A shared access signature (SAS) grants secure, time-limited access to resources in a storage account without handing out the storage account key. You choose which objects are reachable, which permissions are granted, and how long the token stays valid.
There are three types of SAS:
- User delegation SAS: A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials instead of the storage account key. It can delegate access to Blob storage resources only.
- Service SAS: A service SAS is secured with the storage account key. It delegates access to a resource in one of the following storage services: Blob storage, Queue storage, Table storage, or Azure Files.
- Account SAS: An account SAS is also secured with the storage account key. It delegates access to resources in one or more of the storage services, including service-level operations and the read, write, and delete operations on containers, tables, queues, and file shares that a service SAS cannot grant.
Regarding security, Microsoft recommends using a user delegation SAS whenever possible: it never exposes the storage account key, and it can be revoked by revoking the user delegation keys instead of rotating the account key.
A SAS can take one of two forms:
- Ad hoc SAS: This is the default form, and any type of SAS can be ad hoc. The start time, expiration time, and permissions are all carried in the SAS URI itself, so they cannot be changed once the token has been issued.
- Service SAS with stored access policy: A stored access policy is defined at the resource container level (blob container, table, queue, or file share). The SAS inherits the start time, expiration time, and permissions from the policy, so modifying or deleting the policy changes or revokes every SAS that references it.
More about Azure SAS.
Prerequisites:
- Azure account
- Azure CLI
- Azure Storage account
Create a user delegation SAS for a blob
Step 1. Open a terminal and sign in with the Azure CLI (az login):
A new window opens in your default browser and prompts for your email and password. The account you sign in with needs an Azure RBAC role on the storage account that includes the generateUserDelegationKey action, such as Storage Blob Data Contributor or Storage Blob Delegator.
Step 2. Run the following command:
az storage blob generate-sas --account-name devcoopsstorage1 --container-name myfirstblobcontainer --name index.php --permissions acdrw --expiry 2019-10-02 --auth-mode login --as-user
The --auth-mode login and --as-user flags are what make this a user delegation SAS: the CLI requests a user delegation key with your Azure AD identity and signs the token with it. Without them, az storage blob generate-sas fetches the storage account key and produces a service SAS instead.
--account-name: name of the storage account.
--container-name: name of the blob container.
--name: name of the blob.
--permissions: the permissions granted by the SAS, as a string of letters:
- a = Add
- c = Create
- d = Delete
- r = Read
- w = Write
--expiry: UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid. For a user delegation SAS this can be at most seven days in the future, because the user delegation key that signs it is valid for at most seven days. Grant only the permissions the client actually needs and keep the expiry short.
--auth-mode login: authenticate the CLI call with your Azure AD credentials rather than the account key.
--as-user: sign the SAS with a user delegation key instead of the storage account key.
It returns the SAS token:
Note: A SAS token is a string generated on the client side; the CLI signs it locally with the key it obtained from Azure. You can create an unlimited number of tokens, and Azure Storage does not track or store them. This is also why a single SAS cannot be revoked on its own: revocation works by invalidating the key that signed it, or by changing the stored access policy it references.
Step 3. Run the same command with the --full-uri parameter:
az storage blob generate-sas --account-name devcoopsstorage1 --container-name myfirstblobcontainer --name index.php --permissions acdrw --expiry 2019-10-02 --auth-mode login --as-user --full-uri
--full-uri: return the complete SAS URI (resource URI plus token) instead of the token alone.
URL of the blob in the Azure Storage:
Returned SAS URI:
As you can see, the SAS URI consists of two parts:
- The Storage Resource URI:
- The SAS Token:
Note: When an application sends a SAS URI to Azure Storage as part of a request, the service checks the SAS parameters and the signature to verify that it is valid. For a user delegation SAS it also validates the user delegation key, and the effective permissions are the intersection of what the SAS grants and what the Azure RBAC role of the user who created it allows.
Revoke a user delegation SAS
Step 4. Run the following command:
az storage account revoke-delegation-keys --name devcoopsstorage1 --resource-group storage-rg
This revokes every user delegation key for the storage account, which invalidates all user delegation SAS tokens signed with them, not only the one created above. Tokens signed with the storage account key are unaffected; those can only be revoked by rotating the account key or by editing the stored access policy they reference.
A user delegation SAS can be created for a whole container in the same way with az storage container generate-sas (again with --auth-mode login and --as-user), when a client needs limited access to every blob in a container rather than to a single blob.
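As an added example (not part of the original post or of the Azure CLI), the following bash helpers inspect a SAS token or SAS URI before it is handed to a client: they tell a user delegation SAS apart from an account-key SAS by the signed-key parameters (skoid, sktid, skt, ske, sks, skv) that only a user delegation SAS carries, check which permissions and expiry it grants, and wrap the generate-sas call with the flags needed for a user delegation SAS. The two sample tokens are constructed for illustration, with placeholder GUIDs and a fake signature; the storage account, container and blob names are the ones used in the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: helpers to inspect a SAS token before
# handing it out, plus a wrapper that creates a user delegation SAS with the flags
# the post's command relies on. Sample tokens are CONSTRUCTED (placeholder
# object/tenant ids, fake signature) and are not real credentials.

# Decode %XX escapes (SAS timestamps arrive as 2019-10-02T00%3A00%3A00Z).
urldecode() {
  printf '%b\n' "${1//%/\\x}"
}

# Extract one query parameter (sp, se, sr, skoid, ...) from a SAS token or a full SAS URI.
sas_param() {
  local name="$1" token="${2#*\?}"   # drop the resource URI if a full SAS URI was given
  printf '%s\n' "$token" | tr '&' '\n' | sed -n "s/^${name}=//p" | head -n 1
}

# A user delegation SAS carries the signed-key fields (skoid, sktid, skt, ske, sks, skv);
# a token signed with the storage account key (service or account SAS) does not.
sas_kind() {
  if [ -n "$(sas_param skoid "$1")" ] && [ -n "$(sas_param sks "$1")" ]; then
    echo user-delegation
  else
    echo account-key
  fi
}

# Succeed only if the token's sp grants every permission letter in $2 (e.g. "r", "rw").
sas_grants() {
  local sp rest letter
  sp="$(sas_param sp "$1")"
  rest="$2"
  while [ -n "$rest" ]; do
    letter="${rest%"${rest#?}"}"   # first character of the remaining wanted permissions
    rest="${rest#?}"
    case "$sp" in *"$letter"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Expiry N hours from now in the form --expiry expects (UTC). Needs GNU date.
# A user delegation SAS cannot outlive its user delegation key, which lasts at most 7 days.
sas_expiry_in_hours() {
  date -u -d "+$1 hours" +%Y-%m-%dT%H:%MZ
}

# Create a user delegation SAS URI for one blob. --auth-mode login --as-user make the CLI
# sign with a user delegation key obtained with your Azure AD identity; without them,
# az storage blob generate-sas signs with the storage account key (a service SAS).
# Requires an authenticated az session; not exercised by the self-checks.
blob_user_delegation_sas() {
  local account="$1" container="$2" blob="$3" perms="$4" expiry="$5"
  az storage blob generate-sas --account-name "$account" --container-name "$container" \
    --name "$blob" --permissions "$perms" --expiry "$expiry" \
    --auth-mode login --as-user --full-uri --output tsv
}

# One-line summary of what a token grants; a pre-flight check before sharing a SAS URI.
sas_summary() {
  printf 'kind=%s resource=%s perms=%s expires=%s\n' \
    "$(sas_kind "$1")" "$(sas_param sr "$1")" "$(sas_param sp "$1")" \
    "$(urldecode "$(sas_param se "$1")")"
}

# Constructed sample of a read-only user delegation SAS URI for the blob used in the post.
SAMPLE_UD_URI='https://devcoopsstorage1.blob.core.windows.net/myfirstblobcontainer/index.php?sv=2019-02-02&st=2019-10-01T00%3A00%3A00Z&se=2019-10-02T00%3A00%3A00Z&sr=b&sp=r&skoid=00000000-0000-0000-0000-000000000000&sktid=00000000-0000-0000-0000-000000000000&skt=2019-10-01T00%3A00%3A00Z&ske=2019-10-02T00%3A00%3A00Z&sks=b&skv=2019-02-02&sig=FAKESIGNATURE%3D'
# Constructed sample of a token signed with the account key (what generate-sas yields
# without --auth-mode login --as-user), carrying the post's acdrw permissions.
SAMPLE_KEY_TOKEN='sv=2019-02-02&se=2019-10-02T00%3A00%3A00Z&sr=b&sp=acdrw&sig=FAKESIGNATURE%3D'

sas_summary "$SAMPLE_UD_URI"    # kind=user-delegation resource=b perms=r expires=2019-10-02T00:00:00Z
sas_summary "$SAMPLE_KEY_TOKEN" # kind=account-key resource=b perms=acdrw expires=2019-10-02T00:00:00Z
```

The checks only read the token's query parameters; they do not verify the signature, which only Azure Storage can do. They are useful on the issuing side: if a token you are about to hand out reports kind=account-key, the CLI signed it with the storage account key and revoke-delegation-keys will not revoke it.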
Official documentation: Create a user delegation SAS for a container or blob with the Azure CLI.