* @param tableName - Name of the table to operate on
* @param options - Optional client configuration
* @returns Configured TableClient instance
*/
static fromConnectionString(connectionString: string, tableName: string, options?: TableClientOptions): TableClient;Connection String Formats:
// Storage account with access key
const connectionString = "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=myaccesskey;EndpointSuffix=core.windows.net";
// Storage account with SAS token
const sasConnectionString = "TableEndpoint=https://mystorageaccount.table.core.windows.net/;SharedAccessSignature=sv=2022-11-02&ss=t&srt=sco&sp=rwdlacup&se=2024-01-01T00:00:00Z&sig=signature";
// Development storage emulator
const emulatorConnectionString = "UseDevelopmentStorage=true";
// Custom endpoint with access key
const customEndpointConnectionString = "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=myaccesskey;TableEndpoint=https://custom.endpoint.com";Usage Examples:
import { TableServiceClient, TableClient } from "@azure/data-tables";
const connectionString = "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=myaccesskey;EndpointSuffix=core.windows.net";
// Create service client from connection string
const serviceClient = TableServiceClient.fromConnectionString(connectionString);
// Create table client from connection string
const tableClient = TableClient.fromConnectionString(connectionString, "MyTable");
// With custom options
const tableClientWithOptions = TableClient.fromConnectionString(connectionString, "MyTable", {
allowInsecureConnection: false,
retryOptions: {
maxRetries: 3,
retryDelayInMs: 1000
}
});
// Using development storage emulator
const emulatorClient = TableClient.fromConnectionString("UseDevelopmentStorage=true", "TestTable");For publicly accessible resources or SAS URLs embedded in the endpoint.
/**
* Creates clients without explicit credentials for public access or SAS-embedded URLs
*/
// Service client with no credential (for public access or SAS in URL)
const serviceClient = new TableServiceClient("https://mystorageaccount.table.core.windows.net");
// Table client with no credential
const tableClient = new TableClient("https://mystorageaccount.table.core.windows.net", "MyTable");Usage Examples:
// URL with embedded SAS token
const urlWithSas = "https://mystorageaccount.table.core.windows.net/MyTable?sv=2022-11-02&ss=t&srt=o&sp=r&se=2024-01-01T00:00:00Z&sig=signature";
// Create client without separate credential
const tableClient = new TableClient(urlWithSas, "MyTable");
// The SAS token in the URL provides authentication
const entities = tableClient.listEntities();
for await (const entity of entities) {
console.log(entity);
}Common configuration options available for all authentication methods.
interface TableServiceClientOptions {
/** Additional HTTP pipeline policies */
additionalPolicies?: AdditionalPolicyConfig[];
/** Allow HTTP connections (insecure) */
allowInsecureConnection?: boolean;
/** Custom HTTP client implementation */
httpClient?: HttpClient;
/** Proxy server configuration */
proxyOptions?: ProxySettings;
/** Retry policy settings */
retryOptions?: PipelineRetryOptions;
/** Telemetry configuration */
telemetryOptions?: TelemetryOptions;
/** User agent policy settings */
userAgentOptions?: UserAgentPolicyOptions;
}
type TableClientOptions = TableServiceClientOptions;
interface ProxySettings {
/** Proxy server host */
host: string;
/** Proxy server port */
port: number;
/** Proxy authentication username (optional) */
username?: string;
/** Proxy authentication password (optional) */
password?: string;
}
interface PipelineRetryOptions {
/** Maximum number of retry attempts */
maxRetries?: number;
/** Initial retry delay in milliseconds */
retryDelayInMs?: number;
/** Maximum retry delay in milliseconds */
maxRetryDelayInMs?: number;
/** Exponential backoff multiplier */
retryMode?: "exponential" | "fixed";
}
interface TelemetryOptions {
/** Application ID for telemetry correlation */
applicationId?: string;
/** Disable telemetry collection */
disabled?: boolean;
}
interface UserAgentPolicyOptions {
/** Additional user agent string prefix */
userAgentPrefix?: string;
}Development vs Production:
// Development: Use connection strings or development storage
const devClient = TableClient.fromConnectionString("UseDevelopmentStorage=true", "TestTable");
// Production: Use managed identity or service principals
import { DefaultAzureCredential } from "@azure/identity";
const prodCredential = new DefaultAzureCredential();
const prodClient = new TableClient(
"https://prodaccount.table.core.windows.net",
"ProductionTable",
prodCredential
);Key Rotation:
// Named key credential with rotation support
const credential = new AzureNamedKeyCredential("account", "key1");
const client = new TableClient("https://account.table.core.windows.net", "Table", credential);
// Later, when rotating keys
credential.update("key2"); // Client automatically uses new keyLeast Privilege Access:
import { generateTableSas } from "@azure/data-tables";
// Generate limited SAS for specific operations
const readOnlySas = generateTableSas("ReadOnlyTable", namedKeyCredential, {
permissions: { query: true, add: false, update: false, delete: false },
expiresOn: new Date(Date.now() + 60 * 60 * 1000) // 1 hour
});
// Use limited SAS credential
const limitedClient = new TableClient(
"https://account.table.core.windows.net",
"ReadOnlyTable",
new AzureSASCredential(readOnlySas)
);// Using environment variables for configuration
const connectionString = process.env.AZURE_STORAGE_CONNECTION_STRING;
if (!connectionString) {
throw new Error("AZURE_STORAGE_CONNECTION_STRING environment variable is required");
}
const client = TableClient.fromConnectionString(connectionString, "MyTable", {
retryOptions: {
maxRetries: parseInt(process.env.AZURE_RETRY_COUNT || "3"),
retryDelayInMs: parseInt(process.env.AZURE_RETRY_DELAY || "1000")
}
});interface AdditionalPolicyConfig {
/** Custom policy implementation */
policy: any;
/** Position in the HTTP pipeline */
position: "perCall" | "perRetry";
}
interface HttpClient {
/** Send HTTP request method */
sendRequest: (request: any) => Promise<HttpResponse>;
}
interface AbortSignalLike {
/** Indicates if the operation was aborted */
aborted: boolean;
/** Event listener registration for abort events */
addEventListener: (type: "abort", listener: () => void) => void;
/** Event listener removal */
removeEventListener?: (type: "abort", listener: () => void) => void;
}