Tessl Tile for pypi/azure-data-tables@12.7.0

or run

npx @tessl/cli init

Version

Tile

Overview

Evals

Files

docs

async-operations.md batch-operations.md entity-data-types.md error-handling.md index.md security-access-control.md service-management.md table-operations.md

security-access-control.mddocs/

0
# Security and Access Control
1

2
Shared Access Signature (SAS) generation, permission management, and access control capabilities for secure, time-limited access to Azure Tables resources.
3

4
## Capabilities
5

6
### Account-Level SAS Generation
7

8
Generate account-level shared access signatures for broad resource access across the entire storage account.
9

10
```python { .api }
11
def generate_account_sas(
12
    credential: AzureNamedKeyCredential,
13
    resource_types: ResourceTypes,
14
    permission: Union[str, AccountSasPermissions],
15
    expiry: Union[datetime, str],
16
    *,
17
    start: Union[datetime, str] = None,
18
    ip_address_or_range: str = None,
19
    protocol: Union[SASProtocol, str] = None
20
) -> str:
21
    """
22
    Generate account-level shared access signature.
23

24
    Parameters:
25
    - credential: Account key credential for signing
26
    - resource_types: Accessible resource types (service, container, object)
27
    - permission: Account-level permissions
28
    - expiry: Expiration time for the SAS token
29
    - start: Optional start time (defaults to current time)
30
    - ip_address_or_range: Optional IP address restrictions
31
    - protocol: Optional protocol restrictions (HTTPS/HTTP)
32

33
    Returns:
34
    SAS token string for account-level access
35
    """
36
```
37

38
#### Usage Example
39

40
```python
41
from azure.data.tables import generate_account_sas, ResourceTypes, AccountSasPermissions, SASProtocol
42
from azure.core.credentials import AzureNamedKeyCredential
43
from datetime import datetime, timedelta
44

45
# Create credential
46
credential = AzureNamedKeyCredential("myaccount", "mykey")
47

48
# Configure resource types
49
resource_types = ResourceTypes(service=True, container=True, object=True)
50

51
# Configure permissions
52
permissions = AccountSasPermissions(
53
    read=True,
54
    write=True,
55
    list=True,
56
    create=True
57
)
58

59
# Generate SAS token
60
sas_token = generate_account_sas(
61
    credential=credential,
62
    resource_types=resource_types,
63
    permission=permissions,
64
    expiry=datetime.utcnow() + timedelta(hours=1),
65
    start=datetime.utcnow(),
66
    protocol=SASProtocol.HTTPS
67
)
68

69
print(f"Account SAS: {sas_token}")
70

71
# Use SAS token with client
72
from azure.data.tables import TableServiceClient
73
sas_client = TableServiceClient(
74
    endpoint="https://myaccount.table.core.windows.net/",
75
    credential=sas_token
76
)
77
```
78

79
### Table-Level SAS Generation
80

81
Generate table-specific shared access signatures for granular access control to individual tables.
82

83
```python { .api }
84
def generate_table_sas(
85
    credential: AzureNamedKeyCredential,
86
    table_name: str,
87
    *,
88
    permission: Union[str, TableSasPermissions] = None,
89
    expiry: Union[datetime, str] = None,
90
    start: Union[datetime, str] = None,
91
    ip_address_or_range: str = None,
92
    policy_id: str = None,
93
    protocol: Union[SASProtocol, str] = None
94
) -> str:
95
    """
96
    Generate table-level shared access signature.
97

98
    Parameters:
99
    - credential: Account key credential for signing
100
    - table_name: Name of the table
101
    - permission: Table-level permissions (optional if using policy_id)
102
    - expiry: Expiration time (optional if using policy_id)
103
    - start: Optional start time
104
    - ip_address_or_range: Optional IP address restrictions
105
    - policy_id: Optional stored access policy ID
106
    - protocol: Optional protocol restrictions
107

108
    Returns:
109
    SAS token string for table-specific access
110
    """
111
```
112

113
#### Usage Example
114

115
```python
116
from azure.data.tables import generate_table_sas, TableSasPermissions, SASProtocol
117
from azure.core.credentials import AzureNamedKeyCredential
118
from datetime import datetime, timedelta
119

120
credential = AzureNamedKeyCredential("myaccount", "mykey")
121

122
# Read-only access
123
read_permissions = TableSasPermissions(read=True)
124
read_sas = generate_table_sas(
125
    credential=credential,
126
    table_name="customers",
127
    permission=read_permissions,
128
    expiry=datetime.utcnow() + timedelta(hours=2),
129
    protocol=SASProtocol.HTTPS
130
)
131

132
# Full access with IP restriction
133
full_permissions = TableSasPermissions(
134
    read=True,
135
    add=True,
136
    update=True,
137
    delete=True
138
)
139
full_sas = generate_table_sas(
140
    credential=credential,
141
    table_name="orders",
142
    permission=full_permissions,
143
    expiry=datetime.utcnow() + timedelta(hours=1),
144
    ip_address_or_range="192.168.1.0/24"
145
)
146

147
# Using stored access policy
148
policy_sas = generate_table_sas(
149
    credential=credential,
150
    table_name="products",
151
    policy_id="read-policy"  # References stored policy
152
)
153

154
# Use table SAS with client
155
from azure.data.tables import TableClient
156
table_client = TableClient(
157
    endpoint="https://myaccount.table.core.windows.net/",
158
    table_name="customers",
159
    credential=read_sas
160
)
161
```
162

163
### Permission Models
164

165
Define granular permissions for different access levels and resource types.
166

167
```python { .api }
168
class AccountSasPermissions:
169
    """
170
    Account-level SAS permissions for broad resource access.
171
    """
172
    
173
    def __init__(
174
        self,
175
        read: bool = False,
176
        write: bool = False,
177
        delete: bool = False,
178
        list: bool = False,
179
        add: bool = False,
180
        create: bool = False,
181
        update: bool = False,
182
        process: bool = False
183
    ):
184
        """
185
        Initialize account permissions.
186

187
        Parameters:
188
        - read: Read resources and metadata
189
        - write: Write to resources
190
        - delete: Delete resources
191
        - list: List resources
192
        - add: Add new resources
193
        - create: Create new resources
194
        - update: Update existing resources
195
        - process: Process queue messages
196
        """
197

198
    @classmethod
199
    def from_string(cls, permission: str, **kwargs) -> "AccountSasPermissions":
200
        """
201
        Create permissions from string representation.
202

203
        Parameters:
204
        - permission: String like "rwdlacup" where each character represents:
205
          r=read, w=write, d=delete, l=list, a=add, c=create, u=update, p=process
206

207
        Returns:
208
        AccountSasPermissions instance
209
        """
210

211
class TableSasPermissions:
212
    """
213
    Table-level SAS permissions for entity operations.
214
    """
215
    
216
    def __init__(
217
        self,
218
        read: bool = False,
219
        add: bool = False,
220
        update: bool = False,
221
        delete: bool = False
222
    ):
223
        """
224
        Initialize table permissions.
225

226
        Parameters:
227
        - read: Get and query entities
228
        - add: Insert new entities
229
        - update: Update existing entities
230
        - delete: Delete entities
231
        """
232

233
    @classmethod
234
    def from_string(cls, permission: str, **kwargs) -> "TableSasPermissions":
235
        """
236
        Create permissions from string representation.
237

238
        Parameters:
239
        - permission: String like "raud" where each character represents:
240
          r=read, a=add, u=update, d=delete
241

242
        Returns:
243
        TableSasPermissions instance
244
        """
245

246
class ResourceTypes:
247
    """
248
    Resource types accessible with account SAS.
249
    """
250
    
251
    def __init__(
252
        self,
253
        service: bool = False,
254
        container: bool = False,
255
        object: bool = False
256
    ):
257
        """
258
        Initialize resource types.
259

260
        Parameters:
261
        - service: Service-level APIs (get/set service properties, stats)
262
        - container: Container-level APIs (create/delete tables, list)
263
        - object: Object-level APIs (entity operations)
264
        """
265

266
    @classmethod
267
    def from_string(cls, string: str) -> "ResourceTypes":
268
        """
269
        Create resource types from string representation.
270

271
        Parameters:
272
        - string: String like "sco" where each character represents:
273
          s=service, c=container, o=object
274

275
        Returns:
276
        ResourceTypes instance
277
        """
278
```
279

