Microsoft Azure Storage and Database Part 7 – Secure Azure Storage Using Shared Access Signature (SAS)

Hello Everybody,
Hope you all are doing good !!! 🙂 .
In our last article we discussed how to create a snapshot of a blob and promote it if required. Today in this article we will discuss a very important service of Azure, related to the security of our Storage account.
Previous Azure series :
- Learn Basics Of Azure Networking In 60 Hours
- Learn Basic Of Azure Active Directory And Azure Identity And Access Management
- Azure DevOps – Learn at one place
If you have missed our previous articles in the Azure Storage and Database series, please check them at the following links.
Part 1 – Overview Of Azure Storage and Database
Part 2 – Azure Storage Account
Part 4 – Work With Azure Blob Storage
Part 5 – Storage Explorer For Azure Storage
Part 6 – Azure Blob Storage – Snapshot Using Storage Explorer
Next Article : Part 8 – Secure Azure Storage Using Stored Access Policy
Shared Access Signature (SAS) :
I would like to secure my data in my Azure storage and control the accessibility to authorized users for a specific period of time. I would also like to limit the access to the various other services that are available within the Azure storage account. In Azure we can achieve this using Shared Access Signature (SAS). A shared access signature (SAS) enables us to grant limited access to containers and blobs in our storage account. When we configure a SAS, we specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.
We can configure a Shared Access Signature (SAS) at the Storage Account level, at the Container level and also for a particular Blob. The following Azure Storage resources support stored access policies:
- Blob containers
- File shares
- Queues
- Tables
But configuring a SAS requires different information for different resources. Let’s check this.
Get A SAS URI :
When we generate a Shared Access Signature, Azure provides the following two ways to create the signature.
- Ad hoc SAS: In this approach, we define all the attributes at the time of creation. Today we are going to discuss this approach.
- SAS with stored access policy: In this approach, we create an access policy in which we manage the constraints (permissions, start time and end time) for more than one SAS. We will discuss this in our next article.
Shared Access Signature (SAS) For Blob :
Step 1 – Log in to the Azure portal, move to our Storage account and select the Blob for which we want to configure a SAS.

Step 2 – Initially, when we created the blob, the access level was set to Anonymous read so that everyone can access the blob by hitting the blob URL.

Step 3 – Let’s get the blob URL from the Overview tab of the blob, as shown in the following figure, and browse to the blob.


Step 4 – Now let’s modify the access level and set it to Private so that only authorized users can access the blob. Click on the option to “Change access level”. Change the “Public Access Level” to private (no anonymous access) and click on “OK“.


Step 5 – If we hit the same blob URL as we did before changing the access level, we will get an error message because it is now blocked for anonymous users, as shown in the following figure.

Step 6 – Now let’s generate / configure a Shared Access Signature (SAS) for the “Annapurna Moharana.pdf” blob so that authorized users can access the blob. Select the Blob => click on the 3 dots (…) and click Generate SAS from the context menu, as shown in the following figure.

Step 7 – Once we click on the “Generate SAS” option from the context menu, we will see this screen. Here, we can select the various options that are available. Under Permissions, we can choose any of the following: read, create, write or delete. HTTPS is recommended as the allowed protocol for security reasons. We can choose either access key 1 or key 2 as the Signing Key. Specify the start and expiry date and time for the period for which we are granting the permission.

Step 8 – Finally, select the option to “Generate blob SAS token and URL“. Once you click on the option to generate the SAS token, you will be able to view the SAS token details as shown in the following figure.

Step 9 – After we changed the access level to private, when we tested the URL for “Annapurna Moharana.pdf” in the browser, it returned an error. In order to test whether the SAS URL is working, we can copy the Blob SAS URL shown in the above figure and browse to it. As we can see in the following figure, it is working fine.

When we configured the SAS for the Blob, we set the time slot to around 1 hour, as shown in the following figure.

Step 10 – Now the time span has passed, so after the expiry time the SAS should no longer work for the user. As shown in the following figure, it returns “Signature not valid in the specified time frame”.

SAS For Storage Account :
As we discussed earlier, we can also configure a Shared Access Signature (SAS) for a Storage Account. In this case the concept is the same but the scope of the permission is wider. Here the scope is the full Storage Account, which means whatever is stored in the Storage account is accessible through this SAS. One more difference is that configuring a Shared Access Signature (SAS) for a Storage account requires different inputs, as shown in the following figure.
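
Before handing out a SAS URL, it helps to check what it actually grants. The following Python script is an added example, not part of the original article or of any Azure tooling: it parses a SAS URL offline and reports the permissions, protocol, validity window and scope chosen in Step 7, the expiry behaviour seen in Step 10, and the account-level scope described above. The account, container, blob and sig values are constructed placeholders, and audit_sas with its one-hour limit is a hypothetical name and default.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

PERMS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete", "l": "list"}
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_sas_time(value):
    """Parse the UTC timestamps carried in the st (start) and se (expiry) fields."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(url, now, max_lifetime=timedelta(hours=1)):
    """Return (summary, findings) for a SAS URL; nothing is sent to Azure."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not {"sig", "se", "sp"} <= q.keys():
        return None, ["not a SAS URL: sig, se or sp is missing"]
    start = parse_sas_time(q["st"]) if "st" in q else None
    expiry = parse_sas_time(q["se"])
    perms = [PERMS.get(p, p) for p in q["sp"]]   # unknown letters are kept as-is
    account_wide = "ss" in q and "srt" in q      # fields only an account SAS carries
    findings = []
    if account_wide:
        findings.append("account SAS: scope is the whole storage account")
    if q.get("spr", "https,http") != "https":    # omitted spr permits HTTP as well
        findings.append("HTTP is allowed: set the protocol to HTTPS only")
    if {"write", "delete"} & set(perms):
        findings.append("grants write/delete: confirm the client needs more than read")
    if expiry - (start or now) > max_lifetime:
        findings.append("validity window is longer than the allowed maximum")
    if now >= expiry:
        findings.append("expired: requests fail with the time-frame error")
    elif start and now < start:
        findings.append("not yet valid: start time is in the future")
    summary = {"scope": "account" if account_wide else q.get("sr", "?"),
               "permissions": perms,
               "valid_now": (start is None or start <= now) and now < expiry}
    return summary, findings

# Constructed sample URLs: account, container, blob and sig are placeholders.
BASE = "https://examplestore.blob.core.windows.net/"
BLOB_SAS = (BASE + "docs/report.pdf?sp=r&st=2024-05-01T10:00:00Z"
            "&se=2024-05-01T11:00:00Z&spr=https&sv=2022-11-02&sr=b&sig=CONSTRUCTED")
ACCOUNT_SAS = (BASE + "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlac&st=2024-05-01T10:00:00Z"
               "&se=2024-06-01T10:00:00Z&spr=https,http&sig=CONSTRUCTED")
```

Calling audit_sas(BLOB_SAS, now) inside the one-hour window returns no findings, while the account-level URL is flagged for its scope, protocol, permissions and lifetime.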

I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .