Shared Access Signature (SAS)
A Shared Access Signature (SAS) is a Uniform Resource Identifier (URI) that grants controlled access rights and secure delegated access to resources in a storage account. It is a secure way to share your storage resources without compromising your account keys.
With a SAS, you have granular control over how a client can access your data, for example:
● What resources the client may access
● What permissions they have to those resources
● How long the SAS is valid
Azure Storage supports three types of shared access signatures:
◆ User delegation SAS is secured with Microsoft Entra ID credentials and by the permissions specified for the SAS. A user delegation SAS applies only to Blob storage.
For more information, please refer to: Create a user delegation SAS (REST API).
◆ Service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services.
For more information, please refer to: Create a service SAS (REST API).
◆ Account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services.
For more information, please refer to: Create an account SAS (REST API).
URI and SAS parameters:
When you create a Shared Access Signature (SAS), a Uniform Resource Identifier (URI) is created from parameters and tokens. The URI contains your Azure Storage resource URI and the SAS token.
Example: Configure a shared access signature (Source: Microsoft Documentation)
In the Azure portal, you configure several settings to create a SAS. As you review these details, consider how you can implement shared access signatures in your storage security solution.
(Source: Shared access signatures to delegate access)
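The SAS token is carried as query parameters on the resource URI, so reviewing a SAS that has been shared is mostly a matter of reading those parameters. The script below is an added example for these notes, not code from the Microsoft documentation. It parses a SAS URI with the Python standard library and flags settings a reviewer would question: a long lifetime, write-capable permissions, HTTP allowed, no IP restriction, and an ad hoc token that no stored access policy can revoke. The two sample URIs, the storage account name, the policy identifier and the placeholder signature values are all constructed; the parameter names (sv, st, se, sr, sp, spr, sip, si, ss, sig) are the standard SAS query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a service SAS URI for a single blob. The sig value is a
# placeholder, not a real HMAC; checking it would need the account key.
SAMPLE_SAS_URI = (
    "https://examplestorage.blob.core.windows.net/logs/app.log"
    "?sv=2022-11-02&st=2024-01-01T00:00:00Z&se=2034-01-01T00:00:00Z"
    "&sr=b&sp=rwd&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)

# Constructed sample of a tighter token: read-only by policy, IP-restricted,
# HTTPS-only, bound to a stored access policy (si) that supplies expiry/permissions.
SAMPLE_POLICY_SAS_URI = (
    "https://examplestorage.blob.core.windows.net/logs"
    "?sv=2022-11-02&sr=c&si=readers-2025&sip=203.0.113.10"
    "&spr=https&sig=PLACEHOLDER_SIGNATURE"
)

# Fixed clock so the demo and its findings are reproducible.
DEMO_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Permission letters that allow modification (a=add, c=create, d=delete, w=write);
# r=read and l=list are read-only.
WRITE_PERMS = set("acdw")


def parse_sas(uri):
    """Split a SAS URI into the resource URI and the token's query parameters."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    resource = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return resource, params


def parse_sas_time(value):
    """SAS times are UTC ISO 8601, either a full date-time ending in Z or a date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(params, now, max_lifetime=timedelta(hours=24)):
    """Return finding codes for token settings a reviewer would question."""
    findings = []
    if "sig" not in params or "sv" not in params:
        return ["MALFORMED"]

    policy_bound = "si" in params      # service SAS bound to a stored access policy
    account_scope = "ss" in params     # account SAS (ss/srt instead of sr)

    if "se" in params:
        expiry = parse_sas_time(params["se"])
        if expiry <= now:
            findings.append("EXPIRED")
        elif expiry - now > max_lifetime:
            findings.append("LONG_LIFETIME")
    elif not policy_bound:
        findings.append("NO_EXPIRY")   # only a stored policy may supply the expiry

    if WRITE_PERMS & set(params.get("sp", "")):
        findings.append("WRITE_CAPABLE")

    # An omitted spr means both protocols are accepted, so treat it as https,http.
    if "http" in params.get("spr", "https,http").split(","):
        findings.append("HTTP_ALLOWED")

    if "sip" not in params:
        findings.append("NO_IP_RESTRICTION")

    if account_scope:
        findings.append("ACCOUNT_SCOPE")          # spans services; no stored policy applies
    elif not policy_bound:
        findings.append("AD_HOC_NOT_REVOCABLE")   # only key rotation invalidates it

    return findings


def audit_uri(uri, now):
    resource, params = parse_sas(uri)
    return resource, audit_sas(params, now)


if __name__ == "__main__":
    for uri in (SAMPLE_SAS_URI, SAMPLE_POLICY_SAS_URI):
        resource, findings = audit_uri(uri, DEMO_NOW)
        print(resource, findings or ["OK"])
```

Run against the first sample it reports LONG_LIFETIME, WRITE_CAPABLE, HTTP_ALLOWED, NO_IP_RESTRICTION and AD_HOC_NOT_REVOCABLE; the policy-bound sample produces no findings, because its expiry and permissions live in the stored access policy on the server rather than in the token.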
Stored Access Policies
A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side. Setting up a stored access policy lets you group shared access signatures and apply additional restrictions to the signatures bound to the policy.
You can use a stored access policy to change the start time, expiry time, or permissions of a signature. You can also use a stored access policy to revoke a signature after issuing it.
Stored access policies support → Blob containers, File shares, Queues, and Tables.
Example: The stored access policy you create for a blob container can be used for all the blobs in the container and for the container itself. A stored access policy is created with the following properties:
● Identifier: The name you use to reference the stored access policy.
● Start time: A DateTimeOffset value for the date and time when the policy may start to be used. This value can be null.
● Expiry time: A DateTimeOffset value for the date and time when the policy expires. After this time, requests to the storage service fail with a 403 (Forbidden) error.
● Permissions: The list of permissions as a string, which can be one or all of acdlrw.
You can create a stored access policy with C# code, in the Azure portal, or with Azure CLI commands.
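Why a stored access policy can revoke a signature while an ad hoc SAS cannot comes down to what the server checks at request time. The model below is an added example written for these notes; it is not Azure's service code or SDK, and the string-to-sign it signs is a deliberately simplified stand-in for the real, version-specific layout. It keeps the mechanics that matter: a service SAS is an HMAC-SHA256 over the token fields using the base64-decoded account key; a policy-bound token carries only the identifier (si), so its start, expiry and permissions are looked up on the server and can be changed or deleted at any time; an ad hoc token carries its own fields and stays valid until its expiry or a key rotation. The container name, policy identifier and account key are constructed values.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed demo key (base64 of fixed bytes). Not a real storage account key.
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-key").decode()
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class StoredAccessPolicy:
    """The properties listed above; the identifier is the key in Container.policies."""
    start: datetime          # None means no start restriction
    expiry: datetime
    permissions: str         # subset of "acdlrw"


@dataclass
class Container:
    name: str
    key: str = ACCOUNT_KEY
    policies: dict = field(default_factory=dict)   # identifier -> StoredAccessPolicy


def parse_time(value):
    if not value:
        return None
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def string_to_sign(container, token):
    # Simplified stand-in for Azure's string-to-sign: newline-joined SAS fields plus
    # the canonical resource. The real layout has more fields and is version-specific.
    return "\n".join([token.get("sp", ""), token.get("st", ""), token.get("se", ""),
                      f"/blob/{container.name}", token.get("si", "")])


def sign(key, message):
    """HMAC-SHA256 keyed with the base64-decoded account key, base64 output."""
    mac = hmac.new(base64.b64decode(key), message.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def issue_sas(container, **fields):
    """Issue a service SAS: ad hoc (sp/se in the token) or policy-bound (si only)."""
    token = dict(fields)
    token["sig"] = sign(container.key, string_to_sign(container, token))
    return token


def authorize(container, token, permission, now):
    """Server-side decision for one request; returns 200 or 403 (simplified model)."""
    expected = sign(container.key, string_to_sign(container, token))
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return 403                           # tampered, or signed with a different key
    if "si" in token:
        policy = container.policies.get(token["si"])
        if policy is None:
            return 403                       # policy deleted: every bound token is revoked
        start, expiry, perms = policy.start, policy.expiry, policy.permissions
    else:
        start, expiry = parse_time(token.get("st")), parse_time(token.get("se"))
        perms = token.get("sp", "")
    if start is not None and now < start:
        return 403
    if expiry is None or now >= expiry:
        return 403
    return 200 if permission in perms else 403


def demo(now=DEMO_NOW):
    """Walk through the lifecycle; returns the status code of each step."""
    c = Container("auditlogs")
    c.policies["readers-2025"] = StoredAccessPolicy(None, now + timedelta(days=30), "rl")
    bound = issue_sas(c, si="readers-2025")
    adhoc = issue_sas(c, sp="rl", se=(now + timedelta(days=30)).strftime(TIME_FMT))
    results = {"bound_read": authorize(c, bound, "r", now),
               "bound_write": authorize(c, bound, "w", now)}
    # Tightening the policy's expiry applies to every outstanding bound token at once.
    c.policies["readers-2025"].expiry = now - timedelta(minutes=1)
    results["bound_after_expiry_change"] = authorize(c, bound, "r", now)
    # Deleting the policy revokes those tokens outright.
    del c.policies["readers-2025"]
    results["bound_after_revoke"] = authorize(c, bound, "r", now)
    # The ad hoc token has no server-side record to revoke and keeps working.
    results["adhoc_read"] = authorize(c, adhoc, "r", now)
    # Raising the permissions inside the token without the key breaks the signature.
    results["forged_delete"] = authorize(c, dict(adhoc, sp="rwd"), "d", now)
    # Rotating the account key invalidates the ad hoc token (and all else signed with it).
    c.key = base64.b64encode(b"rotated-demo-key").decode()
    results["adhoc_after_key_rotation"] = authorize(c, adhoc, "r", now)
    return results


if __name__ == "__main__":
    for step, status in demo().items():
        print(f"{step:28} {status}")
```

The contrast in the output is the point of the notes above: the policy-bound token goes from 200 to 403 as soon as the policy is tightened or deleted, while the ad hoc token is untouched by either change and only dies when the signing key is rotated, which also invalidates every other signature made with that key.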