Rajnish, MCT

Rajnish Kumar Jha, MCT: DevOps, Azure, Microsoft Certified Trainer

DevOps, Cloud, Azure resources & blog

You are here :► Rajnish Kumar Jha, MCT: DevOps, Azure, Microsoft Certified TrainerBlogAzure StorageHands-on – Delegate access to Azure Storage using Shared Access Signatures

Hands-on – Delegate access to Azure Storage using Shared Access Signatures

Written by

Rajnish Kumar Jha

/

Under the topic

/

Dated:

Table Of Content

Let's go through a practical demonstration on how to use Shared Access Signatures (SAS) to delegate access to Azure Storage.

In this example, we'll focus on Azure Blob Storage.

The steps will include.

  1. Creating a Blob Container in Azure Storage

  2. Generating a SAS Token for the Blob Container

  3. Accessing the Blob via SAS URL

Step 1: Create a Blob Container in Azure Storage

1. Login to Azure Portal

2. Navigate to Storage Account

In the portal, click on Storage accounts and select the storage account you want to use.

If you don't have one, create it by following the steps:

  • Click + Create > Storage Account.

  • Enter the required details (Subscription, Resource group, Name, etc.) and click Review + Create.

3. Create a Blob Container

  • After selecting your storage account, go to the Containers tab under the Blob Service section.

  • Click + Container to create a new container.

  • Name the container (e.g., my-shared-container), and set the Public Access Level to Private (for restricted access).

  • Click Create.

Step 2: Generate a SAS Token for the Blob Container

1. Go to Shared Access Signature in Storage Account

In your storage account, go to the Settings section on the left-hand menu and click on Shared access signature.

2. Configure SAS Token Settings

Permissions

Choose the permissions you want to assign.

For this example, select Read (r) to allow access to blobs.

Start and Expiry Time

Set the start time and expiry time for the SAS token.

For example:

  • Start time: Set it to current time.

  • Expiry time: Set it to 1 hour from the current time.

Allowed IP Address Range

Optionally, specify a range of IP addresses that can use this SAS token.

Allowed Protocols

Select HTTPS Only for secure access.

After configuring the settings, click Generate SAS token and URL.

3. Copy SAS Token

Copy the SAS token and URL that gets generated.

This SAS URL will allow access to the specific blob container with the specified permissions.

The SAS URL will look like:

Step 3: Access the Blob via SAS URL

1. Upload a File to the Blob Container (Optional)

  • Go to the Containers section in your storage account.

  • Select the container my-shared-container.

  • Click Upload, select a file (e.g., a .txt file), and upload it.

2. Access the Blob Using the SAS URL

  • Open a web browser.

  • Paste the SAS URL you copied earlier into the browser.

  • You should be able to access the file you uploaded to the container directly (if you provided read access).

For example, if the SAS URL is:

You can open the file directly in the browser.

If the SAS token has expired or lacks the right permissions, you will see an error message.

Step 4: Revoke or Modify SAS Token (if needed)

Regenerate Account Keys

If you want to revoke a SAS token created using your account keys, you can regenerate the storage account keys.

Modify Access Policy

If you're using a stored access policy, you can update the policy or delete it, which will invalidate SAS tokens associated with it.

Example Use Case

Let’s imagine you want to share a file with a third-party partner, allowing them only to download the file for a limited time.

  1. You create a SAS token with read permissions for the specific file in your blob container.

  2. You send the SAS URL (which includes the SAS token) to the third-party partner.

  3. The third-party partner can use the URL to download the file before the SAS token expires.

Verification and Practical Security Considerations

Time Limitation

Ensure you set a short expiry time for the SAS token to minimize security risks.

HTTPS Only

Always use HTTPS for secure communication.

IP Restriction

If possible, restrict access to specific IP addresses to enhance security.

Summary

In this practical demonstration, you've:

  1. Created a Blob container in Azure Storage.

  2. Generated a SAS token to delegate access.

  3. Used the SAS URL to allow read access to the blob, securely sharing a file with external parties.

SAS provides fine-grained control over who can access your Azure Storage resources and for how long, without compromising your storage account keys.

 

Related Articles

How to connect Azure Storage Explorer to a Storage Account

How to connect Azure Storage Explorer to a Stor…

To connect Azure Storage Explorer to your Azure Storage…

Learn how to use Shared Access Signatures (SAS) to delegate access to Azure Storage

Learn how to use Shared Access Signatures (SAS)…

Shared Access Signatures (SAS) provide a way to delegat…

Learn about Azure Storage Encryption

Learn about Azure Storage Encryption

Azure Storage provides encryption options to ensure dat…

Learn how to assign Blob Access Tiers in Azure

Learn how to assign Blob Access Tiers in Azure

In Azure Blob Storage, access tiers define the cost and…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.

Featured Courses

Learn Azure DevOps from Scratch for Free

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.

My MCT card (Microsoft)

My Certifications

Rajnish, MCT

Popular Posts

Popular TAGS

AZ-104 (41) Azure (41) Azure Administration (41) Azure ARM Template (2) Azure Bicep (2) Azure Policy (2) Azure RBAC (4) Azure Solution Expert (41) Cloud (41) Cloud Administration (41) Microsoft Azure (41) Microsoft Entra (11)

Popular Category

Azure Backup (29) Azure Compute (63) Azure DevOps (351) Azure Fundamentals (14) Azure Governance (12) Azure Identity (14) Azure Monitoring (40) Azure Storage (51) Azure Virtual Networks (48)

Table Of Content

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Unlock the full potential of Azure Cloud with me
– Your trusted guide to Azure mastery!

SUBSCRIBE

My newsletter for exclusive content and offers. Type email and hit Enter.

No spam ever. Unsubscribe anytime.
Read the Privacy Policy.

Follow me on social media

Stay ahead of the curve
with the latest Azure tips, trends, and updates.

LinkedIn -|- GitHub -|- YouTube -|- Facebook -|- Twitter-|- Pinterest -|- Instagram