Credential resolution and the shared-key / SAS signing policies for the Azure Blob backend.
The official azure_storage_blob 0.12 crate accepts only
Arc<dyn TokenCredential> (Entra ID) on its constructors, but the
Azurite emulator and many production accounts still authenticate
with shared keys. We bridge the gap with a custom per-try
Policy that signs each outgoing request using the Azure
Storage shared-key v2 scheme. Tracking issue:
Azure/azure-sdk-for-rust#2975.
Resolution order:
- URL flag ?credential=<NAME> →
  - AZSTORE_<NAME>_KEY (base64 account key) → [SharedKeySigningPolicy]
  - AZSTORE_<NAME>_CONNECTION_STRING → parsed for AccountKey= → [SharedKeySigningPolicy]
  - AZSTORE_<NAME>_SAS → [SasSigningPolicy] (appends SAS query params to every outgoing request URL)
- No flag → azure_identity::DeveloperToolsCredential.
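The resolution order above, as an added sketch that is not this crate's code: `Resolved`, `account_key` and `resolve` are hypothetical names, and `env` stands in for the process environment. It assumes the three variables are tried in the listed order and that a named credential with nothing configured is an error rather than a fallback.

```rust
use std::collections::HashMap;

/// Outcome of resolving `?credential=<NAME>` (hypothetical type for this sketch).
#[derive(Debug, PartialEq)]
pub enum Resolved {
    SharedKey(String), // base64 account key, handed to the shared-key policy
    Sas(String),       // SAS query string, appended to each request URL
    DeveloperTools,    // no flag: Entra ID developer credentials
}

/// Pull `AccountKey=` out of a connection string. Split on the FIRST '=' only:
/// base64 keys end in '=' padding, so splitting on every '=' truncates the key.
pub fn account_key(conn: &str) -> Option<String> {
    conn.split(';')
        .filter_map(|kv| kv.trim().split_once('='))
        .find(|(k, _)| *k == "AccountKey")
        .map(|(_, v)| v.to_string())
        .filter(|v| !v.is_empty())
}

/// Walk the documented order for an optional credential name.
pub fn resolve(name: Option<&str>, env: &HashMap<String, String>) -> Result<Resolved, String> {
    let Some(name) = name else { return Ok(Resolved::DeveloperTools) };
    // Assumption: restrict <NAME> so it can only address AZSTORE_* variables.
    if name.is_empty() || !name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
        return Err("invalid credential name".to_string());
    }
    let get = |suffix: &str| env.get(&format!("AZSTORE_{name}_{suffix}")).filter(|v| !v.is_empty());
    if let Some(k) = get("KEY") {
        return Ok(Resolved::SharedKey(k.clone()));
    }
    if let Some(cs) = get("CONNECTION_STRING") {
        return account_key(cs)
            .map(Resolved::SharedKey)
            .ok_or_else(|| format!("AZSTORE_{name}_CONNECTION_STRING has no AccountKey="));
    }
    if let Some(s) = get("SAS") {
        return Ok(Resolved::Sas(s.trim_start_matches('?').to_string())); // assumption: drop leading '?'
    }
    // Assumption: fail closed instead of silently using a different identity.
    Err(format!("no AZSTORE_{name}_* variable set"))
}

fn main() {
    // Constructed sample environment; the key is a placeholder, not a real secret.
    let env = HashMap::from([("AZSTORE_DEV_CONNECTION_STRING".to_string(),
        "AccountName=acct;AccountKey=Y29uc3RydWN0ZWQ=;".to_string())]);
    println!("{:?}", resolve(Some("DEV"), &env));
}
```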
The shared-key signing implementation here is derived from the
reference workaround posted on issue #2975, which itself was
airlifted from the legacy azure_storage SDK. The
string-to-sign / canonicalised-resource layout is documented at
https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key.
Structs§
- HmacKey: Pre-decoded HMAC-SHA256 key bytes for Azure shared-key / service-SAS signing. The base64 decode happens once at construction (in [SharedKeySigningPolicy::new] and the parse_connection_string paths) instead of per request.
Functions§
- compute_authorization: Compute the Authorization: SharedKey <account>:<sig> header value.