A Shared Access Signature (SAS) in Azure allows secure, time-limited access to resources in a storage account without exposing the storage account's access keys.
Here’s a step-by-step guide to creating a SAS.
Prerequisites
You need an Azure Storage account.
Ensure you have the required permissions to create SAS tokens:
Account SAS: Requires access keys for the storage account.
Service SAS or User Delegation SAS: Requires relevant permissions via Azure RBAC roles (e.g., Storage Blob Data Contributor).
Types of Shared Access Signatures
Account SAS
Provides access to all services in the storage account.
Service SAS
Provides access to specific storage resources (e.g., blob, file, queue).
User Delegation SAS
Uses Azure AD and is generated based on Azure AD credentials.
Generate a SAS Using Azure Portal
Steps for an Account SAS or Service SAS
Log into Azure Portal.
Navigate to your Storage Account.
Go to Settings > Shared access signature.
Configure the following settings:
Allowed Services: Select the services (Blob, File, Queue, Table) the SAS applies to.
Allowed Resource Types: Choose resource types (Service, Container, Object) to include.
Permissions: Specify permissions like Read, Write, Delete, etc.
Start/Expiry Time: Set a validity period for the SAS token.
IP Ranges: Optionally restrict the SAS to specific IP addresses.
Protocol: Choose HTTPS only or HTTPS and HTTP.
Click Generate SAS and Connection String.
Copy the SAS token or the connection string for use.
Generate a SAS Using Azure Storage Explorer
Download and install Azure Storage Explorer if not already installed.
Connect your storage account using account keys or Azure AD credentials.
Right-click on a specific resource (e.g., container, file, or blob) and select Get Shared Access Signature.
Configure the permissions, expiry time, and protocols.
Click Create and copy the generated SAS token or URL.
Generate a SAS Using Azure CLI
Use the Azure CLI to generate a SAS token. Here’s an example for a blob container:
xxxxxxxxxx61az storage container generate-sas \2--account-name <StorageAccountName> \3--name <ContainerName> \4--permissions rwd \5--expiry <YYYY-MM-DDTHH:MM:SSZ> \6--account-key <StorageAccountKey>This generates a SAS token for the specified container.
For a user delegation SAS, replace --account-key with a --auth-mode parameter:
xxxxxxxxxx71az storage blob generate-sas \2--account-name <StorageAccountName> \3--container-name <ContainerName> \4--name <BlobName> \5--permissions r \6--expiry <YYYY-MM-DDTHH:MM:SSZ> \7--auth-mode loginGenerate a SAS Using Azure PowerShell
Run the following example for a blob container:
xxxxxxxxxx91$context = New-AzStorageContext `2-StorageAccountName <StorageAccountName> `3-StorageAccountKey <StorageAccountKey>4
5New-AzStorageContainerSASToken `6-Context $context `7-Name <ContainerName> `8-Permission rwd `9-ExpiryTime <ExpirationTime>SAS Token Usage
SAS Token
Append the generated SAS token to your resource URL.
For example:
xxxxxxxxxx11https://<StorageAccountName>.blob.core.windows.net/<ContainerName>/<BlobName>?<SASToken>Connection String
Use the SAS token in your applications’ connection string to access Azure Storage securely.
Best Practices
Use User Delegation SAS for enhanced security with Azure AD.
Limit permissions and expiry time to the minimum necessary.
Use HTTPS to secure communication.
Regularly audit and revoke unused SAS tokens.
Summary
By following these steps and best practices, you can create and use SAS tokens securely in Azure.
Leave a Reply