Exploring data using Synapse Serverless secured by Azure Data Lake directory based SAS Token

Published Jun 01 2021 08:23 AM 2,812 Views
Microsoft

 

Synapse Serverless SQL Pool is a serverless query engine platform that allows you to run SQL queries on files or folders placed in Azure storage without duplicating or physically storing the data. 

There are broadly three ways to access ADLS using synapse serverless.

  • Azure Active Directory
  • Managed Identity
  • SAS Token

The user would need to be assigned to one of the RBAC role :  Azure storage blob data owner\contributor\reader role.  However, there might be scenario that you would or could not provide access to the ADLS account or container and provide access to granular level  directories and folder  levels and not complete storage container or blob. 

 

Scenario

You have a data lake that contains employee and social feed data. You have data residing in an employee folder that is used by HR team members and twitter for live social feeds that is usually used by marketing folks. If you use SAS token or RBAC, you cannot control to the folder level.

How do you allow users to perform data exploration using synapse serverless with fine grain control on underlying storage.

 

demo1.png

Fig1. A storage account with container demo contains two folder employee and twitter.

 

Solution

 

To solve this challenge, you can use directory scoped SAS token along with database scope credentials in synapse serverless.

 Directory scoped SAS provides constrained access to a single directory when using ADLS Gen2.  This can be used to provide access to a directory and the files it contains. Previously a SAS could be used to provide access to a filesystem or a file but not a directory.  This added flexibility allows more granular and easier access privilege assignment.

Directory scoped shared access signatures (SAS) generally available | Azure updates | Microsoft Azur...

 

 

Storage Account

Container

Folder

File

AAD

YES (RBAC on Account)

YES (RBAC on Container)

YES (via POSIX ACLs)

YES (via POSIX ACLs)

Managed Identity (same as AAD)

YES (RBAC on Account)

YES (RBAC on Container)

YES (via POSIX ACLs)

YES (via POSIX ACLs)

SAS Token

YES (Scope - Account) 

YES(Scope - Container) 

YES (Scope - Directory and Files) 

YES (Scope - Files) 

 

For 

How to create Directory based SAS token

 

You can do via SDK or portal. To create a SAS token via portal.

a. Navigate to the folder that you would like to provide access and right click on the folder and select generate SAS token.

demo2.png

Fig 2 : Directory scope selection for employee folder  

 

b. Select permissions Read, list and execute to read and load all the files in the folder. Provide the expiration date and click generate SAS token and URL. Copy blob SAS token.

demo3.png

   Fig 3 :  Generate SAS token.

 

The step b. can be similar to create storage SAS token . Earlier, it used to apply to storage account, now you can reduce the surface area to directory and files as well.

 

 

Use Serverless with  directory SAS token

Once the storage account access has been configured using SAS token, the next to access the data using synapse serverless engine.

 

On Azure synapse Studio, go to develop and SQL Script.

 

a. Create a master key,  if it is not there.

-- create master key that will protect the credentials:

CREATE MASTER KEY ENCRYPTION BY PASSWORD = <enter very strong password here>

 

b. Create a database scope credential using the sas token. You would like to access HR data. So use the blog storage sas token generated for Employee directory.

 

CREATE DATABASE SCOPED CREDENTIAL mysastokenemployee

 WITH IDENTITY = 'SHARED ACCESS SIGNATURE',

 SECRET = '<blob sas token>'

 

c. Create external data source till the container path demo1 and use credential mysastokenemployee

 

CREATE EXTERNAL DATA SOURCE myemployee

WITH (    LOCATION   = 'https:// <storageaccountname>.dfs.core.windows.net/<filesystemname>',

          CREDENTIAL = mysastokenemployee

)

 

d. Once the data is created, lets read the data using OPENROWSET BULK in serverless

 

 

SELECT * FROM OPENROWSET(

   BULK  '/employee/*.csv',

   DATA_SOURCE = 'myemployee',

   FORMAT ='CSV',

   parser_version = '2.0',

   HEADER_ROW =  TRUE

   ) AS Data

 

 

demo4.png

 

Fig 4 : Openrowset bulk output

 

e. Now to confirm whether the scope of the SAS token is only restricted to employee folder, lets use the same data source and database credential to access file in twitter folder.

 

 

SELECT * FROM OPENROWSET(

   BULK  '/twitter/StarterKitTerms.csv',

   DATA_SOURCE = 'myemployee',

   FORMAT ='CSV',

   parser_version = '2.0',

   HEADER_ROW =  TRUE

   ) AS Data

 

demo5.png

Fig 5: Bulk openrowset access failure

 

f. You will encounter an error because the scope of the SAS token was restricted to employee folder.

Now, to access twitter folder for the marketing representative, create a database scoped credential using a sas token for twitter folder.  Repeat the steps “How to create Directory based SAS token” for twitter folder.

 

CREATE DATABASE SCOPED CREDENTIAL mysastokentwitter

 WITH IDENTITY = 'SHARED ACCESS SIGNATURE',

  SECRET = '<blob sas token>'

 

g. Create an external data source using the scope credential created for twitter directory.

CREATE EXTERNAL DATA SOURCE mytwitter

WITH (    LOCATION   = 'https://<storageaccountname>.dfs.core.windows.net/<filesystemname>/',

          CREDENTIAL = mysastokentwitter

)

 

h. Once the data source is created , you can query the twitter data using newly created data source.

 

SELECT * FROM OPENROWSET(

   BULK  '/twitter/StarterKitTerms.csv',

   DATA_SOURCE = 'mytwitter',

   FORMAT ='CSV',

   parser_version = '2.0',

   HEADER_ROW =  TRUE

   ) AS Data

 

demo6.png

Fig 6 : Twitter data accessed using the directory sas token

 

Summary

 

  1. In a central data lake environment or any file store , directory sas token is a great way of reducing the access surface area without providing access at storage root or account level.
  2. Separation of duties and roles can be easily achieved as data access is controlled at  storage level  and synapse serverless
  3. Create sas token with read, list and execute to minimize the impact of accidental deletion etc. sharing the sas token should be done in a secured manner.
  4. Expire sas token, regenerate new token and recreate the scope credentials frequently.
  5. Serverless is great way of data exploration without spinning any additional SQL resources. You would be charged based on data processed by each query.
  6. Managing too many sas tokens will be challenge. So, use a hybrid approach of breaking the large data lake to smaller pools or mesh and grant RBAC access control and blend with SAS token for regulated users is best way of scaling the serverless capability.
%3CLINGO-SUB%20id%3D%22lingo-sub-2363117%22%20slang%3D%22en-US%22%3EExploring%20data%20using%20Synapse%20Serverless%20secured%20by%20Azure%20Data%20Lake%20directory%20based%20SAS%20Token%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2363117%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESynapse%20Serverless%20SQL%20Pool%20is%20a%26nbsp%3Bserverless%26nbsp%3Bquery%20engine%20platform%20that%20allows%20you%20to%20run%20SQL%20queries%20on%20files%20or%20folders%20placed%20in%20Azure%20storage%20without%20duplicating%20or%20physically%20storing%20the%20data.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20are%20broadly%20three%20ways%20to%20access%20ADLS%20using%20synapse%20serverless.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAzure%20Active%20Directory%3C%2FLI%3E%0A%3CLI%3EManaged%20Identity%3C%2FLI%3E%0A%3CLI%3ESAS%20Token%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20user%20would%20need%20to%20be%20assigned%20to%20one%20of%20the%20RBAC%20role%20%3A%26nbsp%3B%20Azure%20storage%20blob%20data%20owner%5Ccontributor%5Creader%20role.%26nbsp%3B%20However%2C%20there%20might%20be%20scenario%20that%20you%20would%20or%20could%20not%20provide%20access%20to%20the%20ADLS%20account%20or%20container%20and%20provide%20access%20to%20granular%20level%20%26nbsp%3Bdirectories%20and%20folder%20%26nbsp%3Blevels%20and%20not%20complete%20storage%20container%20or%20blob.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20have%20a%20data%20lake%20that%20contains%20employee%20and%20social%20feed%20data.%20You%20have%20data%20residing%20in%20an%20employee%20folder%20that%20is%20used%20by%20HR%20team%20members%20and%20twitter%20for%20live%20social%20feeds%20that%20is%20usually%20used%20by%20marketing%20folks.%20If%20you%20use%20SAS%20token%20or%20RBAC%2C%20you%20cannot%20control%20to%20the%20folder%20level.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20do%20you%20allow%20users%20to%20perform%20data%20exploration%20using%20synapse%20serverless%20with%20fine%20grain%20control%20on%20underlying%20storage.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22demo1.png%22%20style%3D%22width%3A%20602px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F281446iEF663F338EE93B80%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22demo1.png%22%20alt%3D%22demo1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EFig1.%20A%20storage%20account%20with%20container%20demo%20contains%20two%20folder%20employee%20and%20twitter.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-1330878456%22%20id%3D%22toc-hId-1330944018%22%3ESolution%3C%2FH1%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20solve%20this%20challenge%2C%20you%20can%20use%20directory%20scoped%20SAS%20token%20along%20with%20database%20scope%20credentials%20in%20synapse%20serverless.%3C%2FP%3E%0A%3CP%3E%26nbsp%3BDirectory%20scoped%20SAS%20provides%20constrained%20access%20to%20a%20single%20directory%20when%20using%20ADLS%20Gen2.%26nbsp%3B%20This%20can%20be%20used%20to%20provide%20access%20to%20a%20directory%20and%20the%20files%20it%20contains.%20Previously%20a%20SAS%20could%20be%20used%20to%20provide%20access%20to%20a%20filesystem%20or%20a%20file%20but%20not%20a%20directory.%26nbsp%3B%20This%20added%20flexibility%20allows%20more%20granular%20and%20easier%20access%20privilege%20assignment.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fupdates%2Fdirectory-scoped-shared-access-signatures-sas-generally-available%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDirectory%20scoped%20shared%20access%20signatures%20(SAS)%20generally%20available%20%7C%20Azure%20updates%20%7C%20Microsoft%20Azure%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22lia-align-left%22%20style%3D%22height%3A%20170px%3B%20width%3A%20780px%3B%22%20border%3D%223%22%20width%3D%22780%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EStorage%20Account%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EContainer%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EFolder%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22155.333px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EFile%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSTRONG%3EAAD%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(RBAC%20on%20Account)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(RBAC%20on%20Container)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(via%20POSIX%20ACLs)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22155.333px%22%20height%3D%2229px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(via%20POSIX%20ACLs)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSTRONG%3EManaged%20Identity%20(same%20as%20AAD)%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(RBAC%20on%20Account)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(RBAC%20on%20Container)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(via%20POSIX%20ACLs)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22155.333px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(via%20POSIX%20ACLs)%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSTRONG%3ESAS%20Token%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%20(Scope%20-%20Account)%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES(Scope%20-%20Container)%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22154.667px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%26nbsp%3B(Scope%20-%20Directory%20and%20Files)%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22155.333px%22%20height%3D%2256px%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EYES%26nbsp%3B(Scope%20-%20Files)%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20to%20create%20Directory%20based%20SAS%20token%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20do%20via%20SDK%20or%20portal.%20To%20create%20a%20SAS%20token%20via%20portal.%3C%2FP%3E%0A%3CP%3Ea.%20Navigate%20to%20the%20folder%20that%20you%20would%20like%20to%20provide%20access%20and%20right%20click%20on%20the%20folder%20and%20select%20generate%20SAS%20token.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22demo2.png%22%20style%3D%22width%3A%20602px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F281447i18A9A571B48574F5%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22demo2.png%22%20alt%3D%22demo2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFig%202%20%3A%20Directory%20scope%20selection%20for%20employee%20folder%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eb.%20Select%20permissions%20Read%2C%20list%20and%20execute%20to%20read%20and%20load%20all%20the%20files%20in%20the%20folder.%20Provide%20the%20expiration%20date%20and%20click%20generate%20SAS%20token%20and%20URL.%20Copy%20blob%20SAS%20token.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22demo3.png%22%20style%3D%22width%3A%20258px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F281448iE61A183753D9687F%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22demo3.png%22%20alt%3D%22demo3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%20Fig%203%20%3A%26nbsp%3B%20Generate%20SAS%20token.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20step%20b.%20can%20be%20similar%20to%20create%20storage%20SAS%20token%20.%20Earlier%2C%20it%20used%20to%20apply%20to%20storage%20account%2C%20now%20you%20can%20reduce%20the%20surface%20area%20to%20directory%20and%20files%20as%20well.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EUse%20Serverless%20with%26nbsp%3B%20directory%20SAS%20token%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOnce%20the%20storage%20account%20access%20has%20been%20configured%20using%20SAS%20token%2C%20the%20next%20to%20access%20the%20data%20using%20synapse%20serverless%20engine.%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOn%20Azure%20synapse%20Studio%2C%20go%20to%20develop%20and%20SQL%20Script.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ea.%20Create%20a%20master%20key%2C%20%26nbsp%3Bif%20it%20is%20not%20there.%3C%2FP%3E%0A%3CP%3E--%20create%20master%20key%20that%20will%20protect%20the%20credentials%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3ECREATE%20MASTER%20KEY%20ENCRYPTION%20BY%20PASSWORD%20%3D%3C%2FFONT%3E%20%3CENTER%20very%3D%22%22%20strong%3D%22%22%20password%3D%22%22%20here%3D%22%22%3E%3C%2FENTER%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eb.%20Create%20a%20database%20scope%20credential%20using%20the%20sas%20token.%20You%20would%20like%20to%20access%20HR%20data.%20So%20use%20the%20blog%20storage%20sas%20token%20generated%20for%20Employee%20directory.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3ECREATE%26nbsp%3BDATABASE%26nbsp%3BSCOPED%26nbsp%3BCREDENTIAL%3C%2FFONT%3E%26nbsp%3Bmysastokenemployee%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CFONT%20color%3D%22%230000FF%22%3EWITH%26nbsp%3BIDENTITY%26nbsp%3B%3D%3C%2FFONT%3E%26nbsp%3B'%3CFONT%20color%3D%22%23993366%22%3ESHARED%26nbsp%3BACCESS%26nbsp%3BSIGNATURE%3C%2FFONT%3E'%2C%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3E%26nbsp%3BSECRET%26nbsp%3B%3D%26nbsp%3B%3C%2FFONT%3E'%3CFONT%20color%3D%22%23993366%22%3E%3CBLOB%3E%3C%2FBLOB%3E%3C%2FFONT%3E'%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ec.%20Create%20external%20data%20source%20till%20the%20container%20path%20demo1%20and%20use%20credential%20mysastokenemployee%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3ECREATE%26nbsp%3BEXTERNAL%26nbsp%3BDATA%26nbsp%3BSOURCE%3C%2FFONT%3E%26nbsp%3Bmyemployee%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3EWITH%26nbsp%3B(%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BLOCATION%26nbsp%3B%26nbsp%3B%26nbsp%3B%3D%3C%2FFONT%3E%26nbsp%3B'%3CFONT%20color%3D%22%23800080%22%3Ehttps%3A%2F%2F%20%3CSTORAGEACCOUNTNAME%3E.dfs.core.windows.net%2F%3CFILESYSTEMNAME%3E%3C%2FFILESYSTEMNAME%3E%3C%2FSTORAGEACCOUNTNAME%3E%3C%2FFONT%3E'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CFONT%20color%3D%22%230000FF%22%3E%26nbsp%3B%3C%2FFONT%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CFONT%20color%3D%22%230000FF%22%3ECREDENTIAL%26nbsp%3B%3D%3C%2FFONT%3E%3C%2FFONT%3E%26nbsp%3Bmysastokenemployee%3C%2FP%3E%0A%3CP%3E)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ed.%20Once%20the%20data%20is%20created%2C%20lets%20read%20the%20data%20using%20OPENROWSET%20BULK%20in%20serverless%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESELECT%26nbsp%3B*%26nbsp%3BFROM%26nbsp%3BOPENROWSET(%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BBULK%26nbsp%3B%26nbsp%3B'%2Femployee%2F*.csv'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BDATA_SOURCE%26nbsp%3B%3D%26nbsp%3B'myemployee'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BFORMAT%26nbsp%3B%3D'CSV'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3Bparser_version%26nbsp%3B%3D%26nbsp%3B'2.0'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BHEADER_ROW%26nbsp%3B%3D%26nbsp%3B%26nbsp%3BTRUE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B)%26nbsp%3BAS%26nbsp%3BData%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22demo4.png%22%20style%3D%22width%3A%20262px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F281450i53A3EBB84385AD35%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22demo4.png%22%20alt%3D%22demo4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFig%204%20%3A%20Openrowset%20bulk%20output%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ee.%20Now%20to%20confirm%20whether%20the%20scope%20of%20the%20SAS%20token%20is%20only%20restricted%20to%20employee%20folder%2C%20lets%20use%20the%20same%20data%20source%20and%20database%20credential%20to%20access%20file%20in%20twitter%20folder.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESELECT%26nbsp%3B*%26nbsp%3BFROM%26nbsp%3BOPENROWSET(%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BBULK%26nbsp%3B%26nbsp%3B'%2Ftwitter%2FStarterKitTerms.csv'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BDATA_SOURCE%26nbsp%3B%3D%26nbsp%3B'myemployee'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BFORMAT%26nbsp%3B%3D'CSV'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3Bparser_version%26nbsp%3B%3D%26nbsp%3B'2.0'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BHEADER_ROW%26nbsp%3B%3D%26nbsp%3B%26nbsp%3BTRUE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B)%26nbsp%3BAS%26nbsp%3BData%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22demo5.png%22%20style%3D%22width%3A%20602px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F281451i4F0A920460028B9B%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22demo5.png%22%20alt%3D%22demo5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFig%205%3A%20Bulk%20openrowset%20access%20failure%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ef.%20You%20will%20encounter%20an%20error%20because%20the%20scope%20of%20the%20SAS%20token%20was%20restricted%20to%20employee%20folder.%3C%2FP%3E%0A%3CP%3ENow%2C%20to%20access%20twitter%20folder%20for%20the%20marketing%20representative%2C%20create%20a%20database%20scoped%20credential%20using%20a%20sas%20token%20for%20%3CEM%3Etwitter%20folder%3C%2FEM%3E.%26nbsp%3B%20Repeat%20the%20steps%20%E2%80%9C%3CSTRONG%3EHow%20to%20create%20Directory%20based%20SAS%20token%E2%80%9D%20for%20twitter%20folder.%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3ECREATE%26nbsp%3BDATABASE%26nbsp%3BSCOPED%26nbsp%3BCREDENTIAL%3C%2FFONT%3E%26nbsp%3Bmysastokentwitter%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3E%26nbsp%3BWITH%26nbsp%3BIDENTITY%26nbsp%3B%3D%3C%2FFONT%3E%26nbsp%3B'%3CFONT%20color%3D%22%23800080%22%3ESHARED%26nbsp%3BACCESS%26nbsp%3BSIGNATURE%3C%2FFONT%3E'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%3CFONT%20color%3D%22%230000FF%22%3ESECRET%26nbsp%3B%3D%26nbsp%3B%3C%2FFONT%3E'%3CFONT%20color%3D%22%23800080%22%3E%3CBLOB%20sas%3D%22%22%20token%3D%22%22%3E%3C%2FBLOB%3E%3C%2FFONT%3E'%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eg.%20Create%20an%20external%20data%20source%20using%20the%20scope%20credential%20created%20for%20twitter%20directory.