Learn about Azure Storage Access Control using Shared Access Signatures (SAS)

Written by

Under the topic

Dated:

January 29, 2023

Table Of Content

Shared Access Signatures (SAS) in Azure Storage provide secure, delegated access to resources within your Azure Storage account.

With SAS, you can specify permissions, time duration, and the exact resources a user or application can access, without sharing your account keys.

Here’s a detailed guide on how to control access to Azure Storage with SAS.

Step 1: Understand SAS Types

There are three types of SAS in Azure:

1. User Delegation SAS

Requires Azure AD credentials.
More secure and allows role-based access control (RBAC).
Available for Blob storage.

2. Service SAS

Delegates access to specific storage services (e.g., Blob, File, Queue, Table).
Uses the storage account's shared key for authentication.

3. Account SAS

Provides access to multiple services in the storage account (e.g., Blob, File, Queue, Table).
Grants broader access than Service SAS.

Step 2: Decide on the Scope and Permissions

Determine:

Which resource to grant access (e.g., Blob, File Share, Queue, or Table).
Level of permissions:
- Read: Allows reading data.
- Write: Allows creating or updating data.
- Delete: Allows deleting data.
- List: Allows listing contents of a container or directory.
- Add/Update/Create: Specific to queues and tables.
Duration of access: Start and expiry times.

Step 3: Generate SAS

Option 1: Generate SAS in Azure Portal

1. Navigate to your Storage Account

Open the Azure portal and go to your storage account.

2. Choose a Resource

Select Blob containers, File shares, Queues, or Tables based on the resource you want to share.

3. Shared Access Signature

Go to the Shared access signature option in the left-hand menu.
Configure:
- Permissions (Read, Write, Delete, etc.).
- Start and expiry time.
- Allowed IP ranges.
- Allowed protocols (HTTP/HTTPS or HTTPS only).
Click Generate SAS token and URL.

4. Copy the SAS Token or URL

Share the SAS URL with authorized users or applications.

Option 2: Generate SAS via Azure Storage Explorer

Open Azure Storage Explorer.
Right-click on a resource (e.g., a blob or container) and select Get Shared Access Signature.
Configure permissions, duration, and restrictions.
Copy the generated SAS token or URL.

Option 3: Generate SAS using Azure CLI

Use the Azure CLI to generate SAS:


xxxxxxxxxx
8
1
az storage blob generate-sas \
2
--account-name <storage-account-name> \
3
--container-name <container-name> \
4
--name <blob-name> \
5
--permissions r \
6
--expiry 2024-12-31T23:59:00Z \
7
--https-only \
8
--output tsv

This command generates a SAS token for a blob with read-only access, valid until the specified expiry date.

Option 4: Generate SAS using Azure SDKs

Use the Azure SDKs (e.g., Python, C#, Java) to programmatically generate SAS tokens.

Step 4: Secure SAS Usage

1. Use HTTPS

Always select "HTTPS only" to ensure secure communication.

2. IP Restrictions

Limit access to specific IP addresses or ranges to minimize unauthorized use.

3. Minimum Expiry Duration

Set short expiry durations for temporary access to reduce risks.

4. Restrict Permissions

Only grant the minimum permissions required.

Step 5: Revoke SAS if Necessary

To revoke access to a resource shared with SAS:

1. Regenerate Account Keys

If the SAS is based on the storage account key, regenerating the key invalidates all SAS tokens derived from it.
Navigate to Access keys in the storage account settings and regenerate keys.

2. For User Delegation SAS

Adjust the Azure AD policies or revoke the specific role assignments.

Step 6: Monitor SAS Usage

Use Azure Monitor and Storage Analytics Logging to track SAS token usage.
Set up alerts for suspicious or excessive access patterns.

Example Scenarios

1. Provide Temporary Blob Access for Downloads

Generate a Service SAS URL for a specific blob with read-only access.
Set the expiry time for a few hours and share the URL.

2. Secure Data Uploads

Use a Service SAS URL for a blob container with write-only permissions.
Specify allowed IP addresses to restrict access to trusted clients.

Generate an Account SAS with permissions for the file share.
Restrict access to specific IP ranges.

Summary

By carefully defining and securing SAS tokens, you can efficiently control access to Azure Storage resources while maintaining flexibility and security.

Learn how to create File Share Snapshots in Azure

Creating file share snapshots in Azure is straightforwa…

Let’s explore Azure Storage services in A…

Azure Storage is a cloud-based storage service that is …

Explore the different Replication Strategies in…

Azure Storage offers several replication strategies to …

How to strategies Azure Storage security

Reviewing Azure Storage security strategies ensures you…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.