280
#### Usage Example
281

282
```python
283
from azure.data.tables import AccountSasPermissions, TableSasPermissions, ResourceTypes
284

285
# Create permissions from individual flags
286
account_perms = AccountSasPermissions(
287
    read=True,
288
    write=True,
289
    list=True,
290
    create=True
291
)
292

293
table_perms = TableSasPermissions(
294
    read=True,
295
    add=True,
296
    update=True
297
)
298

299
resource_types = ResourceTypes(
300
    service=True,
301
    container=True,
302
    object=True
303
)
304

305
# Create permissions from strings
306
account_perms = AccountSasPermissions.from_string("rwlc")
307
table_perms = TableSasPermissions.from_string("rau")  
308
resource_types = ResourceTypes.from_string("sco")
309

310
print(f"Account permissions: read={account_perms.read}, write={account_perms.write}")
311
print(f"Table permissions: add={table_perms.add}, delete={table_perms.delete}")
312
```
313

314
### Protocol and IP Restrictions
315

316
Control access based on network protocols and IP address ranges for enhanced security.
317

318
```python { .api }
319
class SASProtocol(Enum):
320
    """
321
    Allowed protocols for SAS access.
322
    """
323
    
324
    HTTPS = "https"  # HTTPS protocol only (recommended)
325
    HTTP = "http"    # HTTP protocol (less secure)
326
```
327

328
#### Usage Example
329

330
```python
331
from azure.data.tables import generate_table_sas, TableSasPermissions, SASProtocol
332
from azure.core.credentials import AzureNamedKeyCredential
333
from datetime import datetime, timedelta
334

335
credential = AzureNamedKeyCredential("myaccount", "mykey")
336

337
# HTTPS-only access
338
secure_sas = generate_table_sas(
339
    credential=credential,
340
    table_name="sensitive_data",
341
    permission=TableSasPermissions(read=True),
342
    expiry=datetime.utcnow() + timedelta(hours=1),
343
    protocol=SASProtocol.HTTPS
344
)
345

346
# IP address restrictions
347
restricted_sas = generate_table_sas(
348
    credential=credential,
349
    table_name="internal_data",
350
    permission=TableSasPermissions(read=True, add=True),
351
    expiry=datetime.utcnow() + timedelta(hours=2),
352
    ip_address_or_range="10.0.0.0/8",  # Internal network only
353
    protocol=SASProtocol.HTTPS
354
)
355

356
# Single IP address
357
single_ip_sas = generate_table_sas(
358
    credential=credential,
359
    table_name="admin_data",
360
    permission=TableSasPermissions(read=True, add=True, update=True, delete=True),
361
    expiry=datetime.utcnow() + timedelta(minutes=30),
362
    ip_address_or_range="203.0.113.5",  # Specific admin workstation
363
    protocol=SASProtocol.HTTPS
364
)
365
```
366

367
### Stored Access Policies
368

369
Manage reusable access policy definitions for consistent permission management and easy revocation.
370

371
```python { .api }
372
class TableAccessPolicy:
373
    """
374
    Stored access policy for table-level permissions.
375
    Enables centralized policy management and easy revocation.
376
    """
377
    
378
    def __init__(
379
        self,
380
        start: Union[datetime, str] = None,
381
        expiry: Union[datetime, str] = None,
382
        permission: str = None
383
    ):
384
        """
385
        Initialize access policy.
386

387
        Parameters:
388
        - start: Policy start time (optional)
389
        - expiry: Policy expiration time (optional)  
390
        - permission: Permission string (r=read, a=add, u=update, d=delete)
391
        """
392
```
393

