tessl/pypi-azure-data-tables
Microsoft Azure Data Tables Client Library for Python
90
0.96x
security-access-control.mddocs/
Security and Access Control
Shared Access Signature (SAS) generation, permission management, and access control capabilities for secure, time-limited access to Azure Tables resources.
Capabilities
Account-Level SAS Generation
Generate account-level shared access signatures for broad resource access across the entire storage account.
def generate_account_sas(
credential: AzureNamedKeyCredential,
resource_types: ResourceTypes,
permission: Union[str, AccountSasPermissions],
expiry: Union[datetime, str],
*,
start: Union[datetime, str] = None,
ip_address_or_range: str = None,
protocol: Union[SASProtocol, str] = None
) -> str:
"""
Generate account-level shared access signature.
Parameters:
- credential: Account key credential for signing
- resource_types: Accessible resource types (service, container, object)
- permission: Account-level permissions
- expiry: Expiration time for the SAS token
- start: Optional start time (defaults to current time)
- ip_address_or_range: Optional IP address restrictions
- protocol: Optional protocol restrictions (HTTPS/HTTP)
Returns:
SAS token string for account-level access
"""Usage Example
from azure.data.tables import generate_account_sas, ResourceTypes, AccountSasPermissions, SASProtocol
from azure.core.credentials import AzureNamedKeyCredential
from datetime import datetime, timedelta
# Create credential
credential = AzureNamedKeyCredential("myaccount", "mykey")
# Configure resource types
resource_types = ResourceTypes(service=True, container=True, object=True)
# Configure permissions
permissions = AccountSasPermissions(
read=True,
write=True,
list=True,
create=True
)
# Generate SAS token
sas_token = generate_account_sas(
credential=credential,
resource_types=resource_types,
permission=permissions,
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow(),
protocol=SASProtocol.HTTPS
)
print(f"Account SAS: {sas_token}")
# Use SAS token with client
from azure.data.tables import TableServiceClient
sas_client = TableServiceClient(
endpoint="https://myaccount.table.core.windows.net/",
credential=sas_token
)Table-Level SAS Generation
Generate table-specific shared access signatures for granular access control to individual tables.
def generate_table_sas(
credential: AzureNamedKeyCredential,
table_name: str,
*,
permission: Union[str, TableSasPermissions] = None,
expiry: Union[datetime, str] = None,
start: Union[datetime, str] = None,
ip_address_or_range: str = None,
policy_id: str = None,
protocol: Union[SASProtocol, str] = None
) -> str:
"""
Generate table-level shared access signature.
Parameters:
- credential: Account key credential for signing
- table_name: Name of the table
- permission: Table-level permissions (optional if using policy_id)
- expiry: Expiration time (optional if using policy_id)
- start: Optional start time
- ip_address_or_range: Optional IP address restrictions
- policy_id: Optional stored access policy ID
- protocol: Optional protocol restrictions
Returns:
SAS token string for table-specific access
"""Usage Example
from azure.data.tables import generate_table_sas, TableSasPermissions, SASProtocol
from azure.core.credentials import AzureNamedKeyCredential
from datetime import datetime, timedelta
credential = AzureNamedKeyCredential("myaccount", "mykey")
# Read-only access
read_permissions = TableSasPermissions(read=True)
read_sas = generate_table_sas(
credential=credential,
table_name="customers",
permission=read_permissions,
expiry=datetime.utcnow() + timedelta(hours=2),
protocol=SASProtocol.HTTPS
)
# Full access with IP restriction
full_permissions = TableSasPermissions(
read=True,
add=True,
update=True,
delete=True
)
full_sas = generate_table_sas(
credential=credential,
table_name="orders",
permission=full_permissions,
expiry=datetime.utcnow() + timedelta(hours=1),
ip_address_or_range="192.168.1.0/24"
)
# Using stored access policy
policy_sas = generate_table_sas(
credential=credential,
table_name="products",
policy_id="read-policy" # References stored policy
)
# Use table SAS with client
from azure.data.tables import TableClient
table_client = TableClient(
endpoint="https://myaccount.table.core.windows.net/",
table_name="customers",
credential=read_sas
)Permission Models
Define granular permissions for different access levels and resource types.
class AccountSasPermissions:
"""
Account-level SAS permissions for broad resource access.
