Published on June 5, 2022

Providing Limited Access to Azure Storage Accounts with Shared Access Signatures (SAS) and Access Policy

Introduction:

When it comes to providing access to files in an Azure storage account container, there are a few options available. Sharing the account access key is a poor choice: it grants full control over the entire storage account, and the only way to take it back is to regenerate the key. Azure Active Directory authentication is another option, but it is not available to every client. In this article, we will explore the use of shared access signatures (SAS) and a stored Access Policy to provide limited, revocable access to Azure storage account resources.

Shared Access Signature:

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. With SAS, you have fine-grained control over how a client can access your data. By distributing a SAS URI to a client, you grant them access to a resource for a specified period of time only. The SAS specifies the services and resources the client may access, the permissions they have on those resources, and the validity period of the signature.

Let’s assume we want to share a file called “Animal.pdf” from our Azure storage container. To generate a SAS for this file, we can follow these steps:

  1. Right-click on the file and select the “Generate SAS” option.
  2. Provide the details for the SAS: the signing method, the signing key, the permissions, the start and expiry date/time, the allowed IP addresses, and the allowed protocols (choose HTTPS only unless there is a reason not to).
  3. Generate the SAS. The blob SAS token and the blob SAS URL are displayed; copy them now, because the service does not store them and they cannot be retrieved later.

We can now access the file from the browser using the blob SAS URL.

However, it’s important to note that Azure Storage does not record which shared access signatures have been issued for a storage account, or how many: a SAS is computed from the signing key and is never stored by the service. If you need an inventory of the tokens you have handed out, you will need to keep it yourself.

Access Policy:

To keep control over a SAS after it has been issued, we can create a stored Access Policy on the storage account container and tie the SAS to it. This can be done by following these steps:

  1. In the container, go to the settings option and click “Add policy” inside the Stored Access Policy section.
  2. Provide the details for the policy: the identifier (the policy name), the permissions, the start time, and the expiry time.
  3. Save the policy.

Now, when creating the SAS again, we can select the access policy we created earlier. The permissions, start time, and expiry date/time are then inherited from the stored access policy rather than fixed in the token itself.

If we want to revoke access to the shared file, we can simply edit the access policy and set its expiry time to a date in the past (or delete the policy altogether). Every SAS that references that policy becomes invalid immediately and the file is no longer accessible. By contrast, an ad-hoc SAS that is not tied to a policy cannot be revoked before it expires except by regenerating the account key it was signed with, which also invalidates every other SAS signed with that key.
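The settings chosen in the two procedures above end up as query parameters of the SAS URL (sp permissions, st/se start and expiry, sip allowed IPs, spr protocol, and si for the stored policy identifier). The following added example, which is not code from the article, audits a SAS URL before it is handed to a client and flags tokens that cannot be revoked or are broader than needed; the URLs, the one-hour threshold, and the signature values are constructed placeholders.

```python
"""Audit an Azure Blob SAS URL before sharing it (added example, not from the article)."""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

MAX_ADHOC_LIFETIME = timedelta(hours=1)  # assumed local rule, not an Azure limit


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a blob or container SAS URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def _parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC, e.g. 2022-06-05T10:00:00Z or just 2022-06-05."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def audit_sas(url: str, now: Optional[datetime] = None) -> list:
    """Return a list of findings; an empty list means no concerns were raised."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas(url)
    if "sig" not in params:
        return ["not a SAS URL: no sig parameter"]
    findings = []
    # si= carries the stored access policy name; without it the SAS is ad hoc.
    policy_based = bool(params.get("si"))
    if not policy_based:
        findings.append("ad-hoc SAS (no si=): revocable only by regenerating the account key")
    # If spr is omitted, Azure accepts both HTTPS and HTTP.
    if params.get("spr", "https,http") != "https":
        findings.append("spr is not https-only: token may be sent over plain HTTP")
    if "sip" not in params:
        findings.append("no sip= IP restriction: usable from any address")
    if "se" in params:
        remaining = _parse_time(params["se"]) - now
        if remaining <= timedelta(0):
            findings.append("already expired")
        elif not policy_based and remaining > MAX_ADHOC_LIFETIME:
            findings.append(f"ad-hoc SAS still valid for {remaining}, longer than {MAX_ADHOC_LIFETIME}")
    elif not policy_based:
        findings.append("no se= expiry and no stored policy: token never expires")
    # With a stored policy, sp may be absent because permissions come from the policy.
    perms = params.get("sp", "")
    if set(perms) - {"r", "l"}:
        findings.append(f"permissions '{perms}' go beyond read/list")
    return findings
```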

Conclusion:

By utilizing shared access signatures (SAS) and Access Policy, we can provide limited access to Azure storage account resources. SAS allows us to grant restricted access rights to specific resources for a specified period of time, while Access Policy provides an additional layer of control over the shared access signature. With these tools, we can easily manage access to our storage account resources and ensure the security of our data.
