Azure Storage Account - Shared Access Signature

In this article, we will learn how to provide granular access to Storage Account Services.

Please go through the following articles to learn more about Storage Account.

  1. Azure Storage – Basics
  2. Azure Resource Manager Template: Create A Storage Account Using Blank Template
  3. Create a Storage Account and learn how to access It Programmatically
  4. Azure Storage – Creating Blob Container Using Storage Client Library
  5. Azure Storage Account Why Two Access Keys
  6. Azure Storage Account – Create Block Blob Programmatically using C#.Net

Introduction

In the above articles, we have learned about Storage Account and how to access it using Access keys. Access keys are like master passwords for the entire Storage Account.

Before we discuss Shared Access Signatures, let’s first look at a few drawbacks of using Storage Account Access Keys.

  1. If you have shared the Access key with a developer and the developer has left the company, then you would need to regenerate the Access keys, which would impact your application.
  2. You cannot use Access keys to provide temporary access for a specific period of time.
  3. You cannot use Access keys to provide access to only some of the Storage Account Services, say just blobs or queues within that Storage Account.
  4. You cannot grant only specific permissions, such as read or write, on the Storage Services.

You can overcome all of the above limitations of the Access Keys, using Shared Access Signatures.

In this article, we will learn about Shared Access Signatures.

Navigate to your Azure Management Portal, go to Azure Storage Account, and click on "Shared Access Signature", as shown below.


Clicking on the "Shared access signature" link will open the following blade.


Shared Access Signature Features

Granular access by Storage Services

We have already learned that Access Keys provide complete access to the entire Storage Account. Using a Shared Access Signature (SAS), we can restrict access to individual Storage Services. You just need to select the services to which the SAS should be limited. You can choose multiple services.


Access by Permissions

You can provide permissions based on the following operations.

The “Allowed Permissions” section allows us to provide different permissions to different developers. For example, you can have one developer work on all the items that have Read operations and the other on UPDATE operations.

Control Access based on Date and Time

You can also control the access by specifying Start Date/Time and End Date/Time. For example, you might want to provide temporary access to someone who would like to access your Storage Services.


Please note that you can configure these Start and End Date/Times based on time zone as well.

Control Access by Protocol

You can control the access by protocol. For example, you might not want to allow non-secured requests. In that case, you would disable plain HTTP requests by selecting the "HTTPS only" radio button, as shown below.


Control Access by IP Address

You can also control the access based on the IP Address. For example, you can either provide a single IP Address or a Range of IP addresses of your vendors or developers.


Once you configure all the required settings, click on the "Generate SAS" button at the bottom of the page, as shown below.


This action will generate the "SAS token" and "Blob service SAS URL" shown in the above screen. We will use this SAS token in a moment. Please copy it by clicking on the copy icon in the above step.

Now, let’s see how to access an image in a browser that is created in a Container (whose Access Policy is private) using the SAS. Navigate to the Blob’s properties, as shown below.


Copy the URL of the Blob and open it in a browser, as shown below.


You would get an error saying that the resource doesn’t exist. Let’s append the access token which was generated in our previous step, as shown below.


Now, hit "Enter". The browser downloads the image to your local computer, as shown below.


That’s it. This is how you can secure your Storage Account Services using "Shared Access Signature".
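The settings chosen in the blade (services, permissions, start and end time, protocol, IP address) travel as query parameters in the SAS token (ss, sp, st, se, spr, sip). The following is an added example, not code from the original article, that parses a SAS URL or bare token and flags settings broader than intended. The account name, blob path, signature placeholder, the 7-day lifetime limit and the read/list-only policy are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}

# Constructed samples: account name, blob path and signature are placeholders.
BASE = "https://examplestorage.blob.core.windows.net/images/logo.png"
BROAD = BASE + ("?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
                "&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z"
                "&spr=https,http&sig=PLACEHOLDER")
TIGHT = BASE + ("?sv=2022-11-02&ss=b&srt=o&sp=r"
                "&st=2024-01-01T00:00:00Z&se=2024-01-01T08:00:00Z"
                "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")

def _utc(value):
    # SAS times are ISO 8601 in UTC, e.g. 2024-01-01T00:00:00Z
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas(url_or_token, max_lifetime=timedelta(days=7)):
    """Return (summary, findings) for an account SAS URL or bare token."""
    query = urlsplit(url_or_token).query or url_or_token.lstrip("?")
    p = {k: v[0] for k, v in parse_qs(query).items()}
    summary = {
        "services": [SERVICES.get(c, c) for c in p.get("ss", "")],
        "permissions": p.get("sp", ""),
        "start": p.get("st"), "expiry": p.get("se"),
        "protocol": p.get("spr", "https,http"),  # Azure default when spr is absent
        "ip": p.get("sip"),
    }
    findings = []
    if "http" in summary["protocol"].split(","):
        findings.append("plain HTTP allowed")
    if not summary["ip"]:
        findings.append("no IP restriction")
    if len(summary["services"]) > 1:
        findings.append("more than one service")
    if set(summary["permissions"]) - set("rl"):
        findings.append("grants more than read/list")
    if not summary["expiry"]:
        findings.append("no expiry")
    else:
        start = _utc(summary["start"]) if summary["start"] else datetime.now(timezone.utc)
        if _utc(summary["expiry"]) - start > max_lifetime:
            findings.append("lifetime exceeds limit")
    return summary, findings

if __name__ == "__main__":
    print(audit_sas(BROAD)[1], audit_sas(TIGHT)[1])
```

Running such a check before a token is handed to a vendor or developer catches a SAS that was generated with the blade's defaults left untouched.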

Summary

We have learned the following in this article.

  • Disadvantages of using Storage Account Access keys
  • Features of Shared Access Signatures
  • How to use SAS to access the Storage Account Services

I hope you enjoyed reading the article. Your feedback is appreciated.