How to Protect an Azure Storage Account using Shared Access Signatures


The Shared Access Signature (SAS) is the mechanism that restricts access to Azure Storage. It is one of the more secure ways to provide access to our storage account. It eliminates the need for Access Keys to gain access to your Azure storage account. To learn more about SAS, click here.

The two types of SAS

  • Service Level – Gives access to a resource in just one of the storage services: Blob, Queue, Table and File
  • Account Level – Gives access to resources in one or more of the storage services. All of the operations available via a Service Level SAS are also available via an Account Level SAS.
Step 1: For this example, we have the Storage Account Name, “articledata”, under the Article Resource Group, click “articledata”.
Step 2: In the “articledata” Storage Account, Click Containers. 
Step 3: Under the “Container”, we have already uploaded one text file named TextFile.
Step 4: Now step back to our Storage Account Name “article data”, and then click “Shared Access Signature” under the settings. 
  • Allowed Service – We can select what are the services that we can allow to the user.
  • Allowed Permission – We can select what kind of permission to allow to the user.
  • Start and End – We can set the availability time period.
  • Allowed IP Address – We can whitelist the IP access to our storage account.
Step 5: Now we are going to grant permission so users can “Read and List” the Documents under the Storage account, but they can’t “Delete, Write, Add or Create” any documents in the Storage Account. Click “Generate SAS and Connection String”.
Step 6: After Generating the SAS and Connection String, copy the “Blob Service SAS URL”.
Step 7: Open the Microsoft Azure Storage Explorer, and then click “Add an Account”.
Step 8: In the Connect to Azure Storage select “Use a shared access signature (SAS) URI”, and then click Next.
Step 9: Paste the URL that we copied in step 6. When we paste the URL, it automatically updates other text boxes, then click Next.
Step 10: In our Storage Account we can find the “mydata” folder. Under the folder we have two files, we can read these because we have selected the “Read” permission. Now we try to remove the “Screenshot_5.png” file, select the file and click Delete.
Step 11: When we click Delete, we can check the “Activities” it’s saying that we can’t perform this operation because we don’t have the permission to delete.
Step 12: We can try to upload the file to our storage account, so click “Upload” and then select the files and click the “Upload” button. Also, you get the same error.


In this demo, we have learned how to protect our Storage account using Shared Access Signature (SAS) if you have any questions, feel free to comment below the article.

IFS R&D International (Private) Limited
IFS is a global enterprise software vendor providing solutions that help companies get better return