Re: SAS Token in fabric-Not Working

SachinNandanwar · ‎10-08-2024

I created a SAS token for Fabric but it gives an error when I try to use it.

I am unsure as to why is the request expecting a bearer token while using SAS ?

Here are the parameters used in the request

Regards,
Sachin
Check out my Blog

Yao-MSFT · ‎01-21-2025

Hi @SachinNandanwar, I see some code in your blog that needs to be changed, could you please make following changes to your code and try again?

Use the endpoint https://onelake.dfs.fabric.microsoft.com to construct the DataLakeServiceClient
Use following code to construct the DataLakeSasBuilder, _keyStartTime and _keyExpiryTime should be the same value that you used when getting the user delegation key.

DataLakeSasBuilder sasBuilder = new DataLakeSasBuilder()
{
    FileSystemName = workspaceName,
    Resource = "d",
    IsDirectory = true,
    Path = lakehouseName, // Should be {your lakehouse}.Lakehouse/Files
    StartsOn = _keyStartTime,
    ExpiresOn = _keyExpiryTime
};

Use onelake as the account name instead of the endpoint when calling ToSasQueryParameters

SachinNandanwar · ‎01-22-2025

Hi @Yao-MSFT ,

I am using onelake.dfs endpoints. See the belwo screenshot of the code from my blog where I set the endpoint values to a variable.

Also, If you check my earlier screenshots of POST MAN in this post, you can see that I am using dfs endpoints.

and my delegation expiration is set to an hour from the time the SAS token is generated

The SAS token expiry is also set to an hour

After making your suggested changes its still the same error

Regards,
Sachin
Check out my Blog

Mabasile_MSFT · ‎01-16-2025

Hi @SachinNandanwar - I'm happy to help here. The reason you are receiving the error message regarding a bearer token is because, since all OneLake SAS are user-delegated, the SAS is authenticated very similarly to how a bearer token would, hence the similar error.

From reviewing the samples above, your issue might be with the signedPermissions ('sp') field - it looks like you're only granting the SAS Write and List permissions, which means the SAS won't have permissions to Read, hence the authorization error. Could you try adjusting the signedPermissions and trying again?

SachinNandanwar · ‎01-21-2025

Hi @Mabasile_MSFT

I added the read permission but unfortunately it didnt make any difference.

Regards,
Sachin
Check out my Blog

DevanshA · ‎11-25-2024

Hello @v-jingzhan-msft and @SachinNandanwar ,

I am currently stuck on the same error and was wondering whether you have found a solution for the same? Any help would be greatly appreciated. Thank you.

SachinNandanwar · ‎12-23-2024

Nope..Not yet..

Its been over a month since I have blogged on the issue but there hasnt been any solution insight

https://www.azureguru.net/sas-token-in-fabric#heading-the-issue

I even tried the Fabric Reditt forum , but to no avail

https://www.reddit.com/r/MicrosoftFabric/comments/1g0m0sy/comment/lrf41kl/?context=3

Regards,
Sachin
Check out my Blog

v-jingzhan-msft · ‎10-09-2024

Hi @SachinNandanwar

I went through the following documentation. It says OneLake SAS can grant access to files and folders within data items like lakehouses, but it doesn't mention that it requires a combination of a SAS token and a bearer token.

Create a OneLake shared access signature (SAS) (Preview) - Microsoft Fabric | Microsoft Learn

Typically, a SAS token should be sufficient for accessing the resources, as it includes the necessary permissions and signature for authentication. But to troubleshoot this further, you might try including a SAS token and a bearer token in your request and testing whether this would make the call work. You might test this first and let us know the result. Thank you in advance.

Best Regards,
Jing
Community Support Team

SachinNandanwar · ‎10-09-2024

@v-jingzhan-msft I tried using a bearer token hoping that bearer token authenticates the request and with all the information in the SAS token the request is authroized.

But unfortunately this isnt the case.Have a look at the screengrab.

Its the bearer token that takes the precedence in the request with SAS token being completely ignored.

I used Azurecmdlet Powershell to create the bearer token.

Connect-AzAccount
$My_Token = Get-AzAccessToken -ResourceTypeName Storage
$My_Token.Token | Set-Clipboard

Regards,
Sachin
Check out my Blog

SachinNandanwar · ‎10-09-2024

Thanks @v-jingzhan-msft .

Are you aware what endpoints should I use ? For Fabric API's the endpoint used for bearer token is https://api.fabric.microsoft.com/.default

For DFS I tried using https://onelake.dfs.fabric.microsoft.com/.default but this isnt working.

Regards,
Sachin
Check out my Blog

SAS Token in fabric-Not Working

Helpful resources

Join us at the Microsoft Fabric Community Conference

Fabric Monthly Update - January 2025

Fabric Monthly Update - January 2025

Fabric Monthly Update - January 2025

New Offer! Become a Certified Fabric Data Engineer

SAS Token in fabric-Not Working

Helpful resources

Join us at the Microsoft Fabric Community Conference

Fabric Monthly Update - January 2025

Fabric Monthly Update - January 2025

Fabric Monthly Update - January 2025