How to Create an Azure Blob Shared Access Signature (SAS) Token
Azure Blob Storage allows Shared Access Signature (SAS) tokens to be created to access specific objects within Blob storage. A SAS token carries its own scope, e.g. an expiration date and the ability to read/write. The token can then give a limited amount of access to someone you need to share an object with. The script below creates an Azure Blob SAS token with the Azure SDK for Java library. The script has also been tested on all Boomi runtimes (Atom, Molecule, and Cloud).
First, download the Azure SDK for Java library from Maven. The script has been tested against v8.6.6, which is the latest at the time of writing. Click on jar (circled in red below) to download the jar file.
Figure 1. Download jar file from Maven Repo
Next, add the jar file to your Boomi Account Library and deploy it as a custom library. The documentation to add jar files to your library can be found here in Boomi’s Help Documentation.
After we have that installed within Boomi, we will need to get some additional information for the Blob to be used later within the Groovy script. We’ll need the storage account name, storage account access key, and blob container name.
The storage account name and access keys can be found by going to the Storage Account.
- Once you are in the desired storage account, go to Access keys.
- Click on Storage account name to get the storage account name.
- Click on Show keys.
- Then copy Key 1.
Figure 2. Get Azure Blob Access Key
The resource path mentioned later is the Blob container name followed by the file name. In the example below, the resource path would be boomiblob/helloWorld.txt.
Figure 3. Azure Blob Container with File
After we have the values above, they will be used to populate the following Dynamic Process Properties and Dynamic Document Properties.
Dynamic Process Properties
DPP_ACCOUNT_NAME: Storage Account Name (e.g. boomiblobscript01)
DPP_ACCESS_KEY: Storage Account Access Key
DPP_EXPIRATION_TIME_HOURS: Time in Hours When the Token Expires
Dynamic Document Properties
DDP_RESOURCE_URL: Resource path after the base URL. Usually container name and file name. (e.g. boomiblob/helloWorld.txt)
Below is a general outline of the component configuration within Boomi. Properties are set within the Set Properties shape. Then a Groovy script is run within the Data Process shape, which sets the output URL as a Dynamic Document Property (DDP_AZURE_LINK).
Figure 4. Overview of Boomi Process
Within the Set Properties shape the above properties will be added.
Figure 5. Set Properties Shape Configuration
Within the Data Process shape, select Groovy 2.4 and paste the following code within the editor. The script below scopes the token to read-only access.

// Groovy 2.4
// Doc https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas
import java.util.Properties;
import java.io.InputStream;
import com.boomi.execution.ExecutionUtil;
import com.microsoft.azure.storage.StorageCredentialsAccountAndKey;
import com.microsoft.azure.storage.blob.CloudPageBlob;
import com.microsoft.azure.storage.blob.SharedAccessBlobPolicy;
import com.microsoft.azure.storage.StorageCredentials
import com.microsoft.azure.storage.blob.CloudBlob
import com.microsoft.azure.storage.blob.SharedAccessBlobPermissions
import java.time.Instant
import java.time.LocalDateTime
import java.time.ZoneId

for (int i = 0; i < dataContext.getDataCount(); i++) {
    InputStream is = dataContext.getStream(i);
    Properties props = dataContext.getProperties(i);

    // Inputs set in the Set Properties shape
    String accountName = ExecutionUtil.getDynamicProcessProperty("DPP_ACCOUNT_NAME");
    String key = ExecutionUtil.getDynamicProcessProperty("DPP_ACCESS_KEY");
    String resourceUrl = props.getProperty("document.dynamic.userdefined.DDP_RESOURCE_URL");
    String expirationTimeHours = ExecutionUtil.getDynamicProcessProperty("DPP_EXPIRATION_TIME_HOURS");

    // Full blob URL: base URL of the storage account plus container/file path
    String fullResourceURL = "https://" + accountName + ".blob.core.windows.net/" + resourceUrl;
    URI uri = new URI(fullResourceURL);

    // Append the SAS token as the query string and store the result on the document
    String azureLink = uri.toString() + "?" + generateSasToken(uri, accountName, key, expirationTimeHours);
    props.setProperty("document.dynamic.userdefined.DDP_AZURE_LINK", azureLink)
    dataContext.storeStream(is, props);
}

// Expiry time: now plus the configured number of hours
private static Date getExpirationTime(String expirationTimeHours) {
    int expirationTimeHoursInt = expirationTimeHours.toInteger();
    LocalDateTime expLDT = LocalDateTime.now().plusHours(expirationTimeHoursInt);
    Instant expInstant = expLDT.atZone(ZoneId.systemDefault()).toInstant();
    return Date.from(expInstant);
}

// Sign a read-only policy for the blob with the storage account key
private static String generateSasToken(URI fileUri, String accountName, String key, String expirationTimeHours) {
    StorageCredentials credentials = new StorageCredentialsAccountAndKey(accountName, key);
    CloudBlob file = new CloudPageBlob(fileUri, credentials);
    SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy();
    policy.setPermissions(EnumSet.of(SharedAccessBlobPermissions.READ));
    policy.setSharedAccessStartTime(null);   // no start time: valid immediately
    policy.setSharedAccessExpiryTime(getExpirationTime(expirationTimeHours));
    return file.generateSharedAccessSignature(policy, null);
}
Finally, the URL to the Blob and the SAS token are stored within a dynamic document property (DDP_AZURE_LINK). The example above has the property being read by a message shape.
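Added example, not part of the original article or of Boomi's or Microsoft's code: a stand-alone Groovy check that a generated link (the DDP_AZURE_LINK value) is limited to the read-only, single-blob, short-lived scope the script above is meant to produce, using the sp, sr, se and sig query parameters of a service SAS. The function names, the 24-hour limit and the sample links are assumptions constructed for illustration.

```groovy
// Added example: audit a SAS link (e.g. the DDP_AZURE_LINK value) before sharing it.
// Function names, the hour limit and the sample links are constructed for illustration.
import java.time.Instant
import java.time.format.DateTimeParseException
import java.time.temporal.ChronoUnit

// Split the query string into a name -> URL-decoded value map.
Map<String, String> sasParams(URI uri) {
    Map<String, String> out = [:]
    (uri.rawQuery ?: '').split('&').findAll { it.contains('=') }.each { String pair ->
        String[] kv = pair.split('=', 2)
        out[kv[0]] = URLDecoder.decode(kv[1], 'UTF-8')
    }
    return out
}

// Return a list of findings; an empty list means the link matches the intended scope.
List<String> auditSasLink(String link, Instant now, int maxHours) {
    List<String> findings = []
    URI uri = new URI(link)
    Map<String, String> p = sasParams(uri)
    if (uri.scheme != 'https') { findings << 'link is not https' }
    if (!p.sig) { findings << 'no sig parameter, so this is not a signed link' }
    if (p.sp != 'r') { findings << "sp=${p.sp}: expected read-only (r)".toString() }
    if (p.sr != 'b') { findings << "sr=${p.sr}: expected a single blob (b)".toString() }
    try {
        Instant expiry = Instant.parse(p.se ?: '')
        if (!expiry.isAfter(now)) {
            findings << "se=${p.se}: token has already expired".toString()
        } else if (expiry.isAfter(now.plus(maxHours, ChronoUnit.HOURS))) {
            findings << "se=${p.se}: expiry is more than ${maxHours}h away".toString()
        }
    } catch (DateTimeParseException e) {
        findings << "se=${p.se}: missing or not an ISO 8601 UTC time".toString()
    }
    return findings
}

// Constructed sample links; the sig values are placeholders, not real signatures.
Instant now = Instant.parse('2024-01-01T00:00:00Z')   // fixed clock for a repeatable run
String blob = 'https://boomiblobscript01.blob.core.windows.net/boomiblob/helloWorld.txt'
String narrow = blob + '?sv=2019-02-02&sr=b&sp=r&se=2024-01-01T02%3A00%3A00Z&sig=PLACEHOLDER'
String broad = blob + '?sv=2019-02-02&sr=c&sp=rwdl&se=2025-01-01T00%3A00%3A00Z&sig=PLACEHOLDER'
println "narrow: ${auditSasLink(narrow, now, 24)}"
println "broad:  ${auditSasLink(broad, now, 24)}"
```

The check only inspects the link's declared scope; it does not verify the signature, which only the storage service can do with the account key.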
Additional Documentation
- Authorize with Shared Key
- Create a service SAS
- Azure SDK for Java on GitHub
- Azure SDK for Java Storage on GitHub
Article originally posted at Boomi Community.