A SAS is a unique URL that you can generate to provide time-limited access to your storage account. An account SAS is created at the storage account level, granting access to all containers within that account. Alternatively, you can create a SAS for a container, a folder, or even an individual object, which is known as a service SAS. A SAS can be generated through the portal or in code.
As you can see in the following screenshot of a storage account’s SAS blade in the Azure portal, when generating a SAS, you can define the allowed services and resource type, set a start and expiry date for the SAS, and even specify allowed IP ranges:

Figure 9.7 – Generating a SAS URL
Once you click on Generate SAS and connection string, a series of URLs and connection strings will be generated, which can then be used to access the service without the need to authenticate.
You can also generate a SAS for an individual file. After navigating to the file in the Azure portal, select it and click the option to generate a SAS for it, as shown in the following screenshot:

Figure 9.8 – Generating a SAS for an individual file
The URL generated can then directly access the file through a web browser, again without authenticating.
As mentioned earlier, these tasks can also be achieved in code. This is a great way to secure access to assets in your storage accounts without requiring users to sign in but still giving direct access (as opposed to your application retrieving the file and passing it on). A typical workflow could look like this:
- A user requests access to a secure file from your application.
- Your application generates a time-limited, IP-restricted SAS and returns the URL to the user.
- The user uses that URL to download the file directly, but they only have a short timeframe to download it and can only download it from their current IP address.
A SAS is generated using a storage account key, and each storage account has two keys available. When you generate a SAS, you have the option to use either key.
The storage account key can also directly access a storage account without generating a SAS – this is synonymous with using a connection string for a SQL database. The keys and connection string can be viewed in the Azure portal by navigating to the Access keys left-hand menu option in the Storage Account blade.
Occasionally, you might need to regenerate these access keys – for example, if you are worried a connection string or SAS has been compromised. You can regenerate these keys through the Access keys view; regenerating a key disables any previously generated SAS or connection string that relies on it.
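The workflow above (a time-limited, IP-restricted SAS for one file) and its dependence on the account key can be seen in the following added example, which is not code from the original page. It signs a read-only service SAS by hand with the Python standard library; the string-to-sign field order is assumed to be the Blob service layout for service version 2020-12-06, and the account, container, blob, key and IP values are constructed.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SAS_VERSION = "2020-12-06"  # assumed service version; it fixes the field order below
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def sign(account_key_b64, string_to_sign):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def make_blob_read_sas(account, container, blob, account_key_b64, client_ip,
                       now=None, lifetime=timedelta(minutes=5)):
    """Return a read-only, HTTPS-only SAS URL for one blob, bound to one IP."""
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(minutes=1)).strftime(TIME_FMT)  # allow for clock skew
    expiry = (now + lifetime).strftime(TIME_FMT)
    string_to_sign = "\n".join([
        "r",                                    # sp: read only
        start, expiry,                          # st, se
        f"/blob/{account}/{container}/{blob}",  # canonicalized resource
        "",                                     # si: no stored access policy
        client_ip,                              # sip: caller's address only
        "https",                                # spr
        SAS_VERSION,                            # sv
        "b",                                    # sr: a single blob
        "", "",                                 # snapshot time, encryption scope
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct
    ])
    query = urlencode({
        "sv": SAS_VERSION, "sr": "b", "sp": "r", "st": start, "se": expiry,
        "sip": client_ip, "spr": "https",
        "sig": sign(account_key_b64, string_to_sign),
    })
    return f"https://{account}.blob.core.windows.net/{container}/{quote(blob)}?{query}"

def sas_params(url):
    """Decode the SAS query string so its restrictions can be inspected or logged."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

if __name__ == "__main__":
    key1 = base64.b64encode(b"constructed-demo-key-1").decode()  # constructed, not a real key
    url = make_blob_read_sas("exampleacct", "docs", "report.pdf", key1, "203.0.113.7")
    print(url)
    print(sas_params(url))
```

Because every restriction (permission, times, IP, protocol) is part of the signed string, changing any of them in the URL breaks the signature, and a SAS signed with a key that has since been regenerated no longer matches what the service computes. In application code the `generate_blob_sas` function in the `azure-storage-blob` SDK performs this signing.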
In addition to individual SAS tokens, you can define an access policy at the container level, which provides an additional level of security.