Microsoft Azure Storage and Database Part 8 – Secure Azure Storage Using Stored Access Policy

Hello Everybody,
Hope you all are doing good !!! 🙂 .
In our last article we discussed how to secure our storage account using a Shared Access Signature (SAS). In this article we will discuss another way to secure our storage account. A Stored Access Policy adds one extra layer of support that lets us manage our Shared Access Signatures (SAS) more efficiently.
Get A SAS URI :
When we generate a Shared Access Signature, Azure provides the following two ways to create the signature.
- Ad hoc SAS: In this approach, we define all the attributes at the time of creation, as we did in our previous article.
- SAS with stored access policy: In this approach, we create an access policy that manages the constraints (permissions, start time and end time) for more than one SAS. When we need a SAS URI, we create it and specify only the name of the stored access policy instead of all the parameters required by the ad hoc version. When authorization happens, the required information is retrieved from the stored access policy we configured. This is the approach we discuss today.
If you have missed our previous articles in the Azure Storage and Database series, please check them at the following links.
Part 1 – Overview Of Azure Storage and Database
Part 2 – Azure Storage Account
Part 4 – Work With Azure Blob Storage
Part 5 – Storage Explorer For Azure Storage
Part 6 – Azure Blob Storage – Snapshot Using Storage Explorer
Part 7 – Azure Blob Storage – Shared Access Signature (SAS)
Next Article : Part 9 – Secure Azure Storage Using RBAC
Stored Access Policy :
A Stored Access Policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. Let's go through the following steps to configure our Stored Access Policy.
Note: We can add a Stored Access Policy for a Queue in the same way as we do for a Blob container in this article.
Step 1 – Log in to the Azure portal and navigate to the storage account as shown in the following figure.

Step 2 – Navigate to the container we want to provide access to ('kj-container' in this example). As shown in the following image, this will share all blobs under this container. Click Access Policy in the Settings section of the left menu.

Step 3 – On the Access policy page, click Add policy in the Stored Access Policy section.

Step 4 – The Add policy window will appear. Here we provide all the required information as per our requirements and click the OK button to add the policy.

Step 5 – As shown in the following figure, the policy is added to the list. Now click the Save button to finish the Stored Access Policy configuration.

Generate Shared Access Signature (SAS) Using Microsoft Azure Storage Explorer :
Now that our Stored Access Policy is ready, it is time to get our Shared Access Signature. In our previous article we saw how to get an ad hoc SAS, where we had to provide all the information during configuration. In this approach we only specify the Stored Access Policy name, and the SAS in turn gets all the required information from the Stored Access Policy.
Here we are getting the SAS at container level, so all files under this container can be accessed using the same SAS query string. We will generate the SAS using the Microsoft Azure Storage Explorer tool, which we discussed in one of our previous articles, so the client version of Microsoft Azure Storage Explorer is already configured on our machine. Let's go through the following steps.
Step 1 – Open the Microsoft Azure Storage Explorer tool and, after logging in successfully, navigate to our container as shown in the following figure.

Step 2 – Select the container (kj-container) and click "Get Shared Access Signature…" in the context menu as shown in the following figure.

Step 3 – In the Shared Access Signature pop-up window, select the Stored Access Policy we created in the above section (TwoDaysReadAccess_KJ-Container). This automatically sets the other information as per the access policy configuration. We can configure the key value. Click Create to generate the SAS URI as shown in the following figure.

Step 4 – As shown in the following figure, we now have the query string to copy and append after our blob URI. Click the Copy button to copy the content.

Generate Shared Access Signature (SAS) Using Portal :
In the above section, we saw how to generate a SAS URI using Microsoft Azure Storage Explorer. Here we will discuss how to get the SAS URI using the portal.
Step 1 – Log in to the portal and select the Storage Account (kj-container). Then select Storage Explorer (preview) as shown in the following figure.

Step 2 – Expand BLOB CONTAINERS. Select our Blob container (kj-container), right-click and click Get Shared Access Signature as shown in the following figure.

Step 3 – On the Shared Access Signature page, select our Stored Access Policy as shown in the following figure, and it will automatically map the other necessary attributes as it did in our previous section. Click Create to generate the SAS URI.

Step 4 – As shown in the following figure, we now have the query string to copy and append after our blob URI. Click the Copy button to copy the content.

Let's test how the query string works. As we discussed, we need to append this query string to our blob URL. For example, the path would look like: https://{BlobAccountURL}/{containerName}/{filename.ext}?{Querystring}
Following this rule, our URL would be: “https://kj21storageacount.blob.core.windows.net/kj-container/Annapurna%20Moharana.pdf?si=TwoDaysReadAccess_KJ-Container&sv=2020-02-10&sr=c&sig=05zW478aS2mJJ18fdUYHRDLOVGMUrXs0Y1VyzyxZEFs%3D”
If we try to access our blob directly without the SAS URL, it shows a ResourceNotFound error page as shown in the following figure.

In the following figure we can see that the blob is now accessible using the SAS URL with its query string.

Advantage Of This Approach :
The advantage of using a Stored Access Policy is not only that we avoid the extra effort of adding all the access attributes each time we create a SAS, but also how we revoke the SAS. We can revoke it by changing the expiry time on the policy, or simply by deleting the policy itself. All SAS URIs that inherit from that stored access policy are then immediately affected. This is preferable to changing our storage account keys, which could have a severe impact on our applications.
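The revocation behaviour described above can be shown with a simplified model. This is an added example, not code from the original article or Azure's implementation: it parses a SAS URL, resolves its constraints either from the URL (ad hoc) or from a policy table keyed by the `si` value, and does not verify the signature. The dates, the `r` permission, the ad hoc URL and the `sig=PLACEHOLDER` value are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Query fields that carry the constraints inline on an ad hoc SAS.
INLINE_FIELDS = {"sp": "permissions", "st": "start", "se": "expiry"}

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def describe_sas(url):
    """Split a service SAS URL into its policy reference and inline constraints."""
    query = parse_qs(urlsplit(url).query)
    return {
        "policy": query.get("si", [None])[0],   # stored access policy name, if any
        "inline": {name: query[key][0] for key, name in INLINE_FIELDS.items() if key in query},
        "resource": query.get("sr", [None])[0], # "c" = container
    }

def evaluate(url, stored_policies, now):
    """Simplified model of the constraint lookup; the signature is not verified."""
    info = describe_sas(url)
    if info["policy"] is None:
        rules, origin = info["inline"], "ad hoc SAS"
    else:
        rules, origin = stored_policies.get(info["policy"]), "policy " + info["policy"]
        if rules is None:
            return False, "stored access policy was deleted"
    if "start" in rules and now < parse_ts(rules["start"]):
        return False, origin + ": not yet valid"
    if "expiry" not in rules or now >= parse_ts(rules["expiry"]):
        return False, origin + ": expired"
    return True, origin + ": " + rules.get("permissions", "")

# Constructed samples: the article's URL shape with a placeholder signature,
# an ad hoc equivalent, and a policy table with assumed dates and permission.
BASE = "https://kj21storageacount.blob.core.windows.net/kj-container/Annapurna%20Moharana.pdf"
POLICY_SAS = BASE + "?si=TwoDaysReadAccess_KJ-Container&sv=2020-02-10&sr=c&sig=PLACEHOLDER"
AD_HOC_SAS = BASE + "?sp=r&st=2021-03-01T00:00:00Z&se=2021-03-03T00:00:00Z&sv=2020-02-10&sr=c&sig=PLACEHOLDER"
POLICIES = {
    "TwoDaysReadAccess_KJ-Container": {"permissions": "r", "start": "2021-03-01T00:00:00Z", "expiry": "2021-03-03T00:00:00Z"},
}
NOW = datetime(2021, 3, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(POLICY_SAS, POLICIES, NOW))  # policy in place
    print(evaluate(POLICY_SAS, {}, NOW))        # policy deleted: SAS stops working
    print(evaluate(AD_HOC_SAS, {}, NOW))        # ad hoc SAS is unaffected by policy changes
```

In this model the ad hoc SAS stays valid whatever happens to the policy table, which is why an ad hoc SAS can only be cut off early by changing the storage account key.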
I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .