Identifying and understanding the components of a URI (Uniform Resource Identifier) with a Shared Access Signature (SAS) in Azure is essential for working with secure access to Azure Storage resources.
Here's how you can identify and interpret the URI and SAS parameters.
Structure of a SAS URI
A SAS URI typically includes:
1. Base URI
The resource's URI in Azure Storage (e.g., a blob, container, file, queue, or table).
2. SAS Token
The query string that contains the parameters defining the access permissions, expiration time, and more.
Example SAS URI:
xxxxxxxxxx11https://<StorageAccountName>.blob.core.windows.net/<ContainerName>/<BlobName>?sv=2021-12-02&ss=b&srt=o&sp=rw&se=2024-12-01T23:59:59Z&st=2024-11-29T00:00:00Z&spr=https&sig=abcdef1234567890Components of a SAS URI
Base URI
Identifies the resource being accessed.
Example
https://<StorageAccountName>.blob.core.windows.net/<ContainerName>/<BlobName>
Query String (SAS Token)
Starts with a ? and includes multiple parameters separated by &.
Key SAS Parameters
| Parameter | Description |
|---|---|
Sv | Storage Service Version: Specifies the API version used to generate the SAS. |
Ss | Services: Specifies the storage services accessible (e.g., b for blob). |
Srt | Resource Types: Specifies the accessible resource types (s, c, o). |
Sp | Permissions: Specifies the allowed permissions (e.g., r, w, d). |
Se | Expiry Time: Specifies when the SAS token expires (in UTC). |
St | Start Time: Specifies when the SAS token becomes valid (in UTC). |
Spr | Protocols: Specifies allowed protocols (https or https,http). |
Sig | Signature: A cryptographic signature generated using the account key. |
Sip | IP Range: Restricts access to specific IP addresses or ranges (optional). |
Sr | Resource: Specifies the type of resource (b for blob, c for container). |
skoid, sktid | Azure AD Parameters: For User Delegation SAS, these identify the Azure AD object. |
Sks | Signed Scope: Scope of access for User Delegation SAS. |
Examples
Blob SAS Example
xxxxxxxxxx11https://myaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2021-12-02&sr=b&sp=r&se=2024-12-01T23:59:59Z&st=2024-11-29T00:00:00Z&spr=https&sig=abcdef1234567890Base URI
https://myaccount.blob.core.windows.net/mycontainer/myblob.txt
SAS Parameters
sv=2021-12-02: API version.sr=b: Resource type is a blob.sp=r: Permission is read.se=2024-12-01T23:59:59Z: Expires on Dec 1, 2024, at 11:59 PM UTC.st=2024-11-29T00:00:00Z: Valid from Nov 29, 2024, at 12:00 AM UTC.spr=https: Requires HTTPS.sig=abcdef1234567890: Signature.
Container SAS Example
xxxxxxxxxx11https://myaccount.blob.core.windows.net/mycontainer?sv=2021-12-02&ss=b&srt=sco&sp=rw&se=2024-12-01T23:59:59Z&spr=https&sig=abcdef1234567890Base URI
https://myaccount.blob.core.windows.net/mycontainer
SAS Parameters
ss=b: Access to blob service.srt=sco: Access to service, container, and object.sp=rw: Permissions for read and write.
Identifying Parameters in Practice
1. Azure Portal
SAS tokens generated via the portal display all parameters clearly in the Shared access signature section.
2. Azure CLI/PowerShell
SAS tokens are returned as output with explicit parameter breakdown.
Example CLI Command:
xxxxxxxxxx61az storage container generate-sas \2--account-name myaccount \3--name mycontainer \4--permissions r \5--expiry 2024-12-01T23:59:59Z \6--account-key <AccountKey>3. Manual Parsing
SAS tokens can be manually parsed by splitting the URI at ? for the base URI and & for individual parameters.
Validating SAS URIs
Inspect Expiry and Start Time
Ensure tokens are valid for the desired time frame.
Check Permissions
Ensure permissions are appropriate for the use case.
Verify Signature (sig) Integrity
Ensure the token hasn't been tampered with by testing access.
Summary
By understanding these components and parameters, you can effectively manage and troubleshoot SAS URIs in Azure Storage.
Leave a Reply