Community Articles
Find and share helpful community-sourced technical articles.
Alert: Please see the Cloudera blog for information on the Cloudera Response to CVE-2021-4428
Labels (1)

First ... if you need background Azure Event Hubs go here:

Second, its handy to know why you need a SAS token and what you can do once you have one. See:

We will use an example configuration for and Event Hub service. The corresponding data for your service can be found on the details page of the share access policy you want to use. More information on this topic can be found here

From the shared access policy "hub-nifi"'s detail page we can get all the information we need to create our token from the connection string-primary key field


A SAS token is simply the hash of a string consisting of two substrings, the endpoint URL and the date the token should expire. The expiration date should be in Unix epoch format. The format for the string is <resourceURI> + \n + <expiry>

For our example the URL is and for <expiry> we arbitrarily used Thu Dec 08 2016 06:26:40 UTC-0600 which is 1481200000 in Unix epic.

The string to hash is then\n1481868000

Before hashing this string we must URL Encode it, which would result in\n1481868000

Hash the URL encoded string using the shared access key and openssl. The format of the openssl command is:

echo -n -e 'value' | openssl sha256 -binary -hmac 'key' | openssl base64

using our example values

echo -e -n '\n1481868000' | openssl dgst -sha256 -binary -hmac '2hmLYbJk2q5uZ2Yfyl0XSezXbxD+afO9ysh0Vsv4Xq8=' | openssl base64

The output should be similar to


To make a HTTP request to an Event Hubs endpoint a "Authorization" property must be added to the headers of the request. IMPORTANT URL encode the hash before using it in the token

The value of the authorization property is formatted as

Authorization: SharedAccessSignature sr={URI}&sig={HMAC_SHA256_SIGNATURE}&se={EXPIRATION_TIME}&skn={KEY_NAME}

Using our example values the property are

Authorization: SharedAccessSignature sig=ZYxl4SEwnNMa%2Fgir%2BaYgkb5rZv%2F6vUCqh1%2BNZgIGI4s%3D&se=1481868000&skn=hub-user&

use curl to confirm the token we have generated works

curl -v -H 'Authorization: SharedAccessSignature sig=ZYxl4SEwnNMa%2Fgir%2BaYgkb5rZv%2F6vUCqh1%2BNZgIGI4s%3D&se=1481868000&skn=hub-user&' --data 'hello world!'\&api-version=2014-01
Not applicable

Thanks for sharing.

There are a few inaccuracies:

  • the example URL differs from what you actually use in the example
  • what is even more confusing, it that the URL you encode and hash is http; this however does not work, the hashed URL should be https
  • the text says (or at least suggest) that the string contain of the URL with the "\n" and date append, must be URL-encoded, but this wont work: first the URL must be encoded and after that, the "\n" and date must be appended.
Don't have an account?
Version history
Last update:
‎12-04-2016 03:31 AM
Updated by:
Top Kudoed Authors