Please go through the following articles to learn more about Storage Account.
- Azure Storage – Basics
- Azure Resource Manage Template: Create A Storage Account Using Blank Template
- Create a Storage Account and learn how to access It Programmatically
- Azure Storage – Creating Blob Container Using Storage Client Library
- Azure Storage Account Why Two Access Keys
- Azure Storage Account – Create Block Blob Programmatically using C#.Net
- Azure – Storage Account – Create a CDN Profile.
In the above articles, we have learnt about Storage Account and how to access the same using Access keys. Access keys are like master passwords for the complete Storage Account.
Before we discuss about Shared Access Signatures, let’s first see few cons in using Storage Account access keys.
- If you have shared the Access key to a developer and developer has left the company, then you would need to regenerate the Access keys which would impact your application.
- You cannot use Access keys for temporarily providing access for a specific period of time.
- You cannot use Access keys to provide access for few of the Storage Account Services say just for blobs or queues with in that Storage Account.
- You cannot provide few permissions like read, write on the Storage services.
You can achieve all of the above which sound like limitations of the Access Keys using Shared Access Signatures.
In this article, we will learn about Shared Access Signatures.
Navigate to your Azure Management Portal and go to Azure Storage Account and click on Shared Access Signature as shown below.
Clicking on the Shared access Signature link will open the following blade.
Shared Access Signature Features
Granular access by Storage Services: We have already learnt that Access Key provide complete access to the Entire Storage Account. Using Shared Access Signature (SAS), we can restrict access to individual Storage Services. You just need to select the required services that you would like to restrict access using SAS. You can choose multiple services.
Access by Permissions: You can provide permission based on the following operations.
The “Allowed Permissions” section allows us to provide different permissions to different developers. For example: you can have one developer to work on all the items that have Read Operations and the other UPDATE operations.
Control Access based on Date and time: You can also control the access by specifying Start Date/Time and End Date/Time. For example, you might want to provide a temporary access to someone who would like to access your storage services.
Please note that you can configure these Start and End Date/times based on Time zone as well.
Control Access by Protocol: You can control the access by protocol. For example, you might not like to allow non-secured requests. In such case, you would disable basic http requests by checking the HTTPS only radio button as shown below.
Control Access by IPAddress: You can also control access based on the IPAddress. For ex: You can either provide a single IP Address or a Range of IP Address of your vendors or developers.
Once you configure all the required settings, click on Generate SAS button which is available at the bottom of the page as shown below.
Clicking on Generate SAS will generate the SAS token and Blob Service SAS URL shown in the above screen capture. We will use this SAS token in a moment. Please copy it by clicking on the copy icon in the above step.
Now, Let’s see how to access an image in a browser that is created in a Container (whose Access Policy is private) using the SAS. Navigate to the Blob’s properties as shown below.
Copy the URL of the Blob and access in a browser as shown below.
You would get an error saying that the resource doesn’t exists. Let’s append the access token which was generated in our previous step as shown below.
Now, hit enter and the browser downloads the image to your local computer as shown below.
That’s it. It’s how you can secure your Storage Account services using Shared Access Signature.
Summary: We have learnt the following in this article.
- Disadvantages of using Storage Account Access keys
- Features of Shared Access Signatures
- How to use SAS to access the Storage Access Signature
Hope you enjoyed reading the article. Your feedback is appreciated.
Do you like this article? If you want to get more updates about these kind of articles, you can join my Learning Groups
Can you lock down access to individual blobs with a Shared Access Signature? So I have a bunch of blobs in the same container, can I generate SASs for each one, and the SAS will only work on that blob URL?