%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3ECREATE%26nbsp%3BEXTERNAL%26nbsp%3BDATA%26nbsp%3BSOURCE%3C%2FFONT%3E%26nbsp%3Bmytwitter%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3EWITH%26nbsp%3B(%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BLOCATION%26nbsp%3B%26nbsp%3B%26nbsp%3B%3D%26nbsp%3B%3C%2FFONT%3E'%3CFONT%20color%3D%22%23800080%22%3Ehttps%3A%2F%2F%3CSTORAGEACCOUNTNAME%3E.dfs.core.windows.net%2F%3CFILESYSTEMNAME%3E%2F%3C%2FFILESYSTEMNAME%3E%3C%2FSTORAGEACCOUNTNAME%3E%3C%2FFONT%3E'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CFONT%20color%3D%22%230000FF%22%3ECREDENTIAL%26nbsp%3B%3D%3C%2FFONT%3E%26nbsp%3B%3CFONT%20color%3D%22%23800080%22%3Emysastokentwitter%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%230000FF%22%3E)%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eh.%20Once%20the%20data%20source%20is%20created%20%2C%20you%20can%20query%20the%20twitter%20data%20using%20newly%20created%20data%20source.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESELECT%26nbsp%3B*%26nbsp%3BFROM%26nbsp%3BOPENROWSET(%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BBULK%26nbsp%3B%26nbsp%3B'%2Ftwitter%2FStarterKitTerms.csv'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BDATA_SOURCE%26nbsp%3B%3D%26nbsp%3B'mytwitter'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BFORMAT%26nbsp%3B%3D'CSV'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3Bparser_version%26nbsp%3B%3D%26nbsp%3B'2.0'%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3BHEADER_ROW%26nbsp%3B%3D%26nbsp%3B%26nbsp%3BTRUE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B)%26nbsp%3BAS%26nbsp%3BData%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22demo6.png%22%20style%3D%22width%3A%20546px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F281452iD3F61D0B1101D60A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22demo6.png%22%20alt%3D%22demo6.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFig%206%20%3A%20Twitter%20data%20accessed%20using%20the%20directory%20sas%20token%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--476576007%22%20id%3D%22toc-hId--476510445%22%3ESummary%3C%2FH1%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EIn%20a%20central%20data%20lake%20environment%20or%20any%20file%20store%20%2C%20directory%20sas%20token%20is%20a%20great%20way%20of%20reducing%20the%20access%20surface%20area%20without%20providing%20access%20at%20storage%20root%20or%20account%20level.%3C%2FLI%3E%0A%3CLI%3ESeparation%20of%20duties%20and%20roles%20can%20be%20easily%20achieved%20as%20data%20access%20is%20controlled%20at%26nbsp%3B%20storage%20level%20%26nbsp%3Band%20synapse%20serverless%3C%2FLI%3E%0A%3CLI%3ECreate%20sas%20token%20with%20read%2C%20list%20and%20execute%20to%20minimize%20the%20impact%20of%20accidental%20deletion%20etc.%20sharing%20the%20sas%20token%20should%20be%20done%20in%20a%20secured%20manner.%3C%2FLI%3E%0A%3CLI%3EExpire%20sas%20token%2C%20regenerate%20new%20token%20and%20recreate%20the%20scope%20credentials%20frequently.%3C%2FLI%3E%0A%3CLI%3EServerless%20is%20great%20way%20of%20data%20exploration%20without%20spinning%20any%20additional%20SQL%20resources.%20You%20would%20be%20charged%20based%20on%20data%20processed%20by%20each%20query.%3C%2FLI%3E%0A%3CLI%3EManaging%20too%20many%20sas%20tokens%20will%20be%20challenge.%20So%2C%20use%20a%20hybrid%20approach%20of%20breaking%20the%20large%20data%20lake%20to%20smaller%20pools%20or%20mesh%20and%20grant%20RBAC%20access%20control%20and%20blend%20with%20SAS%20token%20for%20regulated%20users%20is%20best%20way%20of%20scaling%20the%20serverless%20capability.%3C%2FLI%3E%0A%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2363117%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teaser%20card%20-%20SQL.PNG%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F310693iAA5876CD3B2F3175%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Teaser%20card%20-%20SQL.PNG%22%20alt%3D%22Teaser%20card%20-%20SQL.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%E2%80%83%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESynapse%20Serverless%20is%20a%20great%20way%20of%20performing%26nbsp%3Bdata%20exploration%20and%20creating%20data%20democratization%20environment%20without%20spinning%20any%20dedicated%20infrastructure.%26nbsp%3B%20When%20the%20data%20rests%20in%20data%20lake%20%2C%20data%20hub%20or%20any%20other%20underlying%20storage%2C%20access%20control%20is%20key%20to%20ensure%20that%20right%20users%20get%20right%20access.%26nbsp%3B%20Directory%20SAS%20Token%20capability%20in%20ADLS%20can%20allow%20fine%20grained%20access%20control%20to%20end%20users.%26nbsp%3B%20Integrating%20this%20SAS%20Token%20capability%20with%20synapse%20serverless%20helps%20you%20to%20build%20a%20data%20platform%20in%20a%20controlled%20environment.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2363117%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESynapse%20Administration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20SQL%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Sep 15 2021 02:02 PM
Updated by: