Hands-on guide to delegating access to Azure Storage with stored access policies

Let's walk through a practical demonstration on how to use stored access policies to delegate access to Azure Storage, specifically for Blob Storage.

We'll create a stored access policy on a blob container, then generate a SAS token tied to this policy to share access with others.

Scenario

We have a storage account with a container named documents.

We'll use a stored access policy to grant read-only access to a specific blob (report.pdf) for a limited period.

Step-by-Step Practical Demonstration

Step 1: Create a Storage Account (If not already created)

1. Go to the Azure Portal.

2. In the search bar, type and select Storage Accounts.

3. Click on + Create to create a new storage account.

4. Fill in the required fields:

   • Subscription: Choose your subscription.

   • Resource Group: Select an existing resource group or create a new one.

   • Storage Account Name: Choose a unique name for your storage account.

   • Region: Select your desired region.

5. Click Review + Create, then Create.

Step 2: Create a Blob Container

1. Go to the Storage Account you just created.

2. Under Data Storage, select Containers.

3. Click on + Container to create a new container.

4. Name the container documents (or any name you prefer).

5. Set the Access Level to Private (no anonymous access).

6. Click Create.

Step 3: Upload a Blob to the Container

1. Inside the documents container, click on Upload.

2. Choose a file to upload (e.g., report.pdf).

3. Click Upload to add the file to the container.

Step 4: Create a Stored Access Policy

Now, we'll create a stored access policy that will control access to the blob.

1. In the Azure Portal, navigate to the documents container.

2. Click on the Access policies tab at the top.

3. Click + Add policy to create a new stored access policy.

4. Set the following options:

   • Policy Name: ReadOnlyPolicy

   • Permissions: Select Read (r) to allow read-only access.

   • Start Time: Leave it blank or set a start time (optional).

   • Expiry Time: Set the expiry time to control when the SAS token expires (e.g., 1 hour from now).

   • IP Address Range: (Optional) Limit access to a specific range of IPs.

   • Allowed Protocols: Choose HTTPS only for secure access.

5. Click Save to create the policy.

Step 5: Generate a SAS Token Using the Stored Access Policy

Now that we've created a stored access policy, we'll generate a SAS token linked to this policy.

1. In the documents container, click on the Generate SAS button.

2. In the SAS Generation window:

   • Under Signature, select Stored Access Policy.

   • From the drop-down, choose the ReadOnlyPolicy we just created.

   • Set the Permissions (e.g., r for read access).

   • Set the Expiry Time (ensure it matches or is before the stored access policy's expiration).

3. Click Generate SAS and connection string.

4. Copy the SAS URL or SAS token generated.

Example SAS URL:

xxxxxxxxxx
1
1
https://<storage-account-name>.blob.core.windows.net/documents/report.pdf?sv=2021-01-01&st=2024-11-30T10%3A00%3A00Z&se=2024-11-30T11%3A00%3A00Z&sr=b&sp=r&sig=<signature>

This SAS URL allows read-only access to the report.pdf blob for one hour, after which the access will be revoked.

Step 6: Share the SAS URL

Now, you can share the SAS URL with anyone who needs access to the report.pdf blob.

They will be able to access the blob as per the permissions (in this case, read-only) for the duration of the SAS token’s validity.

To test it:

1. Open the SAS URL in a browser.

2. The report.pdf file will be available for download but cannot be modified.

Step 7: Modify or Revoke Access via Stored Access Policy

To modify or revoke access granted through a stored access policy:

Modify the Stored Access Policy

1. Go to the documents container in the Azure Portal.

2. Click on the Access policies tab.

3. Select the ReadOnlyPolicy.

4. Click Edit to modify the permissions, start time, or expiry time.

5. After editing, click Save to apply the changes.

Delete the Stored Access Policy (Revoke Access)

1. In the Access policies tab, select the ReadOnlyPolicy.

2. Click Delete to remove the policy.

3. Once deleted, any existing SAS tokens associated with this policy will be invalidated, effectively revoking access.

Advantages of Using Stored Access Policies

Centralized Control

Manage access permissions centrally through the policy, rather than generating new SAS tokens for each user.

Easier Revocation

If you want to revoke access, just delete the policy and invalidate all SAS tokens tied to it.

Flexible

You can update the policy to change permissions or expiration dates, and those changes automatically apply to all SAS tokens using the policy.

Summary of the Process

1. Create a Storage Account and Blob Container.

2. Upload a blob (e.g., report.pdf).

3. Create a Stored Access Policy with specific permissions (e.g., read-only).

4. Generate a SAS token that is linked to the stored access policy.

5. Share the SAS URL with users to allow them to access the blob.

6. If needed, modify or delete the stored access policy to control or revoke access.

By using stored access policies in Azure Storage, you have more control and flexibility over delegating and managing access securely and efficiently.