From 03f027f6c994f6764f09a5a710fc6232ce844bdc Mon Sep 17 00:00:00 2001 From: joshvanl Date: Thu, 19 Mar 2026 12:37:06 +0000 Subject: [PATCH 1/2] bindings/azure/blobstorage: SAS URL support Implemented in https://github.com/dapr/components-contrib/pull/4299 Signed-off-by: joshvanl --- .../supported-bindings/blobstorage.md | 90 ++++++++++++++++++- 1 file changed, 89 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md b/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md index 5f0ed77bca2..e51977cf279 100644 --- a/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md +++ b/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md @@ -65,6 +65,7 @@ This component supports **output binding** with the following operations: - `get` : [Get blob](#get-blob) - `delete` : [Delete blob](#delete-blob) - `list`: [List blobs](#list-blobs) +- `presign`: [Generate presigned SAS URL](#presign-blob) The Blob storage component's **input binding** triggers and pushes events using [Azure Event Grid]({{% ref eventgrid.md %}}). 
@@ -168,13 +169,49 @@ Then you can upload it as you would normally: {{< /tabpane >}} +#### Share blob with a presigned SAS URL + +To generate a presigned SAS URL when creating a blob, include the `signTTL` metadata key on a `create` request. The SAS URL provides temporary read-only access to the blob. +Valid values for `signTTL` are [Go duration strings](https://pkg.go.dev/time#ParseDuration) (e.g. `"15m"`, `"1h"`, `"24h"`). + +> **Note:** This feature requires the binding to be configured with an account key or connection string. Microsoft Entra ID authentication is not supported for SAS URL generation. + +{{< tabpane text=true >}} + + {{% tab "Windows" %}} + ```bash + curl -d "{ \"operation\": \"create\", \"data\": \"Hello World\", \"metadata\": { \"blobName\": \"my-test-file.txt\", \"signTTL\": \"15m\" } }" \ + http://localhost:/v1.0/bindings/ + ``` + {{% /tab %}} + + {{% tab "Linux" %}} + ```bash + curl -d '{ "operation": "create", "data": "Hello World", "metadata": { "blobName": "my-test-file.txt", "signTTL": "15m" } }' \ + http://localhost:/v1.0/bindings/ + ``` + {{% /tab %}} + +{{< /tabpane >}} + +##### Response + +The response body contains the following JSON: + +```json +{ + "blobURL": "https://.blob.core.windows.net//", + "presignURL": "https://.blob.core.windows.net//?sv=2023-11-03&se=2024-01-01T00%3A15%3A00Z&sr=b&sp=r&sig=" +} +``` + #### Response The response body will contain the following JSON: ```json { - "blobURL": "https://. blob.core.windows.net//" + "blobURL": "https://.blob.core.windows.net//" } ``` 
@@ -405,6 +442,57 @@ The list of blobs will be returned as JSON array in the following form: ] ``` +### Presign blob + +To generate a presigned SAS URL for an existing blob, invoke the Azure Blob Storage binding with a `POST` method and the following JSON body. The SAS URL provides temporary read-only access to the blob without requiring authentication. + +> **Note:** This operation requires the binding to be configured with an account key or connection string. Microsoft Entra ID authentication is not supported for SAS URL generation. + +```json +{ + "operation": "presign", + "metadata": { + "blobName": "my-test-file.txt", + "signTTL": "15m" + } +} +``` + +The metadata parameters are: + +- `blobName` - the name of the blob to generate a SAS URL for +- `signTTL` - the time-to-live for the SAS URL. Valid values are [Go duration strings](https://pkg.go.dev/time#ParseDuration) (e.g. `"15m"`, `"1h"`, `"24h"`) + +#### Example + +{{< tabpane text=true >}} + + {{% tab "Windows" %}} + ```bash + curl -d "{ \"operation\": \"presign\", \"metadata\": { \"blobName\": \"my-test-file.txt\", \"signTTL\": \"15m\" } }" \ + http://localhost:/v1.0/bindings/ + ``` + {{% /tab %}} + + {{% tab "Linux" %}} + ```bash + curl -d '{ "operation": "presign", "metadata": { "blobName": "my-test-file.txt", "signTTL": "15m" } }' \ + http://localhost:/v1.0/bindings/ + ``` + {{% /tab %}} + +{{< /tabpane >}} + +#### Response + +The response body contains the following JSON: + +```json +{ + "presignURL": "https://.blob.core.windows.net//my-test-file.txt?sv=2023-11-03&se=2024-01-01T00%3A15%3A00Z&sr=b&sp=r&sig=" +} +``` + ## Metadata information By default the Azure Blob Storage output binding auto generates a UUID as the blob filename and is not assigned any system or custom metadata to it. It is configurable in the metadata property of the message (all optional). From bf101a8943199be9324e1be66a7ef9be477622ed Mon Sep 17 00:00:00 2001 
From: joshvanl Date: Thu, 19 Mar 2026 12:47:28 +0000 Subject: [PATCH 2/2] Review comments Signed-off-by: joshvanl --- .../supported-bindings/blobstorage.md | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md b/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md index e51977cf279..2370c839c1e 100644 --- a/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md +++ b/daprdocs/content/en/reference/components-reference/supported-bindings/blobstorage.md @@ -194,28 +194,20 @@ Valid values for `signTTL` are [Go duration strings](https://pkg.go.dev/time#Par {{< /tabpane >}} -##### Response - -The response body contains the following JSON: - -```json -{ - "blobURL": "https://.blob.core.windows.net//", - "presignURL": "https://.blob.core.windows.net//?sv=2023-11-03&se=2024-01-01T00%3A15%3A00Z&sr=b&sp=r&sig=" -} -``` - #### Response The response body will contain the following JSON: ```json { - "blobURL": "https://.blob.core.windows.net//" + "blobURL": "https://.blob.core.windows.net//", + "blobName": "", + "presignURL": "https://.blob.core.windows.net//?sv=2023-11-03&se=2024-01-01T00%3A15%3A00Z&sr=b&sp=r&sig=" } - ``` +> The `presignURL` field is only present when `signTTL` is provided in the request metadata. + ### Get blob To perform a get blob operation, invoke the Azure Blob Storage binding with a `POST` method and the following JSON body:
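Review bot: In PATCH 1/2, hunk `@@ -65,6 +65,7 @@`, the new `presign` entry uses the link text "Generate presigned SAS URL", while the heading it targets, added later in the same patch, is "Presign blob". The neighbouring entries (`get`, `delete`, `list`) use link text that matches their section headings. Suggest changing the entry to `[Presign blob](#presign-blob)`, or renaming the heading, so the operations list and the section titles agree.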
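Review bot: In PATCH 1/2, hunk `@@ -168,13 +169,49 @@`, the Note under "Share blob with a presigned SAS URL" says Microsoft Entra ID authentication is not supported, but does not say what a `create` request carrying `signTTL` does on a binding configured that way: does the whole request fail, or is the blob created and `presignURL` silently omitted? Please state which, because a caller who gets a response without `presignURL` otherwise cannot tell a configuration problem from a request that never asked for one. The same hunk also inserts a `##### Response` section directly above the existing `#### Response`, which leaves two response sections at different heading levels for one operation. PATCH 2/2 merges them, so consider squashing the two commits so the intermediate state is never published.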
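Review bot: In PATCH 1/2, hunk `@@ -405,6 +442,57 @@`, the "metadata parameters" list under "Presign blob" does not say whether `blobName` and `signTTL` are required, and nothing describes the result of a missing, zero, negative or unparsable `signTTL`. Suggest marking each parameter as required or optional and documenting the error returned for an invalid duration. The introduction says the URL gives access "without requiring authentication"; it would help to say explicitly that the URL itself is the credential, so anyone who obtains it can read the blob until the `se` time shown in the example, and to recommend the shortest `signTTL` that works and keeping `presignURL` out of logs. If the component enforces an upper bound on `signTTL`, document it next to the `"15m"`, `"1h"`, `"24h"` examples.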
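Review bot: In PATCH 2/2, hunk `@@ -194,28 +194,20 @@`, the merged response example gains a `"blobName": ""` field that PATCH 1/2 did not show and that no surrounding text explains. Please add a sentence describing it and confirming whether it is returned on every `create` or only when `signTTL` is set. The new line beginning `> The presignURL field is only present` is a bare blockquote, whereas the notes added in PATCH 1/2 use the `> **Note:**` form; use the same form here. Minor: this section says the response body "will contain" the JSON, while the "Presign blob" response section says it "contains" it; pick one wording.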