Shared Access Signatures (SAS) are the Azure Storage mechanism for delegating limited, time-bounded access to storage resources without handing out the account access keys. A client holding a SAS can perform only the operations the SAS grants (for example read, write, or delete), only on the resources it names, and only until it expires.
Creating Shared Access Signatures
A shared access signature grants a client permission to perform a defined set of Storage Service REST operations on a resource; which operations are available depends on the SAS type (user delegation, service, or account) and on the permissions encoded in the token. A service SAS or account SAS is signed with one of the storage account keys; a user delegation SAS is signed with a user delegation key obtained through Microsoft Entra ID (formerly Azure AD) credentials. In every case the signing key stays with the issuer and only the signed token is handed to the client.
Here is an example of how to create a shared access signature using C#:
using System;
using Microsoft.WindowsAzure.Storage.Blob; // legacy WindowsAzure.Storage SDK, which this sample targets

public string GetBlobSasUri(CloudBlobContainer container, string blobName, SharedAccessBlobPolicy sasConstraints)
{
    // Get a reference to a blob within the container.
    CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

    // Sign the constraints (permissions, start, expiry) for this blob. The result is the
    // "?sv=...&sig=..." query string; the account key itself never appears in it.
    string sasBlobToken = blob.GetSharedAccessSignature(sasConstraints);

    // Return the full SAS URI: resource URI plus SAS query string.
    return blob.Uri + sasBlobToken;
}
Implementing Shared Access Signatures
Once you have created a SAS, the client uses it by appending the SAS query string to the URI of the resource it wants to access; the service validates the signature and the encoded constraints on every request. The same SDK can build a client object directly from that SAS URI, as in this C# fragment:
// `container` is a CloudBlobContainer from the legacy Microsoft.WindowsAzure.Storage SDK,
// as in the method above; the blob name is a placeholder.
CloudBlockBlob blob = container.GetBlockBlobReference("report.csv");

string sasToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
{
    Permissions = SharedAccessBlobPermissions.Write,
    SharedAccessExpiryTime = DateTime.UtcNow.AddHours(2),
});

// A client built from the SAS URI: it authorizes with the token, not the account key.
CloudBlockBlob blobWithSas = new CloudBlockBlob(new Uri(blob.Uri + sasToken));
In the example above the SAS is valid for two hours and grants only Write permission. The `CloudBlockBlob` constructed from the SAS URI can upload data to the blob but cannot read or delete it. A client that edits the `sp` parameter in the URI to add permissions does not gain them: the permissions are part of what was signed, so the signature no longer validates.
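The SDK call above hides what a SAS actually is. As an added example (not code from this page or from the Azure SDK, and written in Python rather than C# so it runs without an Azure account), the following reproduces the service SAS signing scheme: a string-to-sign is built from the query parameters and the canonicalized resource, signed with HMAC-SHA256 using the base64-decoded account key, and the Base64 digest becomes the `sig` parameter. The account name, the two keys, and the blob path are constructed placeholders, and the field layout follows the 2020-12-06 service SAS version; the storage service itself remains the authority on what it accepts. The example also shows why a client holding the URL cannot upgrade `sp=w` to `sp=rwd` or push `se` further out, and why regenerating the key kills the token.

```python
"""Service SAS for a blob, built the way Azure Storage computes it: HMAC-SHA256 over a
newline-joined string-to-sign, keyed with the base64-decoded account key.
Added example; ACCOUNT_NAME, ACCOUNT_KEY, ROTATED_KEY and the blob path are constructed
sample values, not real credentials."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNED_VERSION = "2020-12-06"
ACCOUNT_NAME = "examplestorage"
# Constructed keys shaped like real account keys (64 bytes, base64). Never embed a real one.
ACCOUNT_KEY = base64.b64encode(b"\x00" * 64).decode()
ROTATED_KEY = base64.b64encode(b"\x01" * 64).decode()  # stands in for a regenerated key


def _string_to_sign(params, canonical_resource):
    # Field order is fixed by the service; absent fields still contribute a newline.
    return "\n".join([
        params.get("sp", ""),      # signedPermissions
        params.get("st", ""),      # signedStart
        params.get("se", ""),      # signedExpiry
        canonical_resource,        # /blob/<account>/<container>/<blob>
        params.get("si", ""),      # signedIdentifier (stored access policy name)
        params.get("sip", ""),     # signedIP
        params.get("spr", ""),     # signedProtocol
        params.get("sv", ""),      # signedVersion
        params.get("sr", ""),      # signedResource
        "",                        # signedSnapshotTime
        params.get("ses", ""),     # signedEncryptionScope
        params.get("rscc", ""), params.get("rscd", ""), params.get("rsce", ""),
        params.get("rscl", ""), params.get("rsct", ""),  # response header overrides
    ])


def _signature(string_to_sign, account_key):
    mac = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _query(url):
    parts = urlsplit(url)
    return parts, {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def make_blob_sas(account, key, container, blob, permissions, expiry,
                  start=None, protocol="https", ip_range=None):
    """Issuer side: build the SAS URI. The account key never leaves this function."""
    params = {"sv": SIGNED_VERSION, "sr": "b", "sp": permissions, "se": expiry, "spr": protocol}
    if start:
        params["st"] = start
    if ip_range:
        params["sip"] = ip_range
    resource = f"/blob/{account}/{container}/{blob}"
    params["sig"] = _signature(_string_to_sign(params, resource), key)
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def verify_blob_sas(url, key):
    """Service side: recompute the signature from the query parameters and compare."""
    parts, params = _query(url)
    resource = "/blob/" + parts.hostname.split(".")[0] + parts.path
    expected = _signature(_string_to_sign(params, resource), key)
    return hmac.compare_digest(expected, params.get("sig", ""))


def tamper(url, **changes):
    """What a client holding the URL can do: edit query parameters, but not re-sign them."""
    parts, params = _query(url)
    params.update(changes)
    return parts._replace(query=urlencode(params)).geturl()


if __name__ == "__main__":
    url = make_blob_sas(ACCOUNT_NAME, ACCOUNT_KEY, "reports", "q1.csv", "w", "2030-01-01T00:00:00Z")
    print(url)
    print("original verifies:       ", verify_blob_sas(url, ACCOUNT_KEY))
    print("sp=w edited to sp=rwd:   ", verify_blob_sas(tamper(url, sp="rwd"), ACCOUNT_KEY))
    print("se pushed to 2040:       ", verify_blob_sas(tamper(url, se="2040-01-01T00:00:00Z"), ACCOUNT_KEY))
    print("after key regeneration:  ", verify_blob_sas(url, ROTATED_KEY))
```

`verify_blob_sas` is the check the service performs before it even looks at expiry or permissions: if the recomputed HMAC does not match `sig`, the request is rejected, which is why every parameter that matters for authorization is inside the string-to-sign. Key rotation works as a revocation mechanism for exactly the same reason.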
Securing Shared Access Signatures
While SAS provides flexibility and granular control over access to your storage, a poorly scoped or leaked SAS is as dangerous as the access it grants. Important considerations when securing a SAS:
- Require HTTPS in the token itself (signedProtocol, `spr=https`) and distribute SAS URIs only over HTTPS, so the token cannot be captured in transit.
- Grant the minimum permissions the client needs; a client that only uploads gets Write, not Read, Delete, or List.
- Omit the start time or set it slightly in the past. Clock skew between the issuer and the service can make a SAS that starts "now" fail for its first few minutes, and a far-future start time usually means tokens are being pre-issued.
- Keep the SAS lifetime as short as the task allows, and prefer a stored access policy or a user delegation SAS where you may need to revoke access before expiry without regenerating the account keys.
- Restrict the token to the client's address range (signedIP, `sip`) when that range is known.
- Treat the SAS URI as a credential: do not log it, embed it in client-side code, or commit it to source control.
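As an added example (Python, not code from this page or the Azure SDK), the following linter checks an issued SAS URI against the rules above before it is handed to a partner or accepted from one: HTTPS enforced through `spr`, no permissions beyond what the client needs, no far-future start time, a bounded lifetime, and an IP range. `MAX_LIFETIME`, `CLOCK_SKEW`, and the sample URIs (which carry a placeholder `sig`) are assumptions constructed for the example; the linter reads the token's parameters and does not verify signatures.

```python
"""Lint a SAS URI against SAS hardening rules: HTTPS only, least privilege, sane start time,
bounded lifetime, IP scoping. Added example, not Azure SDK code; MAX_LIFETIME, CLOCK_SKEW and
the sample URIs below are constructed assumptions, and sig=AAAA is a placeholder."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=8)   # policy choice for this example
CLOCK_SKEW = timedelta(minutes=15)  # tolerance for a start time slightly in the future


def _parse_sas_time(value):
    # SAS times are UTC ISO 8601; the service also accepts minute precision and date-only values.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAS time: {value!r}")


def lint_sas(url, needed_permissions, now=None, max_lifetime=MAX_LIFETIME):
    """Return a list of findings; an empty list means the SAS passes every rule."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []

    # 1. HTTPS only: both the URI you hand out and the spr restriction inside the signature.
    if parts.scheme != "https":
        findings.append("url scheme is not https")
    if q.get("spr") != "https":
        findings.append("spr missing or permits http")

    # 2. Least privilege: every granted permission letter must be one the client needs.
    extra = set(q.get("sp", "")) - set(needed_permissions)
    if extra:
        findings.append(f"over-privileged: grants {''.join(sorted(extra))} beyond {needed_permissions!r}")

    # 3. Start time: absent, or in the past, is fine; beyond the skew window is a smell.
    start = _parse_sas_time(q["st"]) if "st" in q else now
    if start > now + CLOCK_SKEW:
        findings.append(f"start time {q['st']} is in the future")

    # 4. Expiry and lifetime. With a stored access policy (si) the expiry may live in the
    #    policy, so the token alone cannot prove it; flag it for review.
    if "se" not in q:
        where = "stored access policy " + q["si"] if "si" in q else "nowhere"
        findings.append(f"no expiry in token (defined in {where})")
    else:
        expiry = _parse_sas_time(q["se"])
        if expiry <= now:
            findings.append("already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")

    # 5. Network scoping: without sip the token works from any source address.
    if "sip" not in q:
        findings.append("no sip range; usable from any IP")
    return findings


# Constructed samples. sig is a placeholder; this linter does not verify signatures.
SAMPLE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
GOOD_URL = ("https://examplestorage.blob.core.windows.net/reports/q1.csv"
            "?sv=2020-12-06&sr=b&sp=w&st=2029-12-31T23%3A45%3A00Z&se=2030-01-01T02%3A00%3A00Z"
            "&spr=https&sip=203.0.113.10-203.0.113.20&sig=AAAA")
BAD_URL = ("http://examplestorage.blob.core.windows.net/reports/q1.csv"
           "?sv=2020-12-06&sr=b&sp=racwdl&se=2031-01-01T00%3A00%3A00Z&spr=https%2Chttp&sig=AAAA")
POLICY_URL = ("https://examplestorage.blob.core.windows.net/reports"
              "?sv=2020-12-06&sr=c&si=partner-upload&spr=https&sig=AAAA")

if __name__ == "__main__":
    for name, url in (("good", GOOD_URL), ("bad", BAD_URL), ("policy", POLICY_URL)):
        print(name, lint_sas(url, "w", now=SAMPLE_NOW) or ["ok"])
```

The `si` case is deliberately reported rather than passed: a token that references a stored access policy looks harmless on its own, and the real expiry and permissions have to be read from the policy on the container, queue, table, or share.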
Summary
Remember that a SAS is a URI carrying everything needed to authorize a request to read, write, or delete a resource, including the signature that proves the issuer held the signing key. Understanding this system is important for the AZ-204 Developing Solutions for Microsoft Azure exam, because it is how you secure and manage access to storage accounts in a fine-grained way. By mastering how to create and implement Shared Access Signatures, you can make your Azure storage both more secure and easier to share.
Practice Test
True or False: A shared access signature (SAS) is an Azure Storage mechanism that allows you to grant limited access to objects in your storage account to other clients, without exposing your account key.
- True
- False
Answer: True
Explanation: A SAS is a way to grant limited access to your Azure Storage resources without sharing your access keys and it’s one of the key concepts for the AZ-204 exam.
In Microsoft Azure, which SAS type is associated with a stored access policy?
- A) User delegation SAS
- B) Account SAS
- C) Service SAS
- D) None of the above
Answer: C) Service SAS
Explanation: A service SAS is the only SAS type that can reference a stored access policy, which is defined on the container, queue, table, or file share. The policy can hold the start time, expiry, and permissions, so they can be changed, or the SAS revoked, server-side without regenerating the account key.
True or False: The shared access signature (SAS) exposes the Azure storage account key to the client.
- True
- False
Answer: False
Explanation: The shared access signature is created with the account key but the key itself is not exposed to the client.
Which type of SAS can be created with Azure Active Directory (Azure AD) credentials?
- A) Service SAS
- B) Account SAS
- C) User delegation SAS
- D) None of the above
Answer: C) User delegation SAS
Explanation: A user delegation SAS is a distinct SAS type alongside service SAS and account SAS. It is secured with Microsoft Entra ID (formerly Azure AD) credentials through a user delegation key rather than the storage account key, and it is available for Blob storage (including Data Lake Storage Gen2) only.
What permissions can be granted using a shared access signature (SAS)?
- A) read
- B) write
- C) delete
- D) All of the above
Answer: D) All of the above
Explanation: A SAS can grant permissions to read, write, and delete resources within your storage account.
True or False: SAS tokens, once issued, cannot be revoked before their expiry time.
- True
- False
Answer: False
Explanation: A SAS can be revoked before expiry. A service SAS or account SAS signed with an account key is invalidated by regenerating that key, which also invalidates every other SAS signed with it; a service SAS that references a stored access policy is revoked by deleting or modifying the policy; a user delegation SAS is invalidated by revoking the user delegation key or the security principal's permissions.
The expiry time of a shared access signature (SAS) can be extended by?
- A) Issuing a new SAS with an extended expiry time
- B) Directly changing the expiry time in the existing SAS
- C) Both A & B
- D) None of the above
Answer: A) Issuing a new SAS with an extended expiry time
Explanation: The expiry time is part of the signed string, so it cannot be changed in place: editing the se parameter of an issued SAS URI makes the signature fail. A new SAS must be issued with the later expiry (for a SAS that references a stored access policy, the expiry can instead be extended on the policy).
True or False: Service SAS is the only type of SAS that supports IP restriction.
- True
- False
Answer: False
Explanation: IP restriction (the signedIP, sip, parameter) is supported by all three SAS types: service SAS, account SAS, and user delegation SAS.
If a storage account key is regenerated, what will happen to existing SAS tokens?
- A) They will continue to work
- B) They will become invalid
- C) They will need to be updated manually
- D) None of the above
Answer: B) They will become invalid
Explanation: If a storage account key is regenerated, every SAS that was signed with that key becomes invalid, because the service can no longer reproduce the signature. A SAS signed with the other account key keeps working, which is why keys are rotated one at a time.
True or False: A user delegation SAS does not require an Azure AD user identity.
- True
- False
Answer: False
Explanation: A user delegation SAS is signed with a user delegation key that is requested using Microsoft Entra ID (formerly Azure AD) credentials, so creating one requires a Microsoft Entra security principal (a user, or an application acting as a service principal) with permission to obtain that key.
Shared access signatures can be used to grant access to which of the following Azure storage services?
- A) Blob storage
- B) Table storage
- C) Queue storage
- D) All of the above
Answer: D) All of the above
Explanation: SAS can be used to grant fine-grained, limited access to all types of resources in Azure Storage, including blobs, queues, tables, and files.
True or False: An account SAS is secured by Azure Active Directory (Azure AD) credentials.
- True
- False
Answer: False
Explanation: An account SAS is not secured with Azure AD credentials but with the storage account key.
Interview Questions
What is a Shared Access Signature (SAS) in Azure?
A Shared Access Signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a client with a SAS that allows the client to access resources in a storage account without sharing your account keys.
What are the types of Shared Access Signatures?
There are three types: a user delegation SAS (Blob storage only, secured with Microsoft Entra ID credentials), a service SAS (scoped to a single resource in one service and signed with the account key), and an account SAS (signed with the account key, able to span blobs, queues, tables, and files and to perform service-level operations such as creating containers).
How is a SAS token generated?
A SAS token is generated by signing a string-to-sign, built from the canonicalized resource URI and the query parameters that define the grant (permissions, start and expiry times, protocol, IP range, and so on), with HMAC-SHA256 using the storage account key, or the user delegation key for a user delegation SAS. The Base64 signature is appended as the sig parameter, so any change to a signed parameter causes validation to fail.
What should you do to revoke a Shared Access Signature?
It depends on how the SAS was issued. A service SAS that references a stored access policy is revoked by deleting the policy or removing its permissions. An ad hoc service SAS or an account SAS can only be revoked by regenerating the account key that signed it, which also invalidates every other SAS signed with that key. A user delegation SAS is revoked by revoking the user delegation key. A stored access policy cannot be attached to a SAS after it has been issued, so plan for revocation when you decide how to create the SAS.
What is the Stored Access Policy in Azure?
A stored access policy is defined on a container, queue, table, or file share and provides server-side control over the service SASs that reference it: the start time, expiry, and permissions can live in the policy instead of in the token, so they can be changed, or the policy deleted to revoke access, without regenerating the storage account key. Account SAS and user delegation SAS cannot reference a stored access policy.
What does the start time parameter specify when creating a SAS token?
The start time parameter specifies the time at which the SAS becomes valid. The start time is optional, and if omitted, the SAS is effective immediately upon creation.
What is the purpose of the expiry time parameter when generating a SAS token?
The expiry time parameter specifies the time at which the SAS is no longer valid. After this time, any attempt to use the SAS to access the storage resource will be denied.
Can permission set in the Shared Access Signatures be overridden by the Stored Access Policy?
Not override; the parameters are partitioned. Each of the start time, expiry, and permissions is set either in the stored access policy or in the SAS token, not in both; a request whose SAS specifies a field that is also present in the referenced policy is rejected as a bad request. When the policy supplies a field, the policy's value is what the service enforces.
How can you prevent a man-in-the-middle attack when using Shared Access Signatures?
To prevent a man-in-the-middle attack, use HTTPS with Shared Access Signatures to secure the transmission of the SAS token across the network.
What are the required elements when creating a service SAS?
The required elements are the canonicalized resource URI (account, container, and blob or other resource), the signed version, the resource type for blob and file SAS, the permissions and the expiry time (each of which may instead come from a referenced stored access policy), and the signature computed over those fields with the storage account key.
What is the risk associated with using an account SAS?
An account SAS can span the Blob, Queue, Table, and File services and authorize service-level operations such as creating and deleting containers, which a service SAS cannot. It cannot reference a stored access policy, so if it leaks the only way to revoke it is to regenerate the account key, which breaks every other SAS signed with that key. A leaked account SAS can therefore give an attacker broad access to the storage account for the token's whole lifetime.
Is it possible to create a Shared Access Signature that does not expire in Azure?
An ad hoc service SAS and an account SAS require an expiry time. A service SAS that references a stored access policy can in practice be left without one, since the expiry may be omitted from both the token and the policy; such a SAS stays valid until the policy is deleted or the key is regenerated, which is not recommended. A user delegation SAS is additionally bounded by the lifetime of the user delegation key, at most seven days. Long-lived tokens widen the window in which a leak can be exploited, so keep the expiry short.
Can you change the expiry time of a SAS after it has been created?
No, once a SAS has been created, you cannot change the expiry time. You would need to create a new SAS with the updated expiry time.
Can a service SAS be used to create or delete containers, tables, or queues?
No. A service SAS is scoped to a single blob, container, queue, table, or file share and grants operations on that resource or its contents; creating or deleting containers, tables, queues, or shares is a service-level operation that requires an account SAS (or Microsoft Entra ID authorization).
Can Shared Access Signatures grant read, write, and delete permissions to a specific blob?
Yes. A service SAS or user delegation SAS with signedResource b applies to one blob, and its permissions can be any combination of read, write, and delete, along with others such as add and create. A client holding that SAS can perform only those operations on only that blob.