Learn how to use Shared Access Signatures (SAS) to delegate access to Azure Storage

Shared Access Signatures (SAS) provide a way to delegate access to Azure Storage resources without sharing your storage account keys.

SAS allows you to grant specific permissions (e.g., read, write, delete) on storage resources for a limited time, which makes it ideal for temporary or restricted access scenarios.

Here’s how you can use SAS to delegate access to Azure Storage resources.

Understand SAS Types

Before using SAS to delegate access, it's important to understand the three types of SAS available:

Account SAS

Provides access to multiple services in the storage account (Blob, File, Queue, Table). It allows access to all resources in the storage account.

Service SAS

Provides access to a specific service, such as a single container or file share. It's more restricted than an account SAS.

User Delegation SAS

Allows for Azure AD authentication and works with Azure Blob Storage. It uses Azure AD credentials to authorize access, making it more secure than using account keys.

For most scenarios, Service SAS or Account SAS will be used to delegate access to specific resources.

User Delegation SAS is useful for scenarios where Azure AD-based authentication is preferred.

Generating a SAS Token

You can generate a SAS token in several ways: using the Azure Portal, Azure CLI, PowerShell, or programmatically via SDKs.

Option 1: Generate SAS in Azure Portal

1. Navigate to the Resource

• Open the Azure portal and go to your Storage Account.

• Select the resource you want to delegate access to (e.g., Blob Containers, File Shares, etc.).

2. Create a SAS

• Click on the resource (e.g., Blob Container).

• In the left-hand menu, click on Shared access signature under the Settings section.

• Configure the SAS options:

  • Permissions: Choose which actions are allowed (e.g., Read, Write, Delete, List).

  • Start and Expiry Date/Time: Set the time window during which the SAS will be valid.

  • Allowed IP addresses: Restrict access to specific IP ranges if needed.

  • Allowed Protocols: Choose either HTTP or HTTPS.

• Click Generate SAS and URL.

3. Copy the SAS Token or URL

• The SAS token is generated along with a URL containing the token that can be shared with others.

• Example SAS URL:

xxxxxxxxxx
1
1
https://<account-name>.blob.core.windows.net/<container-name>/<blob-name>?sv=2020-10-02&st=2024-11-30T00%3A00%3A00Z&se=2024-12-01T00%3A00%3A00Z&sr=b&sp=r&sig=<signature>

4. Share the SAS URL

Share this URL with the user or application that needs access to the resource.

They will be able to access the blob or file based on the permissions and time window you've defined.

Option 2: Generate SAS Using Azure CLI

1. Generate SAS for a Blob Container

Open your terminal or command prompt and use the following CLI command to generate a SAS token:

xxxxxxxxxx
8
1
az storage blob generate-sas \
2
--account-name <storage-account-name> \
3
--container-name <container-name> \
4
--name <blob-name> \
5
--permissions r \
6
--expiry <expiry-time> \
7
--https-only \
8
--output tsv

Explanation:

• --permissions: Specifies the permissions (e.g., r for read, w for write).

• --expiry: Specifies when the SAS token will expire.

• --https-only: Restricts the SAS to HTTPS access only.

2. Get the SAS Token

The CLI command will output a SAS token, which you can append to the resource URL.

Example:

xxxxxxxxxx
1
1
https://<account-name>.blob.core.windows.net/<container-name>/<blob-name>?<sas-token>

Option 3: Generate SAS Using PowerShell

Use the Azure PowerShell New-AzStorageBlobSASToken cmdlet to generate a SAS token.

xxxxxxxxxx
6
1
$SasToken = New-AzStorageBlobSASToken `
2
-Container <container-name> `
3
-Blob <blob-name> `
4
-Permissions r `
5
-ExpiryTime (Get-Date).AddHours(1) `
6
-Context $context

This will generate a SAS token with read permissions for 1 hour.

Control Permissions and Scope

When generating a SAS token, you can restrict permissions and define the scope of access.

Some of the options include:

Permissions

• r: Read

• w: Write

• d: Delete

• l: List

• a: Add

• u: Update

• p: Process (for Queue Storage)

Scope

You can specify the container or blob level for the SAS token.

For example, granting access to a specific blob inside a container or to all blobs in a container.

Start and Expiry Time

Start time

The time the SAS token becomes valid.

Expiry time

The time the SAS token expires.

IP Restrictions

Limit access to specific IP addresses or ranges.

Protocols

Limit the SAS token to only HTTPS for secure communication.

Share the SAS Token

Once you’ve generated the SAS token, you can share it in different ways depending on the use case:

For APIs

Embed the SAS URL in your API requests to access the resources.

For Applications

Pass the SAS URL to a client or application for limited, time-bound access to the resource.

For Manual Use

Share the SAS URL via email or messaging platforms.

Revoke or Modify SAS Access

If you need to revoke a SAS token before it expires, you must regenerate your storage account keys.

This invalidates all SAS tokens that were created using those keys.

To Regenerate Keys

1. Go to Storage account in the Azure portal.

2. Under Settings, select Access keys.

3. Click Regenerate for either the primary or secondary key.

Monitor and Audit SAS Usage

To monitor or audit SAS usage, you can use Azure Storage Analytics logging.

This provides details about the requests made with SAS tokens, such as:

• Request origin (IP).

• Requested resource.

• Access permissions.

This helps in identifying unusual access patterns and ensuring that only authorized users are accessing your resources.

Best Practices When Using SAS

Limit permissions

Always assign the least privilege necessary. For example, if the user only needs to read a file, use a SAS token with only read permissions.

Set expiration times

Limit the duration of the SAS token by specifying an appropriate expiry time to minimize the risk of misuse.

Use HTTPS only

Always configure SAS tokens to allow only HTTPS access for secure communication.

Use IP restrictions

Restrict access to specific IP ranges if possible to limit access to trusted sources.

Monitor SAS usage

Use Azure Monitor to track the usage of SAS tokens and detect any unauthorized or unusual access patterns.

Use Cases for SAS

Granting temporary access to a blob

If you need to share a blob for download with someone externally, generate a SAS URL with read permissions and an expiration time.

Uploading files to a container

You can generate a SAS URL with write permissions to allow users to upload files to a blob container without giving full access to the storage account.

Allowing restricted access to a shared file

Share a file with a third party with read access for a specified period.

Example Use Cases for SAS

Scenario You want to delegate read-only access to a specific blob for 24 hours.

• Generate SAS Token with read (r) permission.

• Set an expiry of 24 hours.

• Share the SAS URL with the intended recipient.

The recipient can access the blob, but only with read permissions, and the link will expire after 24 hours.

Example SAS URL:

xxxxxxxxxx
1
1
https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2020-08-04&st=2024-11-30T00%3A00%3A00Z&se=2024-12-01T00%3A00%3A00Z&sr=b&sp=r&sig=<signature>

Summary of Key SAS Use Cases

• External Applications: Share access to a blob or file share for an external app.

• Third-Party Services: Delegate access to services (e.g., for uploading data).

• Temporary Access: Grant temporary access to resources without exposing account keys.

• Data Sharing: Share files or blobs with specific permissions (e.g., read-only).

By using SAS effectively, you can delegate access to Azure Storage resources in a controlled, secure manner without the need to share your account keys.