
SAS Token or ACL for DataLake directory (namespace) permissions?

Open ericthomas1 opened this issue 5 years ago • 0 comments

Hello,

I have an Azure Function that is triggered when a blob is uploaded to a nested directory within a DataLake Gen2 storage container.

  • I do not want to give the Function permissions on the entire DataLake (via connection string in Function app settings).
  • Instead, I need to scope the Function's credentials down to a single, nested namespace.

How is this done?

Tried so far:

  • It appears SAS tokens can only be generated at the first level of the DataLake (container level).

    • This does not work for my use-case as there is one top-level container for the entire DataLake (so in essence, the Function still has root access to the DataLake)
    • I want to scope permissions deeper, to the nested directory (namespace) level
  • It appears Access Control Lists do not handle this scenario either.

    • They don't grant a specific permission key/token/etc that can be used by a Function app setting
    • I'd still have to grant the Function full root access to the DataLake, then hope the ACL perm works
    • In addition, there is no GUI for managing ACLs (outside of Azure Storage Explorer for granting permissions) so they will inevitably be lost/forgotten/etc.

How do we scope permissions to a DataLake namespace in a way compatible with Azure Functions?

Thank you

ericthomas1 Aug 20 '20 19:08
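As an added illustration (not part of the issue above, and not Azure's own code): a small model of how a POSIX-style ACL on a Data Lake Gen2 hierarchical namespace is evaluated along a path. It shows why "grant the Function an ACL entry on the nested directory and hope it works" often fails: the Function's identity also needs execute (`x`) on the container root and on every intermediate directory to traverse to the target, and it needs nothing more than that on those parents to stay scoped to one namespace. The object IDs, group name and directory tree are constructed; the evaluation order and mask handling follow standard POSIX ACL rules in simplified form and are an assumption about the service's behaviour, not its implementation.

```python
"""Simplified model of POSIX-style ACL evaluation on a hierarchical namespace.

Assumptions (constructed for illustration, not the service's own code):
- ACL strings use the POSIX form Data Lake Gen2 exposes, e.g.
  "user::rwx,group::r-x,other::---,user:<object-id>:r-x,mask::r-x".
- A caller needs 'x' on every ancestor directory (root included) to reach a
  path, then the requested permission on the target itself.
- Evaluation order: owner, named users, owning/named groups, other; a mask
  entry, when present, caps named-user and group entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    oid: str                 # Entra object ID of the caller (constructed value)
    groups: frozenset        # group names the caller belongs to


def parse_acl(acl: str) -> list[tuple[str, str, str]]:
    """Return (scope, qualifier, perms) triples. 'default:' entries are skipped:
    they only control inheritance for new children, not access checks."""
    entries = []
    for raw in acl.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(":")
        if parts[0] == "default":
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        scope, qualifier, perms = parts
        if scope not in {"user", "group", "other", "mask"} or len(perms) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        entries.append((scope, qualifier, perms))
    return entries


def _has(perms: str, want: str) -> bool:
    return all(p in perms for p in want)


def effective_perms(acl: str, owner_oid: str, owner_group: str, who: Principal) -> str:
    """Permissions 'who' gets on a single node, as an 'rwx'-style string."""
    entries = parse_acl(acl)
    mask = next((p for s, _, p in entries if s == "mask"), "rwx")

    def masked(p: str) -> str:
        # keep a bit only if both the entry and the mask grant it
        return "".join(c if c == m else "-" for c, m in zip(p, mask))

    if who.oid == owner_oid:  # owner entry is never masked
        return next((p for s, q, p in entries if s == "user" and q == ""), "---")
    for s, q, p in entries:
        if s == "user" and q == who.oid:
            return masked(p)
    group_perms = [
        masked(p) for s, q, p in entries
        if s == "group" and ((q == "" and owner_group in who.groups) or (q != "" and q in who.groups))
    ]
    if group_perms:  # union of all matching group entries
        return "".join(c if any(g[i] == c for g in group_perms) else "-" for i, c in enumerate("rwx"))
    return next((p for s, _, p in entries if s == "other"), "---")


def can_access(tree: dict, path: str, who: Principal, want: str) -> tuple[bool, str]:
    """tree maps each path to (acl, owner_oid, owner_group). Checks traversal on
    every ancestor, then the requested permission on the target."""
    parts = [p for p in path.strip("/").split("/") if p]
    ancestors, current = ["/"], ""
    for part in parts[:-1]:
        current += "/" + part
        ancestors.append(current)
    for anc in ancestors:
        acl, owner, group = tree[anc]
        if not _has(effective_perms(acl, owner, group, who), "x"):
            return False, f"no traverse (x) on {anc}"
    acl, owner, group = tree[path]
    eff = effective_perms(acl, owner, group, who)
    if not _has(eff, want):
        return False, f"need {want} on {path}, have {eff}"
    return True, "ok"


# Constructed sample: one container (root "/"), the Function only gets an ACL
# entry on /raw/tenant-a; parents grant other::--x so it can traverse but not list.
ADMIN_OID = "00000000-admin-oid"
FUNC = Principal(oid="11111111-func-oid", groups=frozenset())
SAMPLE_TREE = {
    "/": ("user::rwx,group::r-x,other::--x", ADMIN_OID, "data-admins"),
    "/raw": ("user::rwx,group::r-x,other::--x", ADMIN_OID, "data-admins"),
    "/raw/tenant-a": ("user::rwx,group::r-x,other::---,user:11111111-func-oid:r-x,mask::r-x", ADMIN_OID, "data-admins"),
    "/raw/tenant-a/events.json": ("user::rw-,group::r--,other::---,user:11111111-func-oid:r--,mask::r--", ADMIN_OID, "data-admins"),
    "/raw/tenant-b": ("user::rwx,group::r-x,other::---", ADMIN_OID, "data-admins"),
    "/raw/tenant-b/events.json": ("user::rw-,group::r--,other::---", ADMIN_OID, "data-admins"),
}
# Same tree, but /raw forgot the traverse bit: the tenant-a entry alone is not enough.
LOCKED_TREE = dict(SAMPLE_TREE, **{"/raw": ("user::rwx,group::r-x,other::---", ADMIN_OID, "data-admins")})

if __name__ == "__main__":
    for tree_name, tree in (("SAMPLE_TREE", SAMPLE_TREE), ("LOCKED_TREE", LOCKED_TREE)):
        for p in ("/raw", "/raw/tenant-a/events.json", "/raw/tenant-b/events.json"):
            print(tree_name, p, can_access(tree, p, FUNC, "r"))
```

Run it as-is and the Function identity reads `/raw/tenant-a/events.json`, is refused listing `/raw` (it has only `--x` there) and is refused `/raw/tenant-b`; with the traverse bit missing on `/raw` the same tenant-a entry fails with "no traverse (x) on /raw", which is the case the issue calls "hope the ACL perm works". The `default:` entries the model skips are what you would set on the tenant directory so that newly uploaded files inherit the Function's read entry without a GUI step per file.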