How to Protect an Azure Storage Account using Shared Access Signatures

How to protect an Azure storage account using a Shared Access Signature.

Introduction

 
The Shared Access Signature (SAS) is the mechanism that restricts access to Azure Storage. It is one of the more secure ways to provide access to our storage account. It eliminates the need for Access Keys to gain access to your Azure storage account. To learn more about SAS, click here.
 

The two types of SAS

  • Service Level – Gives access to a resource in just one of the storage services: Blob, Queue, Table and File
  • Account Level – Gives access to resources in one or more of the storage services. All of the operations available via a Service Level SAS are also available via an Account Level SAS.
Step 1: For this example, we have the Storage Account Name, “articledata”, under the Article Resource Group, click “articledata”.
 
article-data-image
 
Step 2: In the “articledata” Storage Account, Click Containers. 
 
article-data-storage-account-image
 
Step 3: Under the “Container”, we have already uploaded one text file named TextFile.
 
mydata-container-image
 
Step 4: Now step back to our Storage Account Name “article data”, and then click “Shared Access Signature” under the settings. 
  • Allowed Service – We can select what are the services that we can allow to the user.
  • Allowed Permission – We can select what kind of permission to allow to the user.
  • Start and End – We can set the availability time period.
  • Allowed IP Address – We can whitelist the IP access to our storage account.
shared-access-signature-image
 
Step 5: Now we are going to grant permission so users can “Read and List” the Documents under the Storage account, but they can’t “Delete, Write, Add or Create” any documents in the Storage Account. Click “Generate SAS and Connection String”.
 
shared-access-signature-image2
 
Step 6: After Generating the SAS and Connection String, copy the “Blob Service SAS URL”.
 
connection-string-image
 
Step 7: Open the Microsoft Azure Storage Explorer, and then click “Add an Account”.
 
add-account-azure-storage
 
Step 8: In the Connect to Azure Storage select “Use a shared access signature (SAS) URI”, and then click Next.
 
connect-to-azure-storage-image
 
Step 9: Paste the URL that we copied in step 6. When we paste the URL, it automatically updates other text boxes, then click Next.
 
connect-with-SAS-URI-azure 
 
Step 10: In our Storage Account we can find the “mydata” folder. Under the folder we have two files, we can read these because we have selected the “Read” permission. Now we try to remove the “Screenshot_5.png” file, select the file and click Delete.
 
azure-storage-image 
 
Step 11: When we click Delete, we can check the “Activities” it’s saying that we can’t perform this operation because we don’t have the permission to delete.
 
azure-storage-image2
 
Step 12: We can try to upload the file to our storage account, so click “Upload” and then select the files and click the “Upload” button. Also, you get the same error.
 
upload-files-azure-storage 
 

Summary

 
In this demo, we have learned how to protect our Storage account using Shared Access Signature (SAS) if you have any questions, feel free to comment below the article.