Hands-on – Delegate access to Azure Storage using Shared Access Signatures


Let's go through a practical demonstration on how to use Shared Access Signatures (SAS) to delegate access to Azure Storage.

In this example, we'll focus on Azure Blob Storage.

The steps are:

  1. Creating a Blob Container in Azure Storage

  2. Generating a SAS Token for the Blob Container

  3. Accessing the Blob via SAS URL

  4. Revoking or modifying the SAS Token (if needed)

Step 1: Create a Blob Container in Azure Storage

1. Log in to the Azure Portal

2. Navigate to Storage Account

In the portal, click on Storage accounts and select the storage account you want to use.

If you don't have one, create it by following the steps:

  • Click + Create > Storage Account.

  • Enter the required details (Subscription, Resource group, Name, etc.) and click Review + Create.

3. Create a Blob Container

  • After selecting your storage account, go to Containers under Data storage in the left-hand menu.

  • Click + Container to create a new container.

  • Name the container (e.g., my-shared-container) and set the Public access level to Private (no anonymous access), so that the only way to reach its blobs is with a credential such as the SAS you are about to create.

  • Click Create.

Step 2: Generate a SAS Token for the Blob Container

1. Open the Shared access signature blade

In your storage account, under Security + networking in the left-hand menu, click Shared access signature. Note what this blade produces: an account SAS, signed with one of the two account keys, that can cover every service and every container in the account, limited only by the Allowed services and Allowed resource types you tick. For this exercise keep Allowed services to Blob and Allowed resource types to Container and Object. If you want a token that is valid for one container only, open the container itself and use its Shared access tokens blade instead, which produces a service SAS scoped to that container.

2. Configure SAS Token Settings

Permissions

Choose the permissions you want to delegate. Every letter you add widens what the holder of the token can do, so grant only what the recipient needs.

For this example, select only Read (r); leave List, Write, Delete and the rest unchecked.

Start and Expiry Time

Set the start time and expiry time for the SAS token.

For example:

  • Start time: set it a few minutes before the current time (Microsoft recommends up to 15 minutes) rather than exactly now, so that clock skew between the client and the service does not make the first requests fail as "not yet valid".

  • Expiry time: Set it to 1 hour from the current time.

Allowed IP Address Range

Optionally, restrict the token to a single public IP address or a range (the sip parameter). The check is made on the address the storage service sees, so a recipient behind NAT or a corporate proxy must give you that public address, not the private one of their machine.

Allowed Protocols

Select HTTPS only. Allowing HTTP as well would let the token, which is a bearer credential, travel in cleartext and be replayed by anyone who observes it.

After configuring the settings, click Generate SAS token and URL.

3. Copy the SAS token and URL

Copy the generated SAS token and the Blob service SAS URL. The portal shows them only once; Azure keeps no record of issued tokens, so if you lose the value you must generate a new one. Treat the token as a secret: whoever holds the URL has the access it grants until it expires.

The URL is the resource address with the token appended as a query string. In general form (placeholders, not a real token) it looks like:

https://<account>.blob.core.windows.net/?sv=<version>&ss=b&srt=co&sp=r&st=<start>&se=<expiry>&spr=https&sig=<signature>

Here sv is the service version, ss and srt the allowed services and resource types of an account SAS, sp the permissions, st and se the start and expiry times, spr the allowed protocol, sip the IP range if you set one, and sig the Base64-encoded HMAC-SHA256 signature over those fields, computed with the account key. Anyone can read the parameters; only the holder of the key can produce a valid sig for them.
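The portal does this signing for you. The following added example, which is not from the original article or from the Azure SDK, performs the same construction in a script with only the Python standard library, so you can see exactly what gets signed. It builds the service-SAS string-to-sign documented for service version 2020-12-06 and signs it with HMAC-SHA256 under the account key, producing a token scoped to a single blob (sr=b), which is narrower than the account SAS the storage-account blade generates. The account name, container, blob name, IP range and key are constructed for the demo; the key is 64 zero bytes and not a real credential. Nothing below contacts Azure.

```python
"""Mint a read-only service SAS offline with only the standard library.

Added example, not from the original article or the Azure SDK. It
implements the service-SAS string-to-sign documented for service version
2020-12-06 (the same construction the SDK's generate_blob_sas performs), so
the only secret involved is the account key. Account name, container, blob,
IP range and key below are constructed for the demo; the key is 64 zero
bytes, not a real credential.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

SAS_VERSION = "2020-12-06"


def sas_time(dt: datetime) -> str:
    """Format a timestamp the way the service expects: UTC, seconds, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def generate_service_sas(account: str, account_key_b64: str, container: str,
                         blob: str, permissions: str,
                         start: datetime, expiry: datetime,
                         allowed_ip: str = "") -> str:
    """Return the SAS query string (no leading '?') for one container or one blob.

    blob="" scopes the token to the container (sr=c); a blob name scopes it to
    that single object (sr=b), the least privilege for sharing one file.
    """
    resource = "b" if blob else "c"
    canonical = f"/blob/{account}/{container}" + (f"/{blob}" if blob else "")
    st, se = sas_time(start), sas_time(expiry)
    # Field order is fixed by the service; empty fields still get their newline.
    string_to_sign = "\n".join([
        permissions,
        st,
        se,
        canonical,
        "",             # signedIdentifier: empty for an ad hoc SAS (no stored policy)
        allowed_ip,     # signedIP
        "https",        # signedProtocol: HTTPS only
        SAS_VERSION,    # signedVersion
        resource,       # signedResource
        "",             # signedSnapshotTime
        "",             # signedEncryptionScope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ])
    key = base64.b64decode(account_key_b64)
    sig = base64.b64encode(
        hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    ).decode("ascii")
    params = {"sv": SAS_VERSION, "st": st, "se": se, "sr": resource,
              "sp": permissions, "spr": "https"}
    if allowed_ip:
        params["sip"] = allowed_ip
    params["sig"] = sig
    # urlencode percent-encodes the '+', '/' and '=' that appear in the signature.
    return urlencode(params)


def blob_sas_url(account: str, account_key_b64: str, container: str, blob: str,
                 permissions: str, start: datetime, expiry: datetime,
                 allowed_ip: str = "") -> str:
    """Full URL for one blob: resource path plus the token as its query string."""
    token = generate_service_sas(account, account_key_b64, container, blob,
                                 permissions, start, expiry, allowed_ip)
    return f"https://{account}.blob.core.windows.net/{container}/{quote(blob)}?{token}"


def demo(lifetime_hours: int = 1) -> str:
    """Constructed inputs; a fixed 'now' keeps the output reproducible."""
    dummy_key = base64.b64encode(b"\x00" * 64).decode()   # constructed, not a real key
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Start 15 minutes in the past to absorb clock skew between client and service.
    return blob_sas_url("examplestorage", dummy_key, "my-shared-container",
                        "report.txt", "r",
                        now - timedelta(minutes=15),
                        now + timedelta(hours=lifetime_hours),
                        allowed_ip="203.0.113.10")


if __name__ == "__main__":
    print(demo())
```

Substitute your own account name and key (and a real blob) to produce a usable token; the output is a URL with sr=b, sp=r and spr=https that the service will accept only while the st/se window is open and only from the sip range. Changing any parameter after signing invalidates sig, which is why a recipient cannot quietly upgrade a read token to a write one.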

Step 3: Access the Blob via SAS URL

1. Upload a File to the Blob Container (Optional)

  • Go to the Containers section in your storage account.

  • Select the container my-shared-container.

  • Click Upload, select a file (e.g., a .txt file), and upload it.

2. Access the Blob Using the SAS URL

  • Open a web browser.

  • Paste the SAS URL you copied earlier, inserting the blob's path before the ? so that the request names the file, e.g. https://<account>.blob.core.windows.net/my-shared-container/<file name>?sv=... The bare container URL does not work with Read alone: listing a container requires the List (l) permission and the ?restype=container&comp=list query.

  • The browser should download or display the file, since the token grants Read.

If the token has expired, is not yet valid, has been altered, or lacks the required permission, the service returns HTTP 403 with an XML error body (AuthenticationFailed or AuthorizationPermissionMismatch) instead of the file.

Step 4: Revoke or Modify SAS Token (if needed)

Regenerate Account Keys

An ad hoc SAS (one not tied to a stored access policy) cannot be revoked on its own, because Azure keeps no record of issued tokens. The only way to revoke it is to regenerate the account key that signed it. That also invalidates every other SAS signed with that key and breaks any client still using the key directly, so rotate one key at a time and move dependents to the other key first.

Modify Access Policy

If the SAS references a stored access policy (the si parameter; available for a service SAS on a container, not for an account SAS), change the policy's permissions or expiry, or delete it, and every token bound to it stops working immediately without touching the account keys.

Example Use Case

Let’s imagine you want to share a file with a third-party partner, allowing them only to download the file for a limited time.

  1. You create a SAS token with read permissions for the specific file in your blob container.

  2. You send the SAS URL (which includes the SAS token) to the third-party partner.

  3. The third-party partner can use the URL to download the file before the SAS token expires.

Verification and Practical Security Considerations

Time Limitation

Keep the expiry short: minutes to a few hours for a one-off share. Because an ad hoc token cannot be revoked, the expiry is the only brake on a leaked URL.

HTTPS Only

Always select HTTPS only. The token is a bearer credential; anything that sees it in cleartext (a proxy log, a browser history export, a link pasted into chat) can replay it until it expires.

IP Restriction

If possible, restrict the token to the recipient's public IP address or range so that a copied URL is useless from anywhere else.

Least Privilege and Revocability

Grant only the scope and permissions the task needs: a service SAS on one blob rather than an account SAS, Read rather than Read and List. For anything you may need to revoke early, bind the token to a stored access policy. Where the client can authenticate with Microsoft Entra ID, prefer a user delegation SAS, which is signed with a revocable delegation key instead of the account key.
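Before sending a SAS URL to anyone, it is worth checking it against the points above rather than trusting that the right boxes were ticked in the portal. The following added example, not part of the original article, parses the query parameters Azure places in a SAS token (sv, ss, srt, sr, sp, st, se, spr, sip, si, skoid, sig) and reports every deviation from a short-lived, read-only, HTTPS-only, IP-restricted token. The two URLs in the demo are constructed, and their sig values are placeholders rather than real signatures.

```python
"""Audit a SAS URL before handing it out.

Added example, not part of the original article. It inspects the documented
SAS query parameters and reports weaknesses: account-wide scope (ss/srt),
excess permissions (sp), long or missing expiry (se), plain HTTP allowed (spr),
no IP restriction (sip), and an ad hoc key-signed token that can only be
revoked by key rotation (no si, no skoid). Demo URLs are constructed and their
signatures are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit


def parse_sas_time(value: str) -> datetime:
    """Accept the three timestamp shapes the service allows; all are UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas_url(url: str, now: datetime, intended_permissions: str = "r",
                  max_lifetime: timedelta = timedelta(hours=1)) -> list:
    """Return a list of findings; an empty list means the token matches the checklist."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return ["not a SAS URL: sv and sig parameters missing"]
    findings = []

    # Scope: an account SAS (ss/srt) reaches every container its resource types allow.
    if "ss" in q or "srt" in q:
        findings.append(f"account SAS (ss={q.get('ss', '')}, srt={q.get('srt', '')}); "
                        "a service SAS on one container (sr=c) or blob (sr=b) is narrower")

    # Permissions: anything beyond what the recipient needs is excess privilege.
    extra = sorted(set(q.get("sp", "")) - set(intended_permissions))
    if extra:
        findings.append(f"permissions beyond '{intended_permissions}': {''.join(extra)}")

    # Lifetime: an ad hoc token cannot be revoked, so expiry is the only brake.
    if "se" in q:
        expiry = parse_sas_time(q["se"])
        if expiry <= now:
            findings.append(f"already expired at {q['se']}")
        elif expiry - now > max_lifetime:
            findings.append(f"expiry {q['se']} is more than {max_lifetime} away")
    elif "si" not in q:
        findings.append("no expiry (se) and no stored access policy (si) to supply one")

    # Transport: 'https,http' or a missing spr lets the bearer token travel in cleartext.
    if q.get("spr") != "https":
        findings.append(f"spr={q.get('spr', '<unset>')}; should be https")

    # Network: without sip, anyone who obtains the URL can use it from anywhere.
    if "sip" not in q:
        findings.append("no IP restriction (sip)")

    # Revocability: a user delegation SAS (skoid) is revoked via its delegation key and
    # a stored-policy SAS (si) via the policy; an ad hoc key-signed SAS only by rotation.
    if "skoid" not in q and "si" not in q:
        findings.append("ad hoc SAS signed with the account key: "
                        "revocable only by regenerating that key")
    return findings


def demo() -> dict:
    """Constructed URLs with placeholder signatures and a fixed 'now'."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    base = "https://examplestorage.blob.core.windows.net/"
    tight = (base + "my-shared-container/report.txt"
             "?sv=2022-11-02&st=2025-01-01T11%3A45%3A00Z&se=2025-01-01T13%3A00%3A00Z"
             "&sr=b&sp=r&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")
    loose = (base + "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx"
             "&se=2026-01-01T00%3A00%3A00Z&spr=https%2Chttp&sig=PLACEHOLDER")
    plain = base + "my-shared-container/report.txt"
    return {"tight": audit_sas_url(tight, now),
            "loose": audit_sas_url(loose, now),
            "plain": audit_sas_url(plain, now)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no findings"])
```

The tight, blob-scoped token still draws one finding, that it is an ad hoc key-signed SAS, which is exactly the trade-off the tutorial accepts for a one-hour share; the account-wide token with write and delete permissions, a year-long expiry and HTTP allowed collects six. Run the audit on the URL the portal gave you and on any SAS you find in logs or configuration.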

Summary

In this practical demonstration, you've:

  1. Created a Blob container in Azure Storage.

  2. Generated a SAS token to delegate access.

  3. Used the SAS URL to allow read access to the blob, securely sharing a file with external parties.

SAS gives you fine-grained control over who can reach your Azure Storage resources, with which permissions and for how long, without ever handing out the storage account keys themselves.

 

Rajnish, MCT
