SAS tokens grant specific permissions to resources within a storage account for a set period. These permissions can be finely tuned to allow actions such as reading, writing, and deleting on blobs, queues, tables, and files.
There are three types of SAS token: an account SAS, signed with a storage account key and able to span one or more services in the account; a service SAS, also signed with the account key but scoped to a single resource such as a blob, container, queue, table or file share; and a user delegation SAS, signed with Azure AD credentials rather than the account key (blob and queue storage only).
To generate a service SAS, you can use the Azure Portal, Azure PowerShell, the Azure CLI, or an Azure Storage SDK. Here is a simple example of generating a service SAS for a blob using Azure PowerShell:
<code>
# Build a context that carries the account key: a service SAS is an HMAC
# signed with that key, so whoever holds the key can mint any SAS.
# (Resource group and account names are placeholders.)
$accountKey = (Get-AzStorageAccountKey -ResourceGroupName "myResourceGroup" -Name "mystorageaccount")[0].Value
$ctx = New-AzStorageContext -StorageAccountName "mystorageaccount" -StorageAccountKey $accountKey
# Define the resource (blob) and confirm it exists
$container = "mycontainer"
$blob = Get-AzStorageBlob -Container $container -Blob "myblob.jpg" -Context $ctx
# Define the expiry time and permissions for the SAS (read-only, two hours)
$expiryTime = (Get-Date).AddHours(2)
$permissions = "r"
# Generate the SAS token, restricted to HTTPS
$sasToken = New-AzStorageBlobSASToken -Blob $blob.Name -Container $container `
    -Permission $permissions -ExpiryTime $expiryTime -Protocol HttpsOnly `
    -Context $ctx
# Output the SAS token (a query string beginning "?sv=..." that is appended to the blob URL)
Write-Output $sasToken
</code>
This generates a token that allows read access to the specified blob for two hours.
An account SAS typically grants broader access, because a single token can span several services and resource types in the account, so scope it as narrowly as the task allows. Here's an Azure CLI (bash) example for generating an account SAS:
<code>
# Storage account name (must be lowercase), services (b=blob, f=file, q=queue, t=table),
# resource types (s=service, c=container, o=object) and permissions (r=read, l=list)
accountName="mystorageaccount"
services="b"
resourceTypes="sco"
permissions="rl"
# Expiry 30 minutes from now, in the UTC format the service expects (GNU date)
expiry=$(date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ')
# Generate the SAS token. The signing key comes from --account-key or $AZURE_STORAGE_KEY;
# otherwise az fetches it with your signed-in identity.
az storage account generate-sas --permissions "$permissions" --account-name "$accountName" \
    --services "$services" --resource-types "$resourceTypes" \
    --expiry "$expiry" --https-only -o tsv
</code>
This example generates a SAS that allows read and list permissions on blob storage service resources for 30 minutes, over HTTPS only.
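The following Python script is an added example, not code from the page or from Microsoft's tooling. It mints an account SAS exactly as the CLI command above does and then verifies it the way the service does on every request, which makes the trust model visible: the token is nothing but its parameters plus an HMAC-SHA256 keyed with the account key, the service keeps no list of issued tokens, and either of the two account keys validates a token signed with it. It assumes service version 2022-11-02 (every version from 2020-12-06 onward uses this string-to-sign layout, the same one the azure-storage-blob SDK's generate_account_sas implements); the account name, key bytes and timestamps are constructed samples.

```python
"""Mint and verify an Azure account SAS offline (added example).

An account SAS is just its query-string parameters plus an HMAC-SHA256 over
those parameters keyed with a storage account key. The service keeps no list
of issued tokens: it recomputes the MAC on every request, so anyone holding
the key can mint tokens, and a token stops working only when it expires, its
parameters are changed, or the key that signed it is regenerated.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode

# Assumption: service version 2020-12-06 or later, whose string-to-sign ends
# with the (usually empty) signed encryption scope field.
SIGNED_VERSION = "2022-11-02"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # all datetimes below are naive UTC

# Constructed sample keys; real account keys are 64 random bytes, base64-encoded.
SAMPLE_PRIMARY_KEY = base64.b64encode(b"P" * 64).decode("ascii")
SAMPLE_SECONDARY_KEY = base64.b64encode(b"S" * 64).decode("ascii")


def account_sas_string_to_sign(account: str, p: dict) -> str:
    """Canonical field order from the account SAS spec; absent fields stay blank."""
    fields = [account, p.get("sp", ""), p.get("ss", ""), p.get("srt", ""),
              p.get("st", ""), p.get("se", ""), p.get("sip", ""),
              p.get("spr", ""), p.get("sv", ""), p.get("ses", "")]
    return "\n".join(fields) + "\n"


def sign(account_key_b64: str, string_to_sign: str) -> str:
    """sig = Base64(HMAC-SHA256(Base64Decode(key), UTF8(string_to_sign)))."""
    digest = hmac.new(base64.b64decode(account_key_b64),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_account_sas(account, account_key_b64, permissions, services,
                         resource_types, expiry, start=None, ip=None,
                         protocol="https"):
    """Build the same query string the CLI/PowerShell cmdlets hand back."""
    params = {"sv": SIGNED_VERSION, "ss": services, "srt": resource_types,
              "sp": permissions, "se": expiry.strftime(TIME_FMT),
              "spr": protocol}
    if start:
        params["st"] = start.strftime(TIME_FMT)
    if ip:
        params["sip"] = ip
    params["sig"] = sign(account_key_b64,
                         account_sas_string_to_sign(account, params))
    return urlencode(params)


def verify_account_sas(account, live_keys_b64, sas_query, now):
    """Per-request check as the service performs it: parse the token, reject it
    outside its [st, se) window, then recompute the MAC with each live key
    (primary and secondary). Returns the index of the matching key, or None."""
    p = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    sig = p.pop("sig", "")
    if "st" in p and datetime.strptime(p["st"], TIME_FMT) > now:
        return None
    if "se" not in p or datetime.strptime(p["se"], TIME_FMT) <= now:
        return None
    expected = account_sas_string_to_sign(account, p)
    for i, key in enumerate(live_keys_b64):
        if hmac.compare_digest(sign(key, expected), sig):
            return i
    return None


def demo() -> dict:
    """Mint a 30-minute read/list blob SAS, then show the three things that
    make a token stop working: tampering, key rotation and the time window."""
    acct = "mystorageaccount"
    issued = datetime(2029, 1, 1, 12, 0, 0)
    sas = generate_account_sas(acct, SAMPLE_PRIMARY_KEY, "rl", "b", "sco",
                               expiry=issued + timedelta(minutes=30),
                               start=issued, ip="203.0.113.10")
    live = [SAMPLE_PRIMARY_KEY, SAMPLE_SECONDARY_KEY]
    t = issued + timedelta(minutes=5)
    return {
        "token": sas,
        "valid_with_primary": verify_account_sas(acct, live, sas, t),  # 0
        "escalated_perms": verify_account_sas(
            acct, live, sas.replace("sp=rl", "sp=rwdl"), t),  # None
        "after_primary_rotated": verify_account_sas(
            acct, [SAMPLE_SECONDARY_KEY], sas, t),  # None
        "before_start": verify_account_sas(
            acct, live, sas, issued - timedelta(minutes=1)),  # None
        "after_expiry": verify_account_sas(
            acct, live, sas, issued + timedelta(hours=1)),  # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo shows a token accepted with the primary key, then rejected after its sp parameter is edited, after the primary key is dropped from the live set (what regenerating the key does), and outside its start/expiry window. The practical consequence for revocation: an ad hoc account or service SAS can only be killed by regenerating the key it was signed with, which also kills every other token signed with that key.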
When generating SAS tokens, you specify several parameters (the query-string name of each is shown in parentheses):
| Parameter | Description |
| --- | --- |
| Permissions (sp) | The allowed actions (e.g., read, write, delete, list). |
| Start Time (st) | The time from which the SAS becomes valid (optional; the token is valid immediately if omitted). |
| Expiry Time (se) | The time after which the SAS is no longer valid. |
| Resource Type | For an account SAS (srt), the levels the token can reach: service (s), container (c), object (o). For a service SAS (sr), the single resource it is scoped to, such as a blob or a container. |
| IP Range (sip) | Restricts access to a specified IP address or range (optional). |
| Protocol (spr) | Restricts access by protocol; HTTPS-only is recommended (optional; both HTTPS and HTTP are accepted if omitted). |
| Services (ss) | Account SAS only: which services (blob, file, queue, table) the SAS applies to. |
As an Azure Administrator, it is important to adhere to best practices for managing SAS tokens: keep the