Shared Access Signature (SAS) is a powerful Microsoft Azure feature for granting limited access to resources within your Azure Storage Account without divulging your account key. This can be useful in many scenarios.

For instance, if you are working with a partner company and need to give them access to a blob in your blob storage, a SAS lets you grant that access without handing over your account key. SAS tokens can also be tailored to specific needs, since they are highly configurable: you can specify which resources may be accessed, for how long, and which operations (such as read, write and delete) may be performed.

Generating a Shared Access Signature (SAS) Token

Here’s how to create a SAS for an Azure Storage Account:

  1. Navigate to your Azure Storage Account.
  2. Scroll down to the Settings section and select Shared access signature.
  3. Configure parameters such as Allowed services, Allowed resource types, Start and expiry time, etc.
  4. Click on Generate SAS and connection string. Your SAS token will be created.

Understanding SAS Parameters

When generating a SAS, several parameters can be configured:

  • Allowed services: The services that can be accessed using this SAS.
  • Allowed resource types: The types of resources that can be accessed.
  • Starting and Expiry time: The time range within which the SAS is valid.
  • Allowed IP addresses: The IP addresses that can use this SAS.
  • Allowed protocols: The protocols that can use this SAS (HTTPS only, or HTTPS and HTTP).

For instance, if you are creating a SAS for a partner company to access a specific container within your blob storage account, you can specify the Allowed services as Blob, time limit according to your preference, and the IP address of your partner company as allowed IP addresses.
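As an added example (not code from the original article), the following Python inspects the query parameters of an account SAS token as the portal emits them (sv, ss, srt, sp, st, se, spr, sip, sig) and flags the settings discussed above that a reviewer would question before handing a token to a partner. The two tokens are constructed samples and their signatures are placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample tokens; the 'sig' values are placeholders, not real signatures.
BROAD_SAS = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupiytfx&st=2024-01-01T00:00:00Z"
             "&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER_SIGNATURE")
TIGHT_SAS = ("sv=2022-11-02&ss=b&srt=o&sp=r&se=2025-01-02T00:00:00Z&spr=https"
             "&sip=203.0.113.10-203.0.113.20&sig=PLACEHOLDER_SIGNATURE")

def parse_sas(token: str) -> dict:
    """Split a SAS query string into a flat dict of its parameters."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}

def parse_time(value: str) -> datetime:
    """Accept the UTC timestamp forms the portal and SDKs emit for st/se."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS timestamp: " + value)

def audit_sas(token: str, now_utc: str, max_lifetime_days: int = 7) -> list:
    """Return findings a reviewer should question before handing the token out."""
    p = parse_sas(token)
    now = parse_time(now_utc)
    findings = []
    if set(p.get("sp", "")) & set("wdc"):                # write, delete, create
        findings.append("grants write/delete/create permissions (sp=%s)" % p["sp"])
    if p.get("srt") == "sco":                             # service, container and object
        findings.append("covers every resource type (srt=sco)")
    if "http" in p.get("spr", "https,http").split(","):  # an absent spr does not force HTTPS
        findings.append("plain HTTP not excluded (spr=%s)" % p.get("spr", "unset"))
    if "sip" not in p:
        findings.append("no allowed IP range (sip) restriction")
    expiry = parse_time(p["se"])
    if expiry <= now:
        findings.append("already expired at " + p["se"])
    elif (expiry - now).days > max_lifetime_days:
        findings.append("expiry more than %d days away (se=%s)" % (max_lifetime_days, p["se"]))
    return findings
```

Running `audit_sas(BROAD_SAS, "2025-01-01T00:00:00Z")` produces five findings, while the tightly scoped read-only token with an IP range and a one-day expiry produces none.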

Benefits of Using SAS Tokens

  1. Control over how your storage account keys are distributed: Instead of sharing your access keys, which would give full access to your storage account, you can create a SAS, so the account keys themselves stay private.
  2. Control over time frame: SAS tokens are only valid for a specific period. When it expires, access is automatically revoked.
  3. Access to specific resources: You define the scope of the SAS, ensuring the client has access only to the data they need.
  4. Flexibility and control over permissions: You can specify which permissions (read, write, delete, etc.) the client has for the given resource.
  5. Revoking a SAS: If a SAS is no longer necessary, or if it has been leaked, it can be easily revoked to prevent unauthorized access.

Drawbacks of Using SAS Tokens

  1. Complexity: SAS tokens can be complex to manage and are easily misused.
  2. Vulnerability to leakage: Since a SAS provides access to resources based on the permissions you set, a leaked SAS could give an unauthorized user that same level of access.

Wrap-up

Shared Access Signature (SAS) tokens play a crucial role for Azure Administrators in providing access to specific resources in Azure without compromising security. They enable more secure and controlled access, but they also require careful operation. Proper management and implementation of SAS can greatly enhance your effectiveness and efficiency as an Azure Administrator.

Practice Test

True or False: A shared access signature (SAS) token is a string which denotes a specific service that is valid for a specific time.

  • True
  • False

Answer: True.

Explanation: A SAS token is indeed a specific string of characters granted by Azure to provide specific access to a service for a specified amount of time.

True or False: With a SAS, you have granular control over what the client can do with your Azure resource.

  • True
  • False

Answer: True.

Explanation: SAS does provide you with granular control. It gives you the opportunity to control what kind of permissions a client has to your resources.

Which of the following can a SAS token provide access to? (Select All That Apply)

  • a. Storage accounts.
  • b. Virtual networks.
  • c. Subscription certificates.
  • d. Virtual machines.

Answer: a, d.

Explanation: SAS tokens can give access to many types of Azure resources, but for the AZ-104 exam, storage accounts and virtual machines are a focus.

What does a Stored Access Policy provide control over?

  • a. Object-level permissions.
  • b. Service-level permissions.
  • c. Account-level permissions.
  • d. User-level permissions.

Answer: b. Service-level permissions.

Explanation: Stored Access Policies control service-level permissions. They are associated with the container in the storage account’s settings.

Which protocol is used with SAS tokens for secure data transfer?

  • a. SFTP.
  • b. FTPS.
  • c. SCP.
  • d. HTTPS.

Answer: d. HTTPS.

Explanation: HTTPS protocol is used in Azure for secure data transfer using SAS tokens.

True or False: A SAS token gives a user account-level access to services.

  • True
  • False

Answer: False.

Explanation: A SAS token provides limited and temporary access to objects in the storage account, not account-level access.

In a SAS token, what does the signature contain?

  • a. The IP address of the requester.
  • b. An encrypted hash.
  • c. The expiration date of the token.
  • d. The permissions granted to the holder.

Answer: b. An encrypted hash.

Explanation: The signature of a SAS token contains a string-to-sign, which is an encrypted hash.

True or False: We can delegate access to Azure resources by using Shared Access Signature.

  • True
  • False

Answer: True.

Explanation: A Shared Access Signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a client with a SAS that allows the client to access resources in a storage account for a specified period of time and with a specified set of permissions.

What is required for the regeneration of a SAS token?

  • a. Active Directory credentials.
  • b. An Encryption Certificate.
  • c. A stored access policy.
  • d. Azure portal access.

Answer: c. A stored access policy.

Explanation: A Stored Access Policy is required for the regeneration of a SAS token. It gives you the flexibility to manage the SAS keys without sharing your account key.

True or False: SAS can be utilized to provide permission to clients to access just one or more specific blobs.

  • True
  • False

Answer: True.

Explanation: SAS can certainly be used to provide granular access control to clients, whether at the level of a single blob or an entire storage account. This includes read, write, delete and list permissions.

Interview Questions

What is Azure Shared Access Signature (SAS)?

A Shared Access Signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a client with a SAS that allows the client to access a resource in Azure Storage without sharing your account key.

What are the two types of Shared Access Signatures in Azure?

The two types of Shared Access Signatures in Azure are Service-level SAS and Account-level SAS.

What does Service-level Shared Access Signature provide?

A service-level Shared Access Signature provides access to specific resources in a storage account, with specified permissions and for a set time period.

Can the start and expiry time of a SAS token be modified after it is created?

No, once a SAS token is created, the start and expiry time cannot be changed.

Is the Azure Storage account key required for creating a Shared Access Signature?

Yes, the Azure Storage account key is required for creating a Shared Access Signature.

Can I use Shared Access Signature to delegate access to resources in my storage account to someone who does not have an Azure account?

Yes, a Shared Access Signature can be used to provide someone limited access to your Azure Storage account without providing them with your account keys.

What is the major difference between an Account-level SAS and a Service-level SAS?

The Account-level SAS provides access to all the resources in the storage account, unlike the Service-level SAS which only provides access to specific resources.

Can we use both IP and protocol restrictions while generating Shared Access Signature tokens in Azure?

Yes, when creating a Shared Access Signature token, you can specify IP restrictions and protocol restrictions such as allowing only HTTPS traffic.

Why should I regenerate my storage account keys if I believe a Shared Access Signature was leaked?

Regenerating your storage account keys invalidates any Shared Access Signature tokens that were previously associated with it, thereby preventing unauthorized access.
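To show why regenerating a key revokes the tokens signed with it (and why the signature parameter protects the token's own claims, as asked in the practice test above), here is an added illustration in Python, not code from the article or from Azure's SDK. It models the signature the way Azure documents it, Base64(HMAC-SHA256(account key, string-to-sign)), but the string-to-sign layout, the account names and the keys are simplified, constructed assumptions rather than Azure's exact format.

```python
import base64
import hashlib
import hmac

# Constructed account keys (64 bytes, base64-encoded like the portal shows them).
KEY1 = base64.b64encode(bytes(range(64))).decode()
KEY2 = base64.b64encode(bytes(range(64, 128))).decode()
KEY1_REGENERATED = base64.b64encode(bytes(range(128, 192))).decode()

def string_to_sign(permissions: str, expiry: str, resource: str, protocol: str, version: str) -> str:
    """Simplified newline-joined string-to-sign (assumed layout, not Azure's exact field order)."""
    return "\n".join([permissions, "", expiry, resource, "", "", protocol, version])

def sign(account_key_b64: str, sts: str) -> str:
    """Base64(HMAC-SHA256(decoded account key, UTF-8 string-to-sign)), as Azure documents it."""
    key = base64.b64decode(account_key_b64)
    return base64.b64encode(hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()).decode()

def service_accepts(current_keys: list, sts: str, sig: str) -> bool:
    """The service recomputes the signature with each of its current keys and compares."""
    return any(hmac.compare_digest(sign(k, sts), sig) for k in current_keys)

def demo() -> dict:
    resource = "/blob/constructedacct/partner-data/report.csv"   # constructed account and path
    sts = string_to_sign("r", "2030-01-01T00:00:00Z", resource, "https", "2022-11-02")
    sig = sign(KEY1, sts)                                         # what the partner receives
    # A holder who edits sp=r into sp=rwd changes the string-to-sign, so the old sig no longer matches.
    escalated = string_to_sign("rwd", "2030-01-01T00:00:00Z", resource, "https", "2022-11-02")
    return {
        "valid_with_issuing_key": service_accepts([KEY1, KEY2], sts, sig),
        "holder_edits_permissions": service_accepts([KEY1, KEY2], escalated, sig),
        # Regenerating key1 replaces it; key2 is untouched, so only key1-signed tokens die.
        "after_key1_regenerated": service_accepts([KEY1_REGENERATED, KEY2], sts, sig),
    }
```

The demo also makes a point the answer above glosses over: a storage account has two keys, and regenerating one only invalidates the tokens that were signed with that key.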

What purpose does the “Allowed services” option serve when creating a SAS token in Azure Portal?

The “Allowed services” option in the creation of a SAS token specifies which services may be accessed with this Shared Access Signature. These services could be Blob, File, Queue, and Table services.

Should a SAS token be included with every request that’s made to Azure Storage?

Yes, a SAS token must be included with every request that is made to Azure Storage.

Can you specify an IP range when creating a SAS?

Yes, it is possible to specify an IP range when creating a Shared Access Signature (SAS). It restricts the IP addresses that can use the SAS.

Can you control the allowed HTTP methods (GET, PUT, POST, DELETE, MERGE) with a SAS token?

Yes, a SAS token allows control over the allowed HTTP methods.

Is it recommended to include a start time while creating a SAS token?

It is generally recommended to avoid including a start time in a SAS token, unless specifically required, because slight clock differences between machines can lead to failures.

What happens when a SAS token is issued with delete permissions on a blob?

If a SAS token is issued with delete permissions on a blob, the client can perform a delete operation on the blob.
