WASB can operate in secure mode, where the storage access keys required to communicate with Azure storage do not have to be in the same address space as the process using WASB. In this mode, all interactions with Azure storage are performed using SAS URIs. There are two sub-modes within the secure mode:

By default, the SAS key mode is expected to run in the remote mode; however, for testing purposes the local mode can be enabled to generate SAS keys in the same process as WASB.

To enable the secure mode, set the following property in core-site.xml:

<property>
  <name>fs.azure.secure.mode</name>
  <value>true</value>
</property>

Next, do one of the following, depending on the sub-mode that you are using:

To enable SAS key generation locally (Option 1), set the following property in core-site.xml:

<property>
  <name>fs.azure.local.sas.key.mode</name>
  <value>true</value>
</property>

To use the remote SAS key generation mode (Option 2), an external REST service is expected to provided required SAS keys. The following property can set in core-site.xml to provide the end point to use for remote SAS key generation:

<property>
  <name>fs.azure.cred.service.url</name>
  <value>{URL}</value>
 </property>

The remote service is expected to provide support for two REST calls {URL}/GET_CONTAINER_SAS and {URL}/GET_RELATIVE_BLOB_SAS, for generating container and relative blob SAS keys.

Example requests:

{URL}/GET_CONTAINER_SAS?storage_account=<account_name>&container=<container>&sas_expiry=<expiry period>&delegation_token=<delegation token> {URL}/GET_CONTAINER_SAS?storage_account=<account_name>&container=<container>&relative_path=<relative path>&sas_expiry=<expiry period>&delegation_token=<delegation token>

The service is expected to return a response in JSON format:

{
  "responseCode" : 0 or non-zero <int>,
  "responseMessage" : relavant message on failure <String>,
  "sasKey" : Requested SAS Key <String>
}