"""
def __init__(
self,
read: bool = False,
write: bool = False,
delete: bool = False,
list: bool = False,
add: bool = False,
create: bool = False,
update: bool = False,
process: bool = False
):
"""
Initialize account permissions.
Parameters:
- read: Read resources and metadata
- write: Write to resources
- delete: Delete resources
- list: List resources
- add: Add new resources
- create: Create new resources
- update: Update existing resources
- process: Process queue messages
"""
@classmethod
def from_string(cls, permission: str, **kwargs) -> "AccountSasPermissions":
"""
Create permissions from string representation.
Parameters:
- permission: String like "rwdlacup" where each character represents:
r=read, w=write, d=delete, l=list, a=add, c=create, u=update, p=process
Returns:
AccountSasPermissions instance
"""
class TableSasPermissions:
"""
Table-level SAS permissions for entity operations.
"""
def __init__(
self,
read: bool = False,
add: bool = False,
update: bool = False,
delete: bool = False
):
"""
Initialize table permissions.
Parameters:
- read: Get and query entities
- add: Insert new entities
- update: Update existing entities
- delete: Delete entities
"""
@classmethod
def from_string(cls, permission: str, **kwargs) -> "TableSasPermissions":
"""
Create permissions from string representation.
Parameters:
- permission: String like "raud" where each character represents:
r=read, a=add, u=update, d=delete
Returns:
TableSasPermissions instance
"""
class ResourceTypes:
"""
Resource types accessible with account SAS.
"""
def __init__(
self,
service: bool = False,
container: bool = False,
object: bool = False
):
"""
Initialize resource types.
Parameters:
- service: Service-level APIs (get/set service properties, stats)
- container: Container-level APIs (create/delete tables, list)
- object: Object-level APIs (entity operations)
"""
@classmethod
def from_string(cls, string: str) -> "ResourceTypes":
"""
Create resource types from string representation.
Parameters:
- string: String like "sco" where each character represents:
s=service, c=container, o=object
Returns:
ResourceTypes instance
"""Usage Example
from azure.data.tables import AccountSasPermissions, TableSasPermissions, ResourceTypes
# Create permissions from individual flags
account_perms = AccountSasPermissions(
read=True,
write=True,
list=True,
create=True
)
table_perms = TableSasPermissions(
read=True,
add=True,
update=True
)
resource_types = ResourceTypes(
service=True,
container=True,
object=True
)
# Create permissions from strings
account_perms = AccountSasPermissions.from_string("rwlc")
table_perms = TableSasPermissions.from_string("rau")
resource_types = ResourceTypes.from_string("sco")
print(f"Account permissions: read={account_perms.read}, write={account_perms.write}")
print(f"Table permissions: add={table_perms.add}, delete={table_perms.delete}")Protocol and IP Restrictions
Control access based on network protocols and IP address ranges for enhanced security.
class SASProtocol(Enum):
"""
Allowed protocols for SAS access.
"""
HTTPS = "https" # HTTPS protocol only (recommended)
HTTP = "http" # HTTP protocol (less secure)Usage Example
from azure.data.tables import generate_table_sas, TableSasPermissions, SASProtocol
from azure.core.credentials import AzureNamedKeyCredential
from datetime import datetime, timedelta
credential = AzureNamedKeyCredential("myaccount", "mykey")
# HTTPS-only access
secure_sas = generate_table_sas(
credential=credential,
table_name="sensitive_data",
permission=TableSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
protocol=SASProtocol.HTTPS
)
# IP address restrictions
restricted_sas = generate_table_sas(
credential=credential,
table_name="internal_data",
permission=TableSasPermissions(read=True, add=True),
expiry=datetime.utcnow() + timedelta(hours=2),
ip_address_or_range="10.0.0.0/8", # Internal network only
protocol=SASProtocol.HTTPS
)
# Single IP address
single_ip_sas = generate_table_sas(
credential=credential,
table_name="admin_data",
permission=TableSasPermissions(read=True, add=True, update=True, delete=True),
expiry=datetime.utcnow() + timedelta(minutes=30),
ip_address_or_range="203.0.113.5", # Specific admin workstation
protocol=SASProtocol.HTTPS
)Stored Access Policies
Manage reusable access policy definitions for consistent permission management and easy revocation.
class TableAccessPolicy:
"""
Stored access policy for table-level permissions.
Enables centralized policy management and easy revocation.
"""
def __init__(
self,
start: Union[datetime, str] = None,
expiry: Union[datetime, str] = None,
permission: str = None
):
"""
Initialize access policy.
Parameters:
- start: Policy start time (optional)
- expiry: Policy expiration time (optional)
- permission: Permission string (r=read, a=add, u=update, d=delete)
"""Usage Example
from azure.data.tables import TableClient, TableAccessPolicy
from datetime import datetime, timedelta
table_client = TableClient.from_connection_string(conn_str, "products")
# Create access policies
read_policy = TableAccessPolicy(
start=datetime.utcnow(),
expiry=datetime.utcnow() + timedelta(days=7),
permission="r" # read-only
)
admin_policy = TableAccessPolicy(
start=datetime.utcnow(),
expiry=datetime.utcnow() + timedelta(hours=2),
permission="raud" # full access
)
# Set policies on table
table_client.set_table_access_policy({
"weekly-read": read_policy,
"admin-access": admin_policy
})
# Generate SAS using stored policy
from azure.data.tables import generate_table_sas
from azure.core.credentials import AzureNamedKeyCredential
credential = AzureNamedKeyCredential("myaccount", "mykey")
policy_sas = generate_table_sas(
credential=credential,
table_name="products",
policy_id="weekly-read" # References the stored policy
)
# Revoke access by deleting policy
table_client.set_table_access_policy({
"weekly-read": None, # Delete this policy
"admin-access": admin_policy # Keep this one
})
# All SAS tokens using the deleted policy are now invalidAuthentication Patterns
Common authentication and authorization patterns for different scenarios.
Usage Example
from azure.data.tables import TableServiceClient, TableClient
from azure.core.credentials import AzureNamedKeyCredential
from azure.identity import DefaultAzureCredential
# Connection string (development)
service_client = TableServiceClient.from_connection_string(
"DefaultEndpointsProtocol=https;AccountName=dev;AccountKey=key=="
)
# Account key credential (service accounts)
credential = AzureNamedKeyCredential("prod_account", "prod_key")
service_client = TableServiceClient(
endpoint="https://prod_account.table.core.windows.net/",
credential=credential
)
# Azure AD authentication (production)
aad_credential = DefaultAzureCredential()
service_client = TableServiceClient(
endpoint="https://prod_account.table.core.windows.net/",
credential=aad_credential
)
# SAS token authentication (delegated access)
sas_token = "sv=2019-02-02&ss=t&srt=sco&sp=rwdlacup&se=2023-12-31T23:59:59Z&sig=..."
service_client = TableServiceClient(
endpoint="https://account.table.core.windows.net/",
credential=sas_token
)
# Table-specific SAS
table_sas = "sv=2019-02-02&tn=customers&sp=r&se=2023-12-31T23:59:59Z&sig=..."
table_client = TableClient(
endpoint="https://account.table.core.windows.net/",
table_name="customers",
credential=table_sas
)Best Practices
Security Recommendations
- Use HTTPS Only: Always specify
SASProtocol.HTTPSfor production - Minimize Permissions: Grant only the permissions necessary for the task
- Short Expiration Times: Use the shortest reasonable expiration time
- IP Restrictions: Restrict access to known IP ranges when possible
- Stored Policies: Use stored access policies for easier management and revocation
- Azure AD: Prefer Azure AD authentication over account keys in production
- Key Rotation: Regularly rotate account keys and update stored policies
Example Secure Configuration
from azure.data.tables import generate_table_sas, TableSasPermissions, SASProtocol
from azure.core.credentials import AzureNamedKeyCredential
from datetime import datetime, timedelta
# Secure SAS generation
def create_secure_table_sas(account_name: str, account_key: str, table_name: str):
credential = AzureNamedKeyCredential(account_name, account_key)
return generate_table_sas(
credential=credential,
table_name=table_name,
permission=TableSasPermissions(read=True), # Minimal permissions
expiry=datetime.utcnow() + timedelta(hours=1), # Short duration
start=datetime.utcnow(), # Immediate start
protocol=SASProtocol.HTTPS, # HTTPS only
ip_address_or_range="10.0.0.0/8" # Internal network only
)Install with Tessl CLI
npx tessl i tessl/pypi-azure-data-tablesdocs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10