Stored access policies in Azure Storage offer a flexible way to manage and share your service resources. They provide a set of permissions that you can grant to clients when generating a Shared Access Signature (SAS).
Setting up Stored Access Policies
To configure stored access policies, start by identifying the Azure Storage service—Blob, Queue, File, or Table—to which you want to apply the policies. Then create the stored access policy on that service’s resource—container, queue, share, or table—so that it governs the SAS tokens issued for that resource.
Steps to Configure Stored Access Policies
Here are general steps on configuring stored access policies in Azure Storage:
- Go to the Azure portal.
- Choose your Storage account and then select the resource type for your service of choice.
- Move to the Settings section and select Shared access policy.
- To add a new policy, click on the ‘Add policy’ option.
- Enter a name for the policy under ‘Policy name’.
- Define the ‘Start time’, ‘End time’, and ‘Permissions’.
For instance, the policy might have the ‘Read’ and ‘Write’ permissions, be effective immediately (Start time left blank), and have an expiry time set for the End time.
- Click Add to create the policy.
You can have more than one stored access policy per resource (that is, per container, queue, share, or table), up to a limit of five. The permissions available to a stored access policy can be a combination of ‘Read’, ‘Add’, ‘Update’, ‘Process’, and ‘Delete’, depending on the service and resource type.
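The portal steps above have a programmatic equivalent, and it carries a caveat worth showing in code: the Blob SDK’s `SetAccessPolicy` call replaces the container’s entire policy list, so a call that passes only the new policy silently deletes the existing ones and breaks every SAS that references them. The following added example (not code from the original page) reads the current policies first, enforces the five-policy limit, merges in the new policy, and writes the whole list back. It uses the `Azure.Storage.Blobs` client library; the container name, policy name, and `connectionString` are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

static class StoredPolicyAdmin
{
    // Service limit: at most five stored access policies per container (stated above).
    const int MaxPoliciesPerContainer = 5;

    // Adds a stored access policy (or replaces one with the same name) while preserving
    // the container's other policies and its public-access setting.
    public static void UpsertStoredPolicy(BlobContainerClient container, string policyName,
                                          string permissions, TimeSpan lifetime)
    {
        // Read the policies currently attached to the container
        BlobContainerAccessPolicy current = container.GetAccessPolicy().Value;
        List<BlobSignedIdentifier> policies = current.SignedIdentifiers.ToList();

        // Replace an existing policy of the same name instead of creating a duplicate
        policies.RemoveAll(p => p.Id == policyName);
        if (policies.Count >= MaxPoliciesPerContainer)
        {
            throw new InvalidOperationException(
                $"Container already has {MaxPoliciesPerContainer} stored access policies; remove one first.");
        }

        policies.Add(new BlobSignedIdentifier
        {
            Id = policyName,
            AccessPolicy = new BlobAccessPolicy
            {
                // Start a few minutes in the past to tolerate clock skew between the
                // issuer and the storage service
                PolicyStartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),
                PolicyExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),
                Permissions = permissions   // e.g. "r", "rw", "rl"
            }
        });

        // Write the merged list back; SetAccessPolicy overwrites the whole list,
        // so the existing policies are included deliberately
        container.SetAccessPolicy(accessType: current.BlobPublicAccess, permissions: policies);
    }

    // Usage with placeholder names (connectionString must contain the account key):
    // var container = new BlobServiceClient(connectionString).GetBlobContainerClient("reports");
    // UpsertStoredPolicy(container, "partner-readonly", "r", TimeSpan.FromDays(7));
}
```

Keeping policy lifetimes short and the permission string minimal ("r" rather than "rw") limits what a leaked SAS can do; the five-policy cap is a good reason to give each policy a clear purpose rather than one per client.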
Using Stored Access Policies with Shared Access Signatures
Shared Access Signatures (SAS) provide a secure way to share your data with clients without giving them access to your Azure storage account. Stored access policies enhance the control over service resources that you share through SAS.
Here is an example of how to associate a stored access policy with a SAS:
```csharp
using System;
using System.Collections.Generic;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Instantiate a new BlobServiceClient (the connection string must include the
// account key, because generating a SAS requires the shared key credential)
BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
// Get a reference to a container
BlobContainerClient container = blobServiceClient.GetBlobContainerClient(containerName);
// Define the stored access policy
BlobSignedIdentifier identifier = new BlobSignedIdentifier
{
    Id = storedPolicyName,
    AccessPolicy = new BlobAccessPolicy
    {
        PolicyStartsOn = DateTimeOffset.UtcNow.AddHours(-1),
        PolicyExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
        Permissions = "rw"
    }
};
// Set the stored access policy on the container
// (SetAccessPolicy replaces the container's whole policy list, so include any
// existing policies you want to keep in this list)
container.SetAccessPolicy(permissions: new List<BlobSignedIdentifier> { identifier });
// Generate a SAS by using the stored access policy; permissions, start and expiry
// come from the policy, so only the identifier is set on the builder
BlobSasBuilder sasBuilder = new BlobSasBuilder
{
    BlobContainerName = containerName,
    Identifier = storedPolicyName
};
Uri sasUri = container.GenerateSasUri(sasBuilder);
```
In this example, the stored access policy named `storedPolicyName` is created with ‘Read’ and ‘Write’ permissions and then used to generate a SAS that inherits those same permissions and expiry time. The SAS can then be distributed to clients.
Stored access policies provide several benefits in terms of control over your resources. You can have multiple policies for a single resource, each with different permissions, start times, and end times, providing flexibility for managing access to your data.
Practice Test
True or False: A stored access policy provides a range of functionality over individual ad-hoc signatures.
- True
- False
Answer: True
Explanation: A stored access policy offers additional features such as revoking signatures, modifying permissions, and changing expiry times after the SAS has been issued.
What does the Configure Stored Access Policies allow you to do?
- a) Set permissions and a date range for the Shared Access Signature
- b) Remove unwanted permissions on the go
- c) Monitor real-time traffic
- d) Manage stored disk space
Answer: a) Set permissions and a date range for the Shared Access Signature
Explanation: Stored Access Policies in Azure allow you to set permissions and a date range for a Shared Access Signature.
Until when are the permissions valid for a given stored access policy on Azure?
- a) Until the expiry time if defined
- b) Until the lease is broken
- c) Until the account’s subscription is active
- d) Until the blob data is modified
Answer: a) Until the expiry time if defined
Explanation: Permissions for a stored access policy are valid until the defined expiry time.
True or False: In Azure, you cannot edit a stored access policy after it’s been created.
- True
- False
Answer: False
Explanation: It’s possible to modify the attributes of a stored access policy such as the expiry time or permissions, even after it’s been created.
Multiple Select: Which of the following can be configured in a stored access policy in Azure?
- a) Start time
- b) End time
- c) Access permissions
- d) Disk space
Answer: a) Start time, b) End time, c) Access permissions
Explanation: You can specify the start time, end time and the access permissions in a stored access policy.
True or False: A stored access policy can have multiple shared access signatures associated with it.
- True
- False
Answer: True
Explanation: A stored access policy can indeed have multiple shared access signatures associated with it, all sharing the same policy constraints.
Which Azure service uses the stored access policies?
- a) Azure Active Directory
- b) Azure Blob storage
- c) Azure Traffic Manager
- d) Azure Web Apps
Answer: b) Azure Blob storage
Explanation: Azure Blob Storage uses stored access policies to provide additional control over service-level shared access signatures.
True or False: If you delete a stored access policy, any associated shared access signatures become invalid.
- True
- False
Answer: True
Explanation: Deleting a stored access policy invalidates any shared access signatures associated with it and they will no longer work.
Multiple Select: What type of access permissions can be set in stored access policies?
- a) Read
- b) Write
- c) Delete
- d) Update
Answer: a) Read, b) Write, c) Delete
Explanation: Stored access policies can be configured to permit read, write, or delete access to resources.
True or False: When you modify a stored access policy, the modifications take effect immediately on any associated shared access signatures.
- True
- False
Answer: True
Explanation: Any changes made to the stored access policy are immediately reflected on all the shared access signatures associated with it.
Interview Questions
What are Stored Access Policies in Microsoft Azure?
Stored Access Policies in Azure are global parameters that can be used by any number of shared access signatures. They allow you to manage constraints such as start time, expiry time, and permissions for service-level shared access signatures.
In which services of Azure can Stored Access Policies be configured?
Stored Access Policies can be configured in Blob service, Queue service, and Table service in Azure Storage.
What types of permissions can be provided with Stored Access Policies?
The permissions provided by Stored Access Policies include: read, write, delete, list, add, create, update and process messages.
Can Stored Access Policies be modified after configuration?
Yes, Stored Access Policies can be modified after they are configured. Changes in the policy become effective for all associated shared access signatures immediately.
Can a Stored Access Policy extend the expiration time of a Shared Access Signature?
Yes, a Stored Access Policy allows you to extend the expiration time of a Shared Access Signature by increasing the expiry time of the policy.
How many Stored Access Policies can be associated with a container or a queue?
You can associate up to 5 Stored Access Policies with a container or a queue.
How do you revoke a Shared Access Signature in Azure?
Revoking a Shared Access Signature in Azure can be done by either deleting the corresponding Stored Access Policy or by modifying it to an earlier expiry time.
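Both revocation routes described above, as an added example in C# that is not part of the original page. It uses the `Azure.Storage.Blobs` client library; the container and policy names in the usage comments are placeholders. Either method takes effect on the next request a client makes with a SAS that references the policy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

static class SasRevocation
{
    // Route 1: delete the policy. Every SAS carrying this policy's identifier is rejected
    // from then on. The other policies on the container are preserved because
    // SetAccessPolicy overwrites the complete list.
    public static void RevokeByDeletingPolicy(BlobContainerClient container, string policyName)
    {
        BlobContainerAccessPolicy current = container.GetAccessPolicy().Value;
        List<BlobSignedIdentifier> remaining = current.SignedIdentifiers
            .Where(p => p.Id != policyName)
            .ToList();
        container.SetAccessPolicy(accessType: current.BlobPublicAccess, permissions: remaining);
    }

    // Route 2: keep the policy but move its expiry into the past. The identifier stays
    // reserved, so a later policy cannot accidentally reuse the name and revive old tokens.
    public static void RevokeByExpiringPolicy(BlobContainerClient container, string policyName)
    {
        BlobContainerAccessPolicy current = container.GetAccessPolicy().Value;
        List<BlobSignedIdentifier> policies = current.SignedIdentifiers.ToList();
        BlobSignedIdentifier target = policies.FirstOrDefault(p => p.Id == policyName)
            ?? throw new InvalidOperationException($"No stored access policy named '{policyName}'.");
        target.AccessPolicy.PolicyExpiresOn = DateTimeOffset.UtcNow.AddMinutes(-1);
        container.SetAccessPolicy(accessType: current.BlobPublicAccess, permissions: policies);
    }

    // Usage with placeholder names:
    // SasRevocation.RevokeByDeletingPolicy(container, "partner-readonly");
    // SasRevocation.RevokeByExpiringPolicy(container, "partner-readonly");
}
```

The expiry route is the safer default when several people administer the container: the policy remains visible in the list as an obviously expired entry, which is easier to audit than a silent deletion. Note that neither route touches ad hoc SAS tokens, whose expiry is embedded in the token itself.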
How do you configure a Stored Access Policy in Azure Storage?
Stored Access Policies are configured in Azure Storage via the Azure portal, Azure PowerShell, Azure CLI, or the Storage Client Libraries.
Can you restrict IP addresses using Stored Access Policies?
No, you cannot restrict IP addresses using Stored Access Policies in Azure. This is a constraint that must be specified on each Shared Access Signature.
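An added example (not from the original page) of the split described above: the stored access policy supplies permissions, start, and expiry, while the IP range and HTTPS-only requirement are set on the SAS itself. It uses `BlobSasBuilder` and `SasIPRange` from `Azure.Storage.Sas`; the container, policy name, and IP addresses in the usage comment are placeholders.

```csharp
using System;
using System.Net;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

static class PolicyBoundSas
{
    // Builds a container SAS bound to a stored access policy and additionally pinned
    // to a caller IP range and to HTTPS. Permissions and expiry are deliberately left
    // unset on the builder because the policy provides them.
    public static Uri Create(BlobContainerClient container, string policyName,
                             IPAddress rangeStart, IPAddress rangeEnd)
    {
        var builder = new BlobSasBuilder
        {
            BlobContainerName = container.Name,
            Identifier = policyName,                       // permissions/start/expiry from the policy
            IPRange = new SasIPRange(rangeStart, rangeEnd), // SAS-level constraint, not in the policy
            Protocol = SasProtocol.Https                   // reject plain-HTTP use of the token
        };
        // Requires the container client to have been created with the account key
        return container.GenerateSasUri(builder);
    }

    // Usage with placeholder values (documentation range 203.0.113.0/24):
    // Uri sas = PolicyBoundSas.Create(container, "partner-readonly",
    //     IPAddress.Parse("203.0.113.10"), IPAddress.Parse("203.0.113.20"));
}
```

Because the IP range and protocol live in the signed token rather than in the policy, changing them means issuing a new SAS; changing permissions or expiry, by contrast, is done once on the policy and applies to every token that references it.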
Can you grant a user permissions to both read and write, but not delete, using Stored Access Policies?
Yes, in Stored Access Policies you can specify read, write, and delete permissions independently. For example, you can grant only read and write permissions and leave delete permission out.
Can I modify Stored Access Policies if I have generated any SAS linked with it?
Yes, you can modify Stored Access Policies even if you have a Shared Access Signature (SAS) linked to it. The modifications will immediately affect the SAS.
Is it necessary to associate a SAS token with a Stored Access Policy?
No, you can create an ad hoc SAS without a Stored Access Policy. However, it gives you better control and flexibility to manage the SAS if it’s associated with one.
What happens when we delete a Stored Access Policy associated with a SAS?
When a Stored Access Policy that’s associated with a Shared Access Signature (SAS) is deleted, the SAS becomes immediately invalid.
Can Stored Access Policies be used in combination with Azure AD based authorization?
No, Stored Access Policies cannot be used to further restrict Azure AD based authorization.
Can Azure File Share services use Stored Access Policies?
No, Azure File Share services do not support Stored Access Policies.