In this article, I will describe what a Shared Access Signature (SAS) is and how it can be used to make access to your Azure Blob Storage secure.

I will come to the details of what SAS is and how it can be used a little later. First, let's look at Azure Blob Storage. Blob storage holds one or more containers, which can be used to store files and media.

The screenshot below shows the Storage Accounts section in the Azure Portal, with a storage account selected. Under the 'BLOB SERVICE' section, click 'Containers' to add a new container or to view and edit existing ones.

[Screenshot: AzureBLOB_Portal]

As you can see under the Containers section, there are two blob containers: the first has the access type Private and the second has the access type Container. I have removed parts of the names from the above screenshot for security purposes.

The difference between the two access types is:

'Container' access type: the blob container is public, and its blobs can be accessed using the URL format:

https://<StorageAccountName>.blob.core.windows.net/<containername>/<fileName>

Blob containers marked with the 'Container' access type are thus publicly accessible by anyone who knows the blob URL.

'Private' access type: as the name suggests, this is the secure access type; blobs in the container can't be accessed publicly over a URL.

Although blobs in a container with the 'Container' access type can be read publicly over the blob URL, they can't be deleted or renamed without the storage account access keys (screenshot below).

[Screenshot: AzureBLOB_AccessKeys]

Storage account access keys are the master keys to the storage account.

You can read more about SAS on MSDN: https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1

Now, let's move on to creating a Shared Access Signature (SAS) for accessing the blob storage. The screenshot below shows the Shared Access Signature section in the Azure Portal.

[Screenshot: azure_sas_creation]

As you can see from the above screen, you are given various options. You need to choose the services ('Blob', 'File', etc.) that should be accessible through the SAS. You also need to select the start and expiry date/time; this determines the period during which the SAS token is valid and can be used to access the selected resources (Blob, File, etc.).

The SAS token is generated by Azure using the access keys. You can select either 'Key1' or 'Key2' to generate the SAS token; the option is at the bottom of the screen in the above screenshot.

After generating the SAS token using the process described above, the token obtained is:

?sv=2016-05-31&ss=bfqt&srt=sco&sp=rwdlacup&se=2017-07-03T18:21:27Z&st=2017-07-03T10:21:27Z&spr=https&sig=w1ZOS4y.......

This SAS token can be appended to the end of the blob URL:

https://<StorageAccountName>.blob.core.windows.net/<containername>/<fileName>?sv=2016-05-31&ss=bfqt&srt=sco&sp=rwdlacup&se=2017-07-03T18:21:27Z&st=2017-07-03T10:21:27Z&spr=https&sig=w1ZOS4y.......

to access blobs in a secure way, within the specified start and end time and with the allowed permissions (read, write, delete, list, etc.).
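As an added example (not code from the article), the Python below parses the token shown above, flags the settings a reviewer would question before handing such a token to a client (it grants write/delete permissions at service and container level, with no IP restriction), and recomputes the 'sig' field the way the service does for an account SAS of version 2016-05-31. The account name 'myaccount' and the demo key are assumptions; the string-to-sign layout is the documented one for that SAS version.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# The account SAS token shown in the article (signature truncated by the author).
SAS_TOKEN = ("?sv=2016-05-31&ss=bfqt&srt=sco&sp=rwdlacup&se=2017-07-03T18:21:27Z"
             "&st=2017-07-03T10:21:27Z&spr=https&sig=w1ZOS4y.......")
ISO = "%Y-%m-%dT%H:%M:%SZ"
# Constructed demo key for the signature check below; NOT a real storage account key.
DEMO_KEY_B64 = base64.b64encode(b"\x01" * 64).decode()

def parse_sas(token):
    """Split a SAS query string into a flat dict of its parameters."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}

def _utc(stamp):
    return datetime.strptime(stamp, ISO).replace(tzinfo=timezone.utc)

def audit_sas(token, now=None, max_hours=24):
    """List settings that make an account SAS broader than a consumer usually needs.
    `now` is an ISO timestamp like the token's st/se fields; None means the current time."""
    p = parse_sas(token)
    findings = []
    if any(c in p.get("sp", "") for c in "wdacup"):
        findings.append("write/delete-class permissions granted (sp=%s)" % p["sp"])
    if any(c in p.get("srt", "") for c in "sc"):
        findings.append("service/container-level access granted (srt=%s)" % p["srt"])
    if p.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if "sip" not in p:
        findings.append("no source IP range restriction (sip)")
    if _utc(p["se"]) - _utc(p["st"]) > timedelta(hours=max_hours):
        findings.append("validity window longer than %d hours" % max_hours)
    current = _utc(now) if now else datetime.now(timezone.utc)
    if current >= _utc(p["se"]):
        findings.append("token has expired")
    return findings

def account_sas_signature(account, key_b64, p):
    """Recompute the 'sig' field as the service does for an account SAS (version
    2016-05-31): HMAC-SHA256, keyed with the decoded access key, over the signed fields."""
    string_to_sign = "\n".join([account, p["sp"], p["ss"], p["srt"], p.get("st", ""),
                                p["se"], p.get("sip", ""), p.get("spr", ""), p["sv"]]) + "\n"
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()
```

Because every signed field is part of the HMAC input, changing the expiry or permissions in the query string invalidates the signature, which is why a token can only be narrowed by issuing a new one with the key.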

I hope you followed the article. If you have any comments, questions or suggestions, leave a message and I will try to respond at my earliest.
