Stored access policies provide an additional level of control over Shared Access Signatures (SAS) on Azure Storage services including Blob Containers, File Shares, Queues, and Tables. They provide a way to manage constraints for one or more SAS tokens without having to regenerate them.
Here’s how you can configure stored access policies on Azure Blob Containers, although similar steps apply to File Shares, Queues, and Tables:
Modifying a stored access policy affects all SAS tokens associated with it.
Suppose you have a Blob Container called ‘documents’ and you want to provide a contractor read-only access for the next month. You would:
Now, if for any reason you need to revoke that access earlier than planned, you can modify the stored access policy to have an earlier expiry date or delete it entirely to revoke access immediately.
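The contractor scenario above as an added example using the Az.Storage PowerShell module (this is not code from the original article). The storage account name and key are placeholders, and the policy identifier 'contractor-read' is an assumed name.

```powershell
# Added example (not from the original article): Az.Storage cmdlets for the
# 'documents' container scenario. Account name and key are placeholders.
$account = '<storage-account-name>'
$key     = '<storage-account-key>'   # or -UseConnectedAccount with RBAC instead of a key
$ctx     = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# 1. Create the stored access policy: read + list, valid for one month.
#    The identifier ('contractor-read', assumed name) is what SAS tokens reference.
New-AzStorageContainerStoredAccessPolicy -Container 'documents' -Policy 'contractor-read' `
    -Permission 'rl' -StartTime (Get-Date).ToUniversalTime() `
    -ExpiryTime (Get-Date).ToUniversalTime().AddMonths(1) -Context $ctx

# 2. Issue a SAS bound to the policy. Permissions and expiry are NOT carried in
#    the token; the service resolves them from the policy on every request.
#    Protocol and IP restrictions still live on the SAS itself, so set them here.
$sas = New-AzStorageContainerSASToken -Name 'documents' -Policy 'contractor-read' `
    -Protocol HttpsOnly -Context $ctx
# $sas carries an 'si=contractor-read' parameter and no 'sp='/'se=' parameters.

# 3. Audit: list the policies on the container (the service allows at most 5).
Get-AzStorageContainerStoredAccessPolicy -Container 'documents' -Context $ctx

# 4a. Revoke early by pulling the expiry in; every token referencing the policy
#     stops working at the new time, with no need to reissue anything.
Set-AzStorageContainerStoredAccessPolicy -Container 'documents' -Policy 'contractor-read' `
    -Permission 'rl' -ExpiryTime (Get-Date).ToUniversalTime() -Context $ctx

# 4b. Or revoke immediately by deleting the policy. A SAS signature is bound to
#     the identifier, not to the policy's contents, so recreating a policy under
#     the same name would re-enable the old tokens; pick a fresh identifier
#     whenever you issue replacements.
Remove-AzStorageContainerStoredAccessPolicy -Container 'documents' -Policy 'contractor-read' -Context $ctx
```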
| Feature | SAS Token | Stored Access Policy |
|---|---|---|
| Scope | Blob/File/Queue/Table | Container/File Share/Queue/Table |
| Granularity | Single entity | Multiple entities |
| Lifetime | Fixed when the SAS is created | Defined by the policy |
| Revocation | Must regenerate the SAS | Delete or modify the policy |
| Supports IP restrictions? | Yes | No (but a SAS using the policy can) |
| Supports protocol restrictions? | Yes | No (but a SAS using the policy can) |
| Passes on policy changes? | No (unless recreated) | Yes, immediately affects all associated SAS |
In conclusion, stored access policies are a powerful feature for managing shared access to your storage resources more effectively. By understanding and utilizing this feature, as demonstrated, you can streamline access control and manage security risks across your Azure storage accounts.
Answer: A) True
Explanation: A stored access policy provides additional control over service-level SAS, which includes the ability to manage constraints for a SAS without regenerating the SAS itself.
Answer: D) Access Tier
Explanation: Access Tier is not an attribute of a stored access policy. A stored access policy’s attributes include Start Time, Expiry Time, and Permissions.
Answer: B) False
Explanation: The properties of an existing stored access policy can be modified. Changing a stored access policy automatically affects all associated SAS tokens.
Answer: A) 5
Explanation: You can have up to 5 stored access policies per container, queue, table, or file share in Azure Storage.
Answer: B) False
Explanation: A stored access policy is not required to create a service-level SAS, but it allows you to manage a group of similar SAS tokens and provides additional control.
Answer: A) True
Explanation: A stored access policy can be used to extend the expiry time of a service SAS or to change its permissions, without reissuing the SAS.
Answer: A) True
Explanation: A shared access signature (SAS) can be created without being associated with a stored access policy. This type of SAS is called an ad hoc SAS.
Answer: B) False
Explanation: Once a stored access policy is deleted, any associated SAS tokens immediately become invalid, regardless of their set expiry time.
Answer: C) Set of permissions for the SAS
Explanation: The permission attribute of a stored access policy specifies the set of permissions that the SAS will have.
Answer: B) False
Explanation: Stored access policies are only available for Service SAS, not for Account SAS.
Answer: D) All of the above
Explanation: Stored access policies are supported by Azure Storage services such as Blob containers, Queues, and Tables.
Answer: A) An identifier
Explanation: When defining a stored access policy, an identifier must be assigned to the policy. This identifier is used to associate the access policy with a SAS.