394
#### Usage Example
395

396
```python
397
from azure.data.tables import TableClient, TableAccessPolicy
398
from datetime import datetime, timedelta
399

400
table_client = TableClient.from_connection_string(conn_str, "products")
401

402
# Create access policies
403
read_policy = TableAccessPolicy(
404
    start=datetime.utcnow(),
405
    expiry=datetime.utcnow() + timedelta(days=7),
406
    permission="r"  # read-only
407
)
408

409
admin_policy = TableAccessPolicy(
410
    start=datetime.utcnow(),
411
    expiry=datetime.utcnow() + timedelta(hours=2),
412
    permission="raud"  # full access
413
)
414

415
# Set policies on table
416
table_client.set_table_access_policy({
417
    "weekly-read": read_policy,
418
    "admin-access": admin_policy
419
})
420

421
# Generate SAS using stored policy
422
from azure.data.tables import generate_table_sas
423
from azure.core.credentials import AzureNamedKeyCredential
424

425
credential = AzureNamedKeyCredential("myaccount", "mykey")
426
policy_sas = generate_table_sas(
427
    credential=credential,
428
    table_name="products",
429
    policy_id="weekly-read"  # References the stored policy
430
)
431

432
# Revoke access by deleting policy
433
table_client.set_table_access_policy({
434
    "weekly-read": None,  # Delete this policy
435
    "admin-access": admin_policy  # Keep this one
436
})
437

438
# All SAS tokens using the deleted policy are now invalid
439
```
440

441
### Authentication Patterns
442

443
Common authentication and authorization patterns for different scenarios.
444

445
#### Usage Example
446

447
```python
448
from azure.data.tables import TableServiceClient, TableClient
449
from azure.core.credentials import AzureNamedKeyCredential
450
from azure.identity import DefaultAzureCredential
451

452
# Connection string (development)
453
service_client = TableServiceClient.from_connection_string(
454
    "DefaultEndpointsProtocol=https;AccountName=dev;AccountKey=key=="
455
)
456

457
# Account key credential (service accounts)
458
credential = AzureNamedKeyCredential("prod_account", "prod_key")
459
service_client = TableServiceClient(
460
    endpoint="https://prod_account.table.core.windows.net/",
461
    credential=credential
462
)
463

464
# Azure AD authentication (production)
465
aad_credential = DefaultAzureCredential()
466
service_client = TableServiceClient(
467
    endpoint="https://prod_account.table.core.windows.net/",
468
    credential=aad_credential
469
)
470

471
# SAS token authentication (delegated access)
472
sas_token = "sv=2019-02-02&ss=t&srt=sco&sp=rwdlacup&se=2023-12-31T23:59:59Z&sig=..."
473
service_client = TableServiceClient(
474
    endpoint="https://account.table.core.windows.net/",
475
    credential=sas_token
476
)
477

478
# Table-specific SAS
479
table_sas = "sv=2019-02-02&tn=customers&sp=r&se=2023-12-31T23:59:59Z&sig=..."
480
table_client = TableClient(
481
    endpoint="https://account.table.core.windows.net/",
482
    table_name="customers",
483
    credential=table_sas
484
)
485
```
486

487
## Best Practices
488

489
### Security Recommendations
490

491
1. **Use HTTPS Only**: Always specify `SASProtocol.HTTPS` for production
492
2. **Minimize Permissions**: Grant only the permissions necessary for the task
493
3. **Short Expiration Times**: Use the shortest reasonable expiration time
494
4. **IP Restrictions**: Restrict access to known IP ranges when possible
495
5. **Stored Policies**: Use stored access policies for easier management and revocation
496
6. **Azure AD**: Prefer Azure AD authentication over account keys in production
497
7. **Key Rotation**: Regularly rotate account keys and update stored policies
498

499
### Example Secure Configuration
500

501
```python
502
from azure.data.tables import generate_table_sas, TableSasPermissions, SASProtocol
503
from azure.core.credentials import AzureNamedKeyCredential
504
from datetime import datetime, timedelta
505

506
# Secure SAS generation
507
def create_secure_table_sas(account_name: str, account_key: str, table_name: str):
508
    credential = AzureNamedKeyCredential(account_name, account_key)
509
    
510
    return generate_table_sas(
511
        credential=credential,
512
        table_name=table_name,
513
        permission=TableSasPermissions(read=True),  # Minimal permissions
514
        expiry=datetime.utcnow() + timedelta(hours=1),  # Short duration
515
        start=datetime.utcnow(),  # Immediate start
516
        protocol=SASProtocol.HTTPS,  # HTTPS only
517
        ip_address_or_range="10.0.0.0/8"  # Internal network only
518
    )
519
```

Version

Tile

Files

security-access-control.md.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}docs/

security-access-control.mddocs/