Storage Account’s SAS token management

An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. – docs

Leaving Azure AD (role-based) authorization aside, there are two key-based ways to access anything stored in an Azure Storage account:
1. Storage account key (shared key).
2. SAS token (shared access signature).

The drawback of the storage account key is that it grants full access to every service and object in the account: anyone who holds it can read, create, update or delete anything in the storage account, and since there are only two keys per account, one key is typically shared by every user and application that needs it.

To limit permissions we have the SAS token. A SAS is a query string, signed with one of the account keys, that grants a defined subset of permissions, and that is what we hand to a user or application. When creating a SAS token we are offered the options below.

SAS for Storage Account

From the above we can restrict the SAS to particular services (Blob, File, Queue, Table), to specific resource types (service, container, object), to a set of permissions, and to the time window (start and expiry) for which the SAS is valid. We can also choose the allowed protocols (HTTPS only, or HTTPS and HTTP; HTTPS only is the safer choice, since a SAS in a URL sent over plain HTTP can be captured on the wire). Every SAS is signed with one of the two storage account keys: the token carries its parameters plus an HMAC signature over them, and the service recomputes the signature with the key on each request.

So far everything is good, but the problem comes when we need to revoke a permission granted via a SAS. Azure does not store SAS tokens. Once a SAS is created and shown, the service keeps no record of it, so you cannot list, delete or modify it to change its permissions.

The only option left is to regenerate the storage account key that signed it. And since nobody knows how many SAS tokens exist (created by you or by someone else with the key), regenerating it invalidates every SAS signed with that key at once, so we may be breaking access in many places.

This was the challenge we had with one client, where SAS tokens with different permissions had to be issued to different users for a container holding multiple reports.

To overcome this and make our life easier we used a stored access policy on the container holding the reports. A stored access policy lives on the container itself (up to five per container), and a SAS created against it takes its permissions and validity period from the policy rather than carrying them in the token, so they can be changed, or the whole grant revoked, after the SAS has been issued.

To configure an access policy, go to your storage account -> Containers -> select the container -> click the three dots -> Access policy.

Access Policy

Create a new access policy with the required permissions. Say you need to give Sam Read permission for a week (add List as well if Sam needs to enumerate the blobs in the container); the permissions will look like this.

Providing permission to Access Policy

Click OK, then Save the access policy. The policy must be saved on the container before a SAS that references it will be accepted.

To generate a SAS token based on this access policy we have to use PowerShell, the Azure CLI or Storage Explorer. I'll be using Storage Explorer.

Go to your storage account -> container -> right-click and select Get Shared Access Signature.

Creating SAS 1

In the "Shared Access Signature" dialog, select the access policy created in the portal and click Create. A SAS that references a policy must not set its own permissions or expiry time; those values come from the policy, and the service rejects a SAS that specifies a field the policy already specifies.

Creating SAS 2

You will get the SAS, which can be shared with Sam. This SAS is not saved either, but to revoke it, grant more permissions or extend the access we only need to edit the access policy: change its permissions or expiry, or delete the policy outright, and every SAS that references it is affected, without regenerating the storage keys. Microsoft documents that a change to a stored access policy can take up to 30 seconds to take effect, so allow for that when revoking.

Editing Policy.

In this way, using SAS tokens bound to an access policy saved us a lot of manual effort in managing and recreating SAS tokens.
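The mechanics behind both halves of this post (why an ad hoc SAS cannot be revoked, and why a SAS bound to a stored access policy can) can be seen in a small local model. The code below is an added example written for this page; it is not the Azure SDK, not Storage Explorer's output, and does not talk to Azure. It models the service side with two account keys and a table of stored access policies, and signs container SAS tokens with the documented service SAS scheme (Base64 of an HMAC-SHA256 over the string-to-sign, keyed with the decoded account key). The string-to-sign field order follows the layout documented for service SAS versions 2018-11-09 to 2020-10-02 and is an assumption to check against the current docs if you reuse it; the account name "reportsacct", container "reports" and policy "sam-read" are constructed.

```python
"""Toy model of Azure service SAS issuance and checking (constructed example, not the Azure SDK)."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-10-02"  # string-to-sign layout of service SAS versions 2018-11-09 to 2020-10-02
TS = "%Y-%m-%dT%H:%M:%SZ"

def string_to_sign(account, container, perms, expiry, policy_id, protocol):
    # Container service SAS: canonicalized resource /blob/{account}/{container}, sr=c. Field order:
    # sp, st, se, resource, si, sip, spr, sv, sr, snapshot time, rscc, rscd, rsce, rscl, rsct.
    se = expiry.strftime(TS) if expiry else ""
    return "\n".join([perms, "", se, f"/blob/{account}/{container}",
                      policy_id, "", protocol, SAS_VERSION, "c"] + [""] * 6)

def hmac_sig(key_b64, data):
    # sig = Base64(HMAC-SHA256(UTF8(string_to_sign), Base64-decoded account key))
    mac = hmac.new(base64.b64decode(key_b64), data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_container_sas(account, container, key_b64, *, perms="", expiry=None, policy_id="", protocol="https"):
    """Ad hoc SAS: sp/se travel in the token. Policy SAS: only si travels; sp/se stay empty,
    because the service rejects a token that sets a field its stored access policy also sets."""
    if policy_id and (perms or expiry):
        raise ValueError("permissions and expiry belong in the stored access policy, not the token")
    query = {"sv": SAS_VERSION, "sr": "c", "spr": protocol}
    if policy_id:
        query["si"] = policy_id
    else:
        query["sp"], query["se"] = perms, (expiry.strftime(TS) if expiry else "")
    query["sig"] = hmac_sig(key_b64, string_to_sign(account, container, perms, expiry, policy_id, protocol))
    return urlencode(query)

def new_key():
    return base64.b64encode(os.urandom(64)).decode()

class StorageService:
    """Service side: two account keys and up to five stored access policies per container.
    There is deliberately no list of issued tokens, because the real service keeps none."""
    def __init__(self, account):
        self.account, self.keys = account, {"key1": new_key(), "key2": new_key()}
        self.policies = {}  # (container, policy id) -> {"perms": str, "expiry": datetime}

    def set_policy(self, container, policy_id, perms, expiry):
        existing = [c for c, _ in self.policies if c == container]
        if len(existing) >= 5 and (container, policy_id) not in self.policies:
            raise ValueError("at most five stored access policies per container")
        self.policies[(container, policy_id)] = {"perms": perms, "expiry": expiry}

    def remove_policy(self, container, policy_id):
        self.policies.pop((container, policy_id), None)

    def regenerate_key(self, name):
        self.keys[name] = new_key()  # invalidates every SAS signed with the old key, known or not

    def authorize(self, container, sas, wanted, now):
        """Return (granted, reason) for one request carrying the SAS query string."""
        q = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
        perms, se, si = q.get("sp", ""), q.get("se", ""), q.get("si", "")
        expiry = datetime.strptime(se, TS).replace(tzinfo=timezone.utc) if se else None
        data = string_to_sign(self.account, container, perms, expiry, si, q.get("spr", ""))
        if not any(hmac.compare_digest(hmac_sig(k, data), q.get("sig", "")) for k in self.keys.values()):
            return False, "bad signature"
        if si:  # the mutable parts come from the policy, looked up at request time
            policy = self.policies.get((container, si))
            if policy is None:
                return False, "policy not found"
            perms, expiry = policy["perms"], policy["expiry"]
        if expiry is None or now > expiry:
            return False, "expired"
        return (wanted in perms), ("ok" if wanted in perms else "permission not granted")

def demo():
    """Sam's one-week read access done both ways; returns (granted, reason) per step."""
    svc = StorageService("reportsacct")  # constructed account and container names
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    week = now + timedelta(days=7)
    out = {}
    # Ad hoc SAS: everything is inside the token and nothing is recorded on the service.
    adhoc = make_container_sas("reportsacct", "reports", svc.keys["key1"], perms="r", expiry=week)
    out["adhoc_read"] = svc.authorize("reports", adhoc, "r", now)
    out["adhoc_write"] = svc.authorize("reports", adhoc, "w", now)
    # The only lever is regenerating the key it was signed with, which also kills every other
    # token signed with key1; tokens signed with key2 keep working.
    other = make_container_sas("reportsacct", "reports", svc.keys["key2"], perms="r", expiry=week)
    svc.regenerate_key("key1")
    out["adhoc_after_rotation"] = svc.authorize("reports", adhoc, "r", now)
    out["key2_after_rotation"] = svc.authorize("reports", other, "r", now)
    # Policy SAS: the token names the policy; permissions and expiry live in the policy.
    svc.set_policy("reports", "sam-read", "r", week)
    bound = make_container_sas("reportsacct", "reports", svc.keys["key1"], policy_id="sam-read")
    out["token_has_only_si"] = "si=sam-read" in bound and "sp=" not in bound and "se=" not in bound
    out["policy_read"] = svc.authorize("reports", bound, "r", now)
    svc.set_policy("reports", "sam-read", "rw", week)  # grant more without reissuing the token
    out["policy_write_after_edit"] = svc.authorize("reports", bound, "w", now)
    svc.set_policy("reports", "sam-read", "rw", now - timedelta(seconds=1))  # expire it now
    out["policy_after_expiry_edit"] = svc.authorize("reports", bound, "r", now)
    svc.remove_policy("reports", "sam-read")  # or delete the policy outright
    out["policy_after_removal"] = svc.authorize("reports", bound, "r", now)
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:26} {result}")
```

Two things the model makes visible that the screenshots do not: the ad hoc token remains valid after any amount of "revoking" on the portal, because there is nothing on the service side to revoke, and rotating key1 also breaks every other token signed with key1 while leaving key2 tokens untouched; the policy-bound token, on the other hand, carries only si=sam-read, so every decision about permissions and expiry is taken from the policy at request time and follows each edit or deletion of the policy.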
