Demonstrating the Azure Storage access delegation using Shared Access Signatures

Written by

Under the topic

Dated:

February 25, 2024

Table Of Content

To provide a practical demonstration of how to use Shared Access Signatures (SAS) to delegate access to Azure Storage, let's walk through a simple example where we grant access to a blob within a blob container for read-only access using a SAS token.

Scenario

We have an Azure Storage Account with a Blob container called documents, and we want to share a specific blob named report.pdf for read-only access with someone.

We will generate a SAS token that grants them access to the report.pdf blob for a limited time.

Step-by-Step Demonstration

Step 1: Create an Azure Storage Account (if you don’t have one)

Go to the Azure Portal.
Navigate to Storage Accounts > Add.
Provide the required details (e.g., name, region, performance) and create the account.

Step 2: Create a Blob Container

After your storage account is created, go to the Storage Account in the Azure portal.
Under Data Storage, select Containers.
Click + Container to create a new container.
Name the container (e.g., documents), and set the access level to Private (no anonymous access).

Step 3: Upload a Blob (report.pdf)

Inside the documents container, click Upload.
Choose a file to upload, such as a PDF named report.pdf.
Click Upload to upload the file to the container.

Step 4: Generate a SAS Token for the Blob

Now, we will generate a Service SAS for the blob (report.pdf) with read-only permissions.

Method 1: Generate SAS via Azure Portal

Go to the Storage Account and then the Containers section.
Select the documents container, and click on the blob report.pdf.
On the top menu, click Get Shared Access Signature.
In the SAS configuration pane, set the following:
- Permissions: Select Read (r).
- Start and Expiry Time: Set the expiry date to something in the future (e.g., 1 day from now).
- Allowed IP addresses: (Optional) Set restrictions if needed, or leave it blank for open access.
- Allowed protocols: Select HTTPS only for secure access.
Click Generate SAS and URL.
Copy the generated SAS URL to share with the recipient.

Example of a SAS URL:


xxxxxxxxxx
1
1
https://<storage-account-name>.blob.core.windows.net/documents/report.pdf?sv=2021-01-01&st=2024-11-30T00%3A00%3A00Z&se=2024-12-01T00%3A00%3A00Z&sr=b&sp=r&sig=<signature>

Method 2: Generate SAS via Azure CLI

You can also use the Azure CLI to generate the SAS token for the blob.

Here's the CLI command:


xxxxxxxxxx
8
1
az storage blob generate-sas \
2
--account-name <storage-account-name> \
3
--container-name documents \
4
--name report.pdf \
5
--permissions r \
6
--expiry 2024-12-01T00:00:00Z \
7
--https-only \
8
--output tsv

This will output the SAS token. Combine it with the blob URL to create a full SAS URL.

Example:


xxxxxxxxxx
1
1
https://<storage-account-name>.blob.core.windows.net/documents/report.pdf?<SAS-token>

Now, you can share the SAS URL with the person you want to delegate access to.
The recipient can use the SAS URL to download the report.pdf blob, but they will only have read-only access until the SAS token expires.

Step 6: Verify the Access

To test the SAS token, paste the SAS URL into a browser or use a tool like Postman to make an HTTP request.
The recipient should be able to download the report.pdf file, but they won’t be able to upload, modify, or delete the file because the SAS token only grants read (r) permissions.

Step 7: Monitor and Revoke Access (if necessary)

Monitoring

Use Azure Monitor or Storage Analytics to keep track of SAS usage.

Revoking access

If you need to revoke access before the expiry date, you can regenerate the storage account keys (which will invalidate SAS tokens generated with those keys), but this is a drastic measure and should be done carefully.

Practical Example of Using the SAS URL

Suppose you want to share the report.pdf file with a colleague, and you generate the SAS URL.

The colleague would simply:

Open the SAS URL in their browser.
The file report.pdf will be available for download.
They can download it, but not modify it.

Summary

SAS tokens are time-bound, and you should always limit the expiration period to only what is necessary.
You can define permissions such as read, write, delete, or list to control access.
Always use HTTPS to ensure secure access.
IP restrictions can be set to limit access to specific addresses or address ranges.

By using SAS tokens, you can securely share Azure Storage resources with external parties or applications while maintaining fine-grained control over their access.

Learn about Azure Storage Access Control using …

Shared Access Signatures (SAS) in Azure Storage provide…

How to identify URI and SAS parameters in Azure

Identifying and understanding the components of a URI (…

How to connect Azure Storage Explorer to Azure …

To connect Azure Storage Explorer to Azure Data Lake St…

Learn about Azure Storage Encryption

Azure Storage provides encryption options to ensure dat…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.