Stored access policies in Azure Storage let you define a reusable, named policy on a blob container (or on a file share, queue, or table) that a service SAS references by identifier (the si query parameter) instead of carrying its own permissions and lifetime. They apply to service SAS only: an account SAS or a user delegation SAS cannot reference a stored access policy.
Because the service resolves the policy on every request, changing the policy's permissions or expiry, or deleting it, changes what every SAS bound to it can do, without reissuing a single token. That is the difference from an ad hoc SAS, which cannot be revoked short of regenerating the account key it was signed with.
Scenario
You want to share access to a blob container or a specific blob with multiple users, and you want to be able to easily manage and revoke access without having to regenerate SAS tokens manually.
Steps to Use Stored Access Policies to Delegate Access
1. Create a Stored Access Policy
A stored access policy is created on a container, not on an individual blob, and defines the permissions, start time, and expiry that SAS tokens referencing it inherit. A container can hold at most five stored access policies.
Step 1: Navigate to Your Storage Account
Go to the Azure Portal.
Navigate to the Storage Account that contains the blob container or resource you want to delegate access to.
Step 2: Create a Stored Access Policy on a Container
Go to Containers under the Data Storage section.
Select the container for which you want to create the stored access policy.
Click on the Access policies tab on the container settings page.
Click + Add policy to create a new access policy.
Step 3: Configure the Stored Access Policy
In the Add access policy panel, define the following settings:
Identifier (policy name): Give the policy a name (e.g., AccessPolicy1). This is the value SAS tokens carry in their si parameter, so renaming it later breaks the association with every existing SAS.
Permissions: Select the permissions the policy grants (e.g., Read (r), Write (w), Delete (d), List (l)). Grant only what the recipients need; a SAS bound to the policy cannot narrow them further.
Start Time: (Optional) Specify when the policy becomes valid.
Expiry Time: Define when the policy expires. Every SAS bound to the policy stops working at that moment, so always set one.
IP address ranges and the allowed protocol are not part of a stored access policy. They are set on each SAS when you generate it (the sip and spr parameters), so a SAS can be tighter than its policy but never broader; choose HTTPS only there.
Click Save to create the stored access policy.
2. Generate a SAS Token Using the Stored Access Policy
Once the stored access policy is created, you can generate a SAS token that is linked to this policy.
Step 1: Generate SAS Token from Access Policy
In the Azure Portal, go to the Blob Container where the stored access policy is created.
Click Generate SAS.
In the Generate SAS pane, keep Account key as the signing method (a SAS signed with a user delegation key cannot reference a stored access policy) and choose the policy you created (e.g., AccessPolicy1) from the Stored access policy drop-down.
Leave the permissions, start time, and expiry time to the policy. A SAS that references a stored access policy must not also carry them; the service takes them from the policy at request time, which is exactly what makes the token editable later.
Optionally restrict the allowed IP addresses and set the allowed protocol to HTTPS only. These are SAS-level settings that narrow what the policy allows.
Click Generate SAS and connection string.
Copy the SAS token or SAS URL to share with the recipient.
Example of a SAS URL bound to a stored access policy (placeholders in angle brackets):
https://<storage-account>.blob.core.windows.net/<container>?sv=<service-version>&sr=c&spr=https&si=AccessPolicy1&sig=<signature>
Note what is missing: there is no sp, st, or se parameter. The permissions and lifetime come from the policy named in si, so the same URL can be narrowed, extended, or killed later by editing that policy.
3. Use the SAS Token for Access
The recipient can use the SAS URL to access the container or blob, depending on the permissions defined in the stored access policy.
Since the SAS is tied to the stored access policy, any change to the policy (e.g., modifying permissions or expiry) applies to every existing SAS generated against it. Allow up to 30 seconds for a new or changed policy to take effect across the service.
4. Modify or Revoke Access via the Stored Access Policy
One of the key benefits of using stored access policies is that they make it easier to manage access.
If you want to revoke or modify access for multiple users at once, you can simply modify the access policy.
Modify the Access Policy
In the Azure Portal, go to the Blob container where you created the stored access policy.
Click Access policies.
Select the policy you want to modify (e.g., AccessPolicy1).
Click Edit to modify the permissions, start time, or expiry time. Do not change the identifier unless you intend to revoke: renaming it breaks the association with every SAS issued under the old name.
Click Save to apply the changes.
Revoke Access by Deleting the Stored Access Policy
In the Azure Portal, go to the Blob container where you created the stored access policy.
Click Access policies.
Select the policy you want to delete.
Click Delete to remove the policy.
When you delete the stored access policy, every SAS created with it is invalidated and access is revoked; setting the expiry to a time in the past or renaming the identifier has the same effect. Do not later recreate a policy under the same identifier unless you mean to restore access: the signature covers the policy name, not its contents, so a recreated policy with the old name re-validates the old tokens. Regenerating the account key that signed the SAS also revokes everything signed with it, including SAS tokens that reference no policy at all.
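The whole lifecycle walked through above (create a policy, issue a SAS bound to it, evaluate a request, then edit, expire, delete, and recreate the policy) in one runnable model. This is an added example, not code from the original page, the Azure portal, or the Azure SDK: the account name, key, container, and policy name are constructed placeholders, and StorageContainer stands in for the per-request policy lookup that Azure Storage performs server-side. The signature itself is computed with the documented blob service SAS string-to-sign for version 2020-12-06 and later, so the token shape (si present, sp/st/se absent) matches what the portal generates.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SERVICE_VERSION = "2020-12-06"   # string-to-sign layout below is for this version and later
MAX_POLICIES = 5                 # Azure allows at most five stored access policies per container


class StorageContainer:
    """Stand-in for one blob container plus the policy lookup the service does on each request."""

    def __init__(self, account, key_b64, name):
        self.account = account
        self.key = base64.b64decode(key_b64)   # the account key is shown base64-encoded in the portal
        self.name = name
        self.policies = {}                      # identifier -> {"sp", "st", "se"}

    def set_policy(self, identifier, permissions, start, expiry):
        """Create or edit a stored access policy (the portal's Add/Edit policy panel)."""
        if identifier not in self.policies and len(self.policies) >= MAX_POLICIES:
            raise ValueError("a container holds at most five stored access policies")
        self.policies[identifier] = {"sp": permissions, "st": start, "se": expiry}

    def delete_policy(self, identifier):
        self.policies.pop(identifier, None)

    def _signature(self, sp, st, se, si):
        # Documented field order of the blob service SAS string-to-sign (version 2020-12-06+).
        fields = [
            sp, st, se,                               # signedPermissions, signedStart, signedExpiry
            f"/blob/{self.account}/{self.name}",      # canonicalizedResource
            si,                                       # signedIdentifier (the policy name)
            "", "https",                              # signedIP, signedProtocol
            SERVICE_VERSION, "c",                     # signedVersion, signedResource (container)
            "", "",                                   # signedSnapshotTime, signedEncryptionScope
            "", "", "", "", "",                       # rscc, rscd, rsce, rscl, rsct
        ]
        mac = hmac.new(self.key, "\n".join(fields).encode("utf-8"), hashlib.sha256).digest()
        return base64.b64encode(mac).decode("ascii")

    def generate_sas(self, policy_id):
        """Issue a SAS bound to a policy: sp/st/se stay empty because the policy supplies them."""
        if policy_id not in self.policies:
            raise KeyError(f"no stored access policy named {policy_id}")
        sig = self._signature("", "", "", policy_id)
        return urlencode({"sv": SERVICE_VERSION, "sr": "c", "spr": "https",
                          "si": policy_id, "sig": sig})

    def authorize(self, sas_query, wanted, now):
        """What the service does per request: resolve the policy *now*, then verify the MAC."""
        params = {k: v[0] for k, v in parse_qs(sas_query).items()}
        policy = self.policies.get(params.get("si", ""))
        if policy is None:
            return False   # deleted or renamed policy: every SAS bound to it is dead
        expected = self._signature("", "", "", params["si"])
        if not hmac.compare_digest(expected, params.get("sig", "")):
            return False   # forged or re-signed token
        if not (policy["st"] <= now < policy["se"]):
            return False   # outside the policy's window, whatever the token was issued for
        return wanted in policy["sp"]


def demo():
    """Walk the lifecycle from the steps above and return each authorization outcome."""
    key_b64 = base64.b64encode(b"\x2a" * 32).decode("ascii")   # constructed key, not a real one
    c = StorageContainer("contosostore", key_b64, "reports")   # constructed account and container
    t0 = datetime(2024, 11, 30, tzinfo=timezone.utc)
    now = t0 + timedelta(hours=1)

    c.set_policy("AccessPolicy1", "r", t0, t0 + timedelta(days=1))       # 1. create the policy
    sas = c.generate_sas("AccessPolicy1")                                # 2. generate the SAS
    out = {"sas": sas}
    out["read_ok"] = c.authorize(sas, "r", now)                          # 3. use it
    out["write_denied"] = c.authorize(sas, "w", now)

    c.set_policy("AccessPolicy1", "rw", t0, t0 + timedelta(days=1))      # 4a. edit: widen
    out["write_after_edit"] = c.authorize(sas, "w", now)
    c.set_policy("AccessPolicy1", "rw", t0, t0 + timedelta(minutes=30))  # 4b. expire in the past
    out["after_expiry"] = c.authorize(sas, "r", now)
    c.delete_policy("AccessPolicy1")                                     # 4c. delete: revoke
    out["after_delete"] = c.authorize(sas, "r", now)
    c.set_policy("AccessPolicy1", "r", t0, t0 + timedelta(days=1))       # same identifier again
    out["after_recreate"] = c.authorize(sas, "r", now)
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The token string never changes across the run; only the policy does, and that is what flips each outcome. The last case is the one to remember: the signature covers the policy identifier, not the policy contents, so a deleted policy recreated under the same name revives every token issued against the old one. Revoke with a new identifier, or never reuse names.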
Example Use Case
Suppose you want to share a blob container with several users, but you want to manage access centrally.
You can:
Create a stored access policy with the required permissions (e.g., read-only access).
Generate SAS tokens for each user using this policy.
If you need to modify access (e.g., extend the expiration or change permissions), you simply update the stored access policy.
If you need to revoke access, you can delete the policy, and all associated SAS tokens will no longer be valid.
Advantages of Using Stored Access Policies
Centralized management
Easier to manage access because you can modify or revoke access by simply modifying the stored access policy.
Granular control
Fine-grained control over permissions and access duration.
No need to regenerate SAS tokens
You don’t need to regenerate SAS tokens every time you want to change permissions or expiry dates—just modify the stored access policy.
Revocation
Deleting a stored access policy will invalidate all SAS tokens linked to it.
Best Practices
Use stored access policies for complex scenarios
When you need to delegate access to multiple users or services under one centrally controlled set of permissions. Keep the limit of five policies per container in mind, and remember that a policy-bound SAS must be signed with the account key; for one-off, short-lived grants, a user delegation SAS signed with Microsoft Entra credentials avoids handling the account key at all.
Set appropriate expiry times
Always specify an expiry date for your SAS tokens and stored access policies to minimize the risk of overexposure.
Use HTTPS
Always require HTTPS for accessing resources to ensure secure communication.
Limit permissions
Only grant the minimum necessary permissions in the stored access policy (e.g., read-only if the user doesn’t need write access).
Summary
By using stored access policies in conjunction with SAS tokens, you gain much more control over delegated access to your Azure Storage resources, making it easier to manage permissions, modify access, and revoke access when needed.