How to use stored access policies to delegate access to Azure Storage


A stored access policy gives a service shared access signature (SAS) a server-side definition: the permissions, start time and expiry time that would otherwise be baked into each token are defined once on the container and referenced by name from any number of SAS tokens.

This is useful because it centralizes the management of those tokens: you can shorten, extend or revoke access by editing one policy instead of regenerating and redistributing each SAS token.

Here’s how to delegate access to Azure Storage using stored access policies.

Understand Stored Access Policies

A stored access policy is a named object stored on an Azure Storage container (file shares, queues and tables support them too) that defines:

  • Permissions: Read, Add, Create, Write, Delete, List, etc.

  • Start and Expiry Time: Time window during which SAS tokens that reference the policy are valid.

Two SAS settings are often mistaken for policy settings but are not part of the policy: the IP range (sip) and the allowed protocol (spr, HTTPS only or both HTTP and HTTPS) are set on the SAS token itself when you generate it.

A container holds at most five stored access policies at a time. Once a policy exists, you can issue one or more SAS tokens that reference it by name; the token carries the policy name in its si parameter instead of its own permissions, start and expiry, and the service looks the policy up on every request.

This allows you to manage access from a single point (the stored access policy) and update or revoke access easily. Two caveats: stored access policies work only with a service SAS (not an account SAS or a user delegation SAS), and the SAS is still signed with the storage account key, so rotating that key invalidates the tokens as well.

Create a Stored Access Policy

To create a stored access policy, you'll need to create or choose a container in your Azure Storage account.

You can create a stored access policy either through the Azure Portal, Azure CLI, or Azure PowerShell.

Step-by-Step Guide to Create a Stored Access Policy

Option 1: Create Stored Access Policy via Azure Portal

  1. Navigate to Your Storage Account:

    • Go to the Azure Portal.

    • Select your Storage Account.

  2. Create a Container (if you don’t have one):

    • Under Data Storage, select Containers.

    • Create a new container (e.g., documents).

  3. Create a Stored Access Policy:

    • Click on the container (e.g., documents).

    • In the container’s menu, under Settings, select Access policy.

    • Under Stored access policies, click + Add policy.

    • Set the following options for the policy:

      • Identifier: A descriptive name (e.g., read-policy); this is the value SAS tokens will reference.

      • Permissions: Select permissions like Read, Write, List, etc. Pick only what the recipients need.

      • Start Time: The time when the SAS will become valid (optional).

      • Expiry Time: The time when the SAS will expire.

    • Click OK, then Save. IP range and allowed protocol are not policy settings; you choose them when you generate the SAS token. A new policy can take up to 30 seconds to take effect, and a SAS that references it is rejected with 403 (Forbidden) until it does.

Option 2: Create Stored Access Policy via Azure CLI

You can create a stored access policy for a container with the Azure CLI command az storage container policy create, giving the container, the policy name, the permission letters (for example r for read) and the start and expiry times in ISO 8601 UTC.

The policy used throughout this guide is named read-policy, grants read permission only, starts on November 30, 2024 and expires on December 31, 2024.

Generate SAS Token Using Stored Access Policy

After creating a stored access policy, you can generate SAS tokens that are associated with that policy.

The benefit is that you don’t need to set permissions or time parameters in each SAS token; they are taken from the stored policy at request time. Each of permissions, start time and expiry time must come from exactly one side: if a value is present in both the policy and the SAS, the service rejects the request with 400 (Bad Request). A policy that leaves a field empty lets each token set it.

Step-by-Step Guide to Generate a SAS Token Using a Stored Access Policy

Option 1: Generate SAS Token via Azure Portal

  1. Go to your container (e.g., documents).

  2. Under Settings, select Shared access tokens.

  3. In the Stored access policy dropdown, select the policy you want to use (e.g., read-policy); the permissions and time fields the policy defines are then fixed.

  4. Generate SAS Token:

    • Optionally set Allowed IP addresses and leave Allowed protocols at HTTPS only; these live in the token, not in the policy.

    • Select Generate SAS token and URL.

    • You’ll get the SAS URL, whose query string carries the policy name in the si parameter rather than its own permissions and expiry.

Option 2: Generate SAS Token via Azure CLI

To generate a SAS token with the Azure CLI, use az storage blob generate-sas with --policy-name in place of --permissions and --expiry (for a whole container, az storage container generate-sas takes the same option). The command prints the SAS query string; add --full-uri to get the complete URL.

The example this guide uses generates a SAS token for the blob report.pdf in the documents container based on the read-policy stored access policy.
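What az storage blob generate-sas --policy-name does under the hood, as an added example that is not code from the original article: the token is built with the policy name in si and signed with the account key, using the standard library only. The account name contoso, the zero-filled test key, the dates and the service version are assumptions; the string-to-sign layout is the one documented for service SAS versions 2020-12-06 and later. check_field_placement enforces the rule that permissions, start and expiry must come from exactly one side, and verify_signature shows that the signature alone says nothing about what the token may do: it binds the parameters to the account key, and the permissions still come from the policy lookup.

```python
# Added example (not code from the original article): minting a service SAS
# that references a stored access policy, with only the standard library.
# This mirrors what `az storage blob generate-sas --policy-name read-policy`
# produces. Account name, account key and dates are made-up test values; the
# string-to-sign layout is the documented one for service SAS 2020-12-06+.
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode

SERVICE_VERSION = "2022-11-02"
# Constructed test key: 64 zero bytes, base64-encoded (real keys are random).
TEST_ACCOUNT_KEY = base64.b64encode(bytes(64)).decode("ascii")


@dataclass
class StoredAccessPolicy:
    name: str                          # signed identifier (the SAS "si" value)
    permissions: Optional[str] = None  # permission letters, e.g. "r" or "rl"
    start: Optional[str] = None        # ISO 8601 UTC, e.g. "2024-11-30T00:00:00Z"
    expiry: Optional[str] = None


def check_field_placement(policy: StoredAccessPolicy, permissions=None,
                          start=None, expiry=None) -> List[str]:
    """Names of fields set on both the policy and the token (the service
    answers 400 for those), plus required fields set on neither side."""
    problems = []
    for field, in_policy, in_token in (("permissions", policy.permissions, permissions),
                                       ("start", policy.start, start),
                                       ("expiry", policy.expiry, expiry)):
        if in_policy is not None and in_token is not None:
            problems.append(field)
        elif field != "start" and in_policy is None and in_token is None:
            problems.append(field)
    return problems


def string_to_sign(account: str, container: str, blob: str, params: Dict[str, str]) -> str:
    """Build the service SAS string-to-sign from the query parameters."""
    canonical = f"/blob/{account}/{container}/{blob}"
    return "\n".join([
        params.get("sp", ""), params.get("st", ""), params.get("se", ""),
        canonical, params.get("si", ""), params.get("sip", ""),
        params.get("spr", ""), params["sv"], params["sr"],
        "",                      # signed snapshot time
        "",                      # signed encryption scope
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct response overrides
    ])


def sign(account_key_b64: str, data: str) -> str:
    """HMAC-SHA256 over the string-to-sign with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_blob_sas(account, account_key_b64, container, blob, policy: StoredAccessPolicy,
                  permissions=None, start=None, expiry=None,
                  ip=None, protocol="https", version=SERVICE_VERSION) -> Dict[str, str]:
    problems = check_field_placement(policy, permissions, start, expiry)
    if problems:
        raise ValueError("bad field placement: " + ", ".join(problems))
    params = {"sv": version, "sr": "b", "si": policy.name, "spr": protocol}
    # IP range and protocol are token-level settings; they never live in the policy.
    if ip:
        params["sip"] = ip
    if permissions:
        params["sp"] = permissions
    if start:
        params["st"] = start
    if expiry:
        params["se"] = expiry
    params["sig"] = sign(account_key_b64, string_to_sign(account, container, blob, params))
    return params


def verify_signature(account, account_key_b64, container, blob, params) -> bool:
    """First thing the service does: recompute the signature over the presented
    parameters. This proves only that the account key signed them; permissions
    and expiry are still resolved from the policy named in "si"."""
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    expected = sign(account_key_b64, string_to_sign(account, container, blob, unsigned))
    return hmac.compare_digest(expected, params.get("sig", ""))


def sas_url(account, container, blob, params) -> str:
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


if __name__ == "__main__":
    policy = StoredAccessPolicy("read-policy", permissions="r",
                                start="2024-11-30T00:00:00Z", expiry="2024-12-31T00:00:00Z")
    token = make_blob_sas("contoso", TEST_ACCOUNT_KEY, "documents", "report.pdf", policy,
                          ip="203.0.113.0/24")
    print(sas_url("contoso", "documents", "report.pdf", token))
```

The printed URL carries si=read-policy, sip and spr, but no sp, st or se: those three are resolved from the policy on every request, which is exactly what makes the token revocable later.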

Share the SAS Token

Once you’ve generated the SAS token, share the SAS URL with the users who need access, over a channel you would trust with a password: anyone holding the URL has the access it grants until the policy expires or is revoked.

The SAS token grants the permissions defined in the stored access policy (e.g., read-only access to the blob until the policy’s expiry).

The SAS URL is the blob URL followed by the SAS query string. Because the token references a policy, the query string contains si=read-policy together with sv, sr and sig, and carries no sp, st or se values of its own.

Monitor, Update and Revoke Stored Access Policies

One of the main advantages of using stored access policies is the ease of management.

You can update or revoke access for multiple SAS tokens associated with a stored access policy at once.

Monitoring SAS Usage

Enable diagnostic settings on the storage account so that Azure Monitor resource logs record blob requests; entries made with a SAS show the authentication type, so you can confirm that tokens are used from the expected clients and that none are still being used after their policy should have been revoked. Classic Storage Analytics logging is the legacy alternative.

Updating Stored Access Policies

If you need to update a stored access policy (for example, shorten the expiry time or remove a permission), edit the policy directly in the Azure Portal or with az storage container policy update; every SAS token that references it picks up the change on its next request.

Revoking Access

To revoke access granted by a stored access policy, delete the policy or move its expiry time into the past.

Any SAS token that references the deleted policy stops working: its signature still checks out, but the service can no longer resolve the si value, so the request is refused. Do not recreate a policy under the same name to hand out fresh access: tokens issued against the old policy become valid again, because they carry only the name.

To delete a stored access policy with the Azure CLI, use az storage container policy delete with the container name and the policy name.
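To make the revocation behaviour concrete, here is an added example (not the article’s code and not Azure’s implementation) that models how the service resolves a policy-backed SAS on each request: the si value is looked up in the container’s policy set, the fields are merged under the one-side-only rule, and the time window and permission letter are checked. Container name, policy name, SAS URL and timestamps are constructed, and signature verification is assumed to have already passed. demo() walks through a read, a denied write, deletion of the policy, the trap of recreating it under the same name, and an expiry moved into the past.

```python
# Added example (not the article's code and not Azure's implementation): a
# local model of how the service resolves a SAS that references a stored
# access policy at request time, used here to show what revocation does.
# Signature verification is treated as already done; container name, policy
# name, URL and timestamps are made up.
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

MAX_POLICIES_PER_CONTAINER = 5   # documented service limit
NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)   # constructed "current" time


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class Container:
    def __init__(self, name: str):
        self.name = name
        self.policies: Dict[str, Dict[str, Optional[str]]] = {}

    def set_policy(self, name, permissions=None, start=None, expiry=None) -> None:
        if name not in self.policies and len(self.policies) >= MAX_POLICIES_PER_CONTAINER:
            raise ValueError("a container holds at most five stored access policies")
        self.policies[name] = {"permissions": permissions, "start": start, "expiry": expiry}

    def delete_policy(self, name: str) -> None:
        self.policies.pop(name, None)


def parse_sas_url(url: str) -> Tuple[str, str, Dict[str, str]]:
    parsed = urlparse(url)
    container, _, blob = parsed.path.lstrip("/").partition("/")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return container, blob, params


def authorize(container: Container, url: str, needed: str, now: datetime) -> Tuple[bool, str]:
    """Decide whether the request is allowed; `needed` is one permission letter."""
    name, _, params = parse_sas_url(url)
    if name != container.name:
        return False, "wrong container"
    policy: Dict[str, Optional[str]] = {"permissions": None, "start": None, "expiry": None}
    if "si" in params:
        # The policy is looked up on every request, which is why deleting it revokes the token.
        if params["si"] not in container.policies:
            return False, "403: stored access policy not found (revoked)"
        policy = container.policies[params["si"]]
    effective = {}
    for field, key in (("permissions", "sp"), ("start", "st"), ("expiry", "se")):
        if policy[field] is not None and key in params:
            return False, f"400: {field} set in both policy and token"
        effective[field] = policy[field] if policy[field] is not None else params.get(key)
    if effective["expiry"] is None or effective["permissions"] is None:
        return False, "400: missing expiry or permissions"
    if effective["start"] is not None and now < _ts(effective["start"]):
        return False, "403: not yet valid"
    if now >= _ts(effective["expiry"]):
        return False, "403: expired"
    if needed not in effective["permissions"]:
        return False, f"403: permission '{needed}' not granted"
    return True, "allowed"


# Constructed SAS URL; the sig value is a placeholder, not a real signature.
SAS_URL = ("https://contoso.blob.core.windows.net/documents/report.pdf"
           "?sv=2022-11-02&sr=b&si=read-policy&spr=https&sig=PLACEHOLDER")


def demo() -> List[Tuple[bool, str]]:
    c = Container("documents")
    c.set_policy("read-policy", permissions="r",
                 start="2024-11-30T00:00:00Z", expiry="2024-12-31T00:00:00Z")
    steps = [authorize(c, SAS_URL, "r", NOW),      # read: allowed
             authorize(c, SAS_URL, "w", NOW)]      # write: never granted by the policy
    c.delete_policy("read-policy")                 # revoke
    steps.append(authorize(c, SAS_URL, "r", NOW))  # the same token is now refused
    c.set_policy("read-policy", permissions="r", expiry="2025-12-31T00:00:00Z")
    steps.append(authorize(c, SAS_URL, "r", NOW))  # reusing the name revives the old token
    c.set_policy("read-policy", permissions="r", expiry="2024-12-01T00:00:00Z")
    steps.append(authorize(c, SAS_URL, "r", NOW))  # expiry moved into the past: refused
    return steps


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

Step four is the one to remember when you recycle policy names: a token issued against the old read-policy works again the moment a policy with that identifier exists, whatever the new one was meant for.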

Best Practices for Using Stored Access Policies

Least Privilege

Always set the minimum required permissions (read, write, list, etc.).

Expiration Dates

Set appropriate expiration dates to limit how long the SAS token is valid.

HTTPS Only

When generating the SAS, restrict the protocol to HTTPS (the spr parameter, --https-only in the CLI). This is a token setting, not a policy setting.

IP Restrictions

Add an IP range to the SAS (the sip parameter, --ip in the CLI) to limit use to trusted networks; like the protocol, it is set per token.

Centralized Management

Since stored access policies can be reused across multiple SAS tokens, they provide a centralized way to manage permissions.

Use Cases for Stored Access Policies

1. Delegating Access to Specific Resources

Grant temporary or controlled access to certain blobs or files in a container while maintaining centralized control.

2. Managing Multiple SAS Tokens

Create one stored access policy for a container and issue all the SAS tokens for blobs in that container against it, so every token shares the same permissions and lifetime. A policy belongs to a single container; tokens for other containers need their own policy.

3. Access for External Partners

Share SAS URLs for external partners with controlled permissions (e.g., read-only access to a shared file).

4. Long-term Use

For applications that need to generate SAS tokens over time, stored access policies provide consistency and central management.

Summary

  • Stored Access Policies are a way to centralize the management of SAS tokens by setting permissions, expiration times, and other parameters at the container level.

  • You can easily generate SAS tokens linked to the stored access policy and share them securely with users.

  • Stored access policies make it easier to update or revoke access across multiple resources in a container without needing to regenerate individual SAS tokens.

Rajnish, MCT
