tessl/pypi-azure-storage-queue
Microsoft Azure Queue Storage Client Library for Python providing comprehensive message queuing capabilities for distributed applications.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
authentication.mddocs/
Authentication and Security
Comprehensive authentication methods, Shared Access Signature (SAS) generation, and access control mechanisms for secure queue operations.
Capabilities
Authentication Methods
Multiple authentication approaches for different security requirements and deployment scenarios.
# Connection String Authentication
client = QueueServiceClient.from_connection_string(
"DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=mykey"
)
# Account Key Authentication
client = QueueServiceClient(
account_url="https://myaccount.queue.core.windows.net",
credential="account_key_string"
)
# SAS Token Authentication
client = QueueServiceClient(
account_url="https://myaccount.queue.core.windows.net",
credential="sas_token_string"
)
# Azure Active Directory Authentication
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
client = QueueServiceClient(
account_url="https://myaccount.queue.core.windows.net",
credential=credential
)Account SAS Generation
Generate account-level Shared Access Signatures for flexible resource access control.
def generate_account_sas(
account_name: str,
account_key: str,
resource_types: Union[ResourceTypes, str],
permission: Union[AccountSasPermissions, str],
expiry: Union[datetime, str],
start: Optional[Union[datetime, str]] = None,
ip: Optional[str] = None,
*,
services: Union[Services, str] = Services(queue=True),
sts_hook: Optional[Callable[[str], None]] = None,
**kwargs
) -> str:
"""
Generate account-level SAS token for multiple resources.
Parameters:
- account_name: Storage account name
- account_key: Storage account access key
- resource_types: Resource types accessible (service, container, object)
- permission: Permissions granted by the SAS
- expiry: Token expiration time
- start: Token start time (default: now)
- ip: IP address or range restriction
- services: Services accessible (blob, queue, fileshare)
- sts_hook: Optional callback for token signing
Returns:
SAS token string for URL or credential use
"""Queue SAS Generation
Generate queue-specific Shared Access Signatures for granular queue access control.
def generate_queue_sas(
account_name: str,
queue_name: str,
account_key: str,
permission: Optional[Union[QueueSasPermissions, str]] = None,
expiry: Optional[Union[datetime, str]] = None,
start: Optional[Union[datetime, str]] = None,
policy_id: Optional[str] = None,
ip: Optional[str] = None,
protocol: Optional[str] = None,
*,
sts_hook: Optional[Callable[[str], None]] = None,
**kwargs
) -> str:
"""
Generate queue-specific SAS token.
Parameters:
- account_name: Storage account name
- queue_name: Target queue name
- account_key: Storage account access key
- permission: Queue permissions (read, add, update, process)
- expiry: Token expiration time (required if no policy_id)
- start: Token start time
- policy_id: Stored access policy identifier
- ip: IP address or range restriction
- protocol: Protocol restriction ('https' or 'https,http')
- sts_hook: Optional callback for token signing
Returns:
SAS token string for queue access
"""Usage Examples
Basic Authentication Patterns
from azure.storage.queue import QueueServiceClient
# Method 1: Connection String (simplest for development)
service_client = QueueServiceClient.from_connection_string(
"DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=mykey;EndpointSuffix=core.windows.net"
)
# Method 2: Account URL + Key (explicit credential management)
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential="account_access_key"
)
# Method 3: Azure Active Directory (recommended for production)
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential=credential
)Account SAS Token Generation
from azure.storage.queue import generate_account_sas, ResourceTypes, AccountSasPermissions, Services
from datetime import datetime, timedelta
# Generate account SAS with queue access
sas_token = generate_account_sas(
account_name="mystorageaccount",
account_key="account_access_key",
resource_types=ResourceTypes(service=True, container=True, object=True),
permission=AccountSasPermissions(
read=True,
write=True,
delete=True,
list=True,
add=True,
process=True
),
expiry=datetime.utcnow() + timedelta(hours=24),
start=datetime.utcnow(),
services=Services(queue=True)
)
# Use SAS token to create client
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential=sas_token
)Queue-Specific SAS Generation
from azure.storage.queue import generate_queue_sas, QueueSasPermissions
from datetime import datetime, timedelta
# Generate read-only SAS for specific queue
read_sas = generate_queue_sas(
account_name="mystorageaccount",
queue_name="myqueue",
account_key="account_access_key",
permission=QueueSasPermissions(read=True, process=True), # Read metadata, get/delete messages
expiry=datetime.utcnow() + timedelta(hours=2)
)
# Generate write-only SAS for message production
write_sas = generate_queue_sas(
account_name="mystorageaccount",
queue_name="myqueue",
account_key="account_access_key",
permission=QueueSasPermissions(add=True, update=True), # Send and update messages
expiry=datetime.utcnow() + timedelta(hours=12)
)
# Create clients with specific permissions
read_client = QueueClient(
account_url="https://mystorageaccount.queue.core.windows.net",
queue_name="myqueue",
credential=read_sas
)
write_client = QueueClient(
account_url="https://mystorageaccount.queue.core.windows.net",
queue_name="myqueue",
credential=write_sas
