A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data, for example what permissions they have to those resources.

Azure Storage supports three types of shared access signatures:

User delegation SAS
A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. For more information about the user delegation SAS, see Create a user delegation SAS (REST API).

Service SAS
A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. For more information about the service SAS, see Create a service SAS (REST API).

Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. You can also delegate access to the following: service-level operations (for example, the Get/Set Service Properties and Get Service Stats operations), and read, write, and delete operations that aren't permitted with a service SAS. For more information about the account SAS, see Create an account SAS (REST API).

Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security. For more information, see Authorize access to data in Azure Storage.

A shared access signature can take one of the following two forms:

Ad hoc SAS. When you create an ad hoc SAS, the start time, expiry time, and permissions are specified in the SAS URI.

Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints (the start time, expiry time, and permissions) defined for the stored access policy.

Be careful to restrict permissions that allow users to generate SAS tokens. It's not possible to audit the generation of SAS tokens. Any user that has privileges to generate a SAS token, either by using the account key, or via an Azure role assignment, can do so without the knowledge of the owner of the storage account. To prevent users from generating a SAS that is signed with the account key for blob and queue workloads, you can disallow Shared Key access to the storage account. For more information, see Prevent authorization with Shared Key.

You can sign a SAS token with a user delegation key or with a storage account key (Shared Key).

Signing a SAS token with a user delegation key
You can sign a SAS token by using a user delegation key that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key. To get the key, and then create the SAS, an Azure AD security principal must be assigned an Azure role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. For more information, see Create a user delegation SAS (REST API).

Signing a SAS token with an account key
Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

When a request includes a SAS token, that request is authorized based on how that SAS token is signed. The access key or credentials that you use to create a SAS token are also used by Azure Storage to grant access to a client that possesses the SAS. The following table summarizes how each type of SAS token is authorized. Microsoft recommends using a user delegation SAS when possible for superior security.

The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account. Client applications provide the SAS URI to Azure Storage as part of a request. Then, the service checks the SAS parameters and the signature to verify that it is valid.
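The account-key signing and the service-side check described above, as an added example that is not the page's or Microsoft's own code: it mints a short-lived, read-only blob service SAS with HMAC-SHA256 over the string-to-sign, then models the verification the service performs, so a token whose permissions were edited in transit fails the signature check and a genuine token is refused once its expiry passes. Assumptions: the account, container, blob names and the key are constructed, and the string-to-sign field order is taken from the version 2020-12-06 service SAS reference, which the page links to but does not reproduce.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION, TIME_FMT = "2020-12-06", "%Y-%m-%dT%H:%M:%SZ"
# Constructed demo key (base64 of arbitrary bytes); a real account key is random.
DEMO_ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-account-key").decode()

def _string_to_sign(account, container, blob, p):
    # Blob service SAS string-to-sign, field order per the 2020-12-06 version
    # (assumed from the "Create a service SAS" reference the page points to).
    return "\n".join([p.get("sp", ""), p.get("st", ""), p.get("se", ""),
                      f"/blob/{account}/{container}/{blob}",  # canonicalizedResource
                      p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
                      p.get("sr", ""), "", p.get("ses", ""),  # resource, snapshot time, encryption scope
                      p.get("rscc", ""), p.get("rscd", ""), p.get("rsce", ""), p.get("rscl", ""), p.get("rsct", "")])

def _sign(account_key_b64, string_to_sign):
    # signature = Base64(HMAC-SHA256(StringToSign, Base64Decode(accountKey)))
    mac = hmac.new(base64.b64decode(account_key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_blob_sas(account, container, blob, account_key_b64, permissions="r", minutes=15, now=None):
    """Mint an ad hoc, HTTPS-only, short-lived service SAS for one blob, signed with the account key."""
    now = now or datetime.now(timezone.utc)
    p = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "spr": "https",
         "st": (now - timedelta(minutes=5)).strftime(TIME_FMT),  # small clock-skew allowance
         "se": (now + timedelta(minutes=minutes)).strftime(TIME_FMT)}
    p["sig"] = _sign(account_key_b64, _string_to_sign(account, container, blob, p))
    return urlencode(p)

def validate_blob_sas(account, container, blob, account_key_b64, token, now=None):
    """Model of the service-side check: recompute the signature, then enforce the st/se window."""
    now = now or datetime.now(timezone.utc)
    p = {k: v[0] for k, v in parse_qs(token).items()}
    expected = _sign(account_key_b64, _string_to_sign(account, container, blob, p))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return "rejected: signature mismatch"  # any edited parameter lands here
    start = datetime.strptime(p["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now < expiry:
        return "rejected: outside st/se window"
    return "ok: " + p["sp"]

def demo():
    """Constructed scenario: valid token, permissions tampered from r to rw, expired token."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    tok = make_blob_sas("acct", "logs", "app.log", DEMO_ACCOUNT_KEY, now=t0)
    check = lambda t, when: validate_blob_sas("acct", "logs", "app.log", DEMO_ACCOUNT_KEY, t, now=when)
    return check(tok, t0), check(tok.replace("sp=r&", "sp=rw&"), t0), check(tok, t0 + timedelta(minutes=30))
```

Because Azure Storage keeps no record of minted tokens, the expiry and permission fields baked into the signature are the only limits a defender has on a SAS that leaks, which is why the example defaults to a 15-minute read-only token.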