)Stored Access Policy Usage
from azure.storage.queue import QueueClient, AccessPolicy, QueueSasPermissions
from datetime import datetime, timedelta
queue_client = QueueClient.from_connection_string(conn_str, "myqueue")
# Create stored access policy
policy = AccessPolicy(
permission=QueueSasPermissions(read=True, add=True, process=True),
expiry=datetime.utcnow() + timedelta(days=30),
start=datetime.utcnow()
)
# Set the stored access policy
queue_client.set_queue_access_policy({"read-write-policy": policy})
# Generate SAS using stored policy
sas_with_policy = generate_queue_sas(
account_name="mystorageaccount",
queue_name="myqueue",
account_key="account_access_key",
policy_id="read-write-policy" # Reference stored policy
)
# Client using policy-based SAS
policy_client = QueueClient(
account_url="https://mystorageaccount.queue.core.windows.net",
queue_name="myqueue",
credential=sas_with_policy
)IP Restrictions and Security
# Generate SAS with IP restrictions
restricted_sas = generate_queue_sas(
account_name="mystorageaccount",
queue_name="myqueue",
account_key="account_access_key",
permission=QueueSasPermissions(add=True, process=True),
expiry=datetime.utcnow() + timedelta(hours=4),
ip="192.168.1.0/24" # Only allow access from this subnet
)
# Generate SAS with specific IP
single_ip_sas = generate_queue_sas(
account_name="mystorageaccount",
queue_name="myqueue",
account_key="account_access_key",
permission=QueueSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
ip="203.0.113.45" # Only allow access from this IP
)Azure AD Authentication Patterns
from azure.identity import (
DefaultAzureCredential,
ClientSecretCredential,
ManagedIdentityCredential,
EnvironmentCredential,
WorkloadIdentityCredential,
AzureCliCredential,
ClientCertificateCredential
)
# Default Azure Credential (recommended - tries multiple auth methods)
credential = DefaultAzureCredential()
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential=credential
)
# Service Principal Authentication with Client Secret
credential = ClientSecretCredential(
tenant_id="your_tenant_id",
client_id="your_client_id",
client_secret="your_client_secret"
)
# Service Principal Authentication with Certificate
credential = ClientCertificateCredential(
tenant_id="your_tenant_id",
client_id="your_client_id",
certificate_path="/path/to/certificate.pem"
)
# Managed Identity Authentication (for Azure services)
managed_credential = ManagedIdentityCredential()
# Managed Identity with specific client ID (user-assigned)
managed_credential = ManagedIdentityCredential(client_id="your_user_assigned_identity_client_id")
# Environment-based Authentication (uses environment variables)
env_credential = EnvironmentCredential()
# Workload Identity (for Kubernetes workloads)
workload_credential = WorkloadIdentityCredential()
# Azure CLI Credential (for development)
cli_credential = AzureCliCredential()
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential=credential
)Named Key Credential Support
from azure.core.credentials import AzureNamedKeyCredential
# Using Azure Named Key Credential
named_key_credential = AzureNamedKeyCredential("account_name", "account_key")
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential=named_key_credential
)SAS Credential Support
from azure.core.credentials import AzureSasCredential
# Using Azure SAS Credential
sas_credential = AzureSasCredential("sas_token_string")
service_client = QueueServiceClient(
account_url="https://mystorageaccount.queue.core.windows.net",
credential=sas_credential
)Types
Permission Types
class AccountSasPermissions:
read: bool # Read account information, list queues
write: bool # Write to queues (does not include add/update)
delete: bool # Delete queues
delete_previous_version: bool # Delete previous blob versions
list: bool # List queues in account
add: bool # Add messages to queues
create: bool # Create queues
update: bool # Update message content and visibility
process: bool # Get and delete messages
tag: bool # Set and get blob tags
filter_by_tags: bool # Filter blobs by tags
set_immutability_policy: bool # Set/delete immutability policy
permanent_delete: bool # Permanently delete blobs
def __str__(self) -> str: ...
@classmethod
def from_string(cls, permission: str) -> 'AccountSasPermissions': ...
class QueueSasPermissions:
read: bool # Read queue metadata and properties, peek messages
add: bool # Add messages to queue
update: bool # Update messages in queue (content and visibility)
process: bool # Get and delete messages from queue
def __str__(self) -> str: ...
@classmethod
def from_string(cls, permission: str) -> 'QueueSasPermissions': ...Resource and Service Types
class ResourceTypes:
service: bool # Service-level operations (list queues, get/set properties)
container: bool # Container-level operations (create/delete queues, metadata)
object: bool # Object-level operations (message operations)
def __str__(self) -> str: ...
@classmethod
def from_string(cls, string: str) -> 'ResourceTypes': ...
class Services:
blob: bool # Blob service access
queue: bool # Queue service access
fileshare: bool # File service access
def __str__(self) -> str: ...
@classmethod
def from_string(cls, string: str) -> 'Services': ...Access Policy Types
class AccessPolicy:
permission: Optional[Union[QueueSasPermissions, str]] # Permissions granted
expiry: Optional[Union[datetime, str]] # Expiration time
start: Optional[Union[datetime, str]] # Start time
# SAS Token Format Examples:
# "sv=2023-01-03&ss=q&srt=sco&sp=rwdlacup&se=2024-01-01T00:00:00Z&st=2023-12-01T00:00:00Z&sip=192.168.1.0/24&spr=https&sig=..."Install with Tessl CLI
npx tessl i tessl/pypi-azure-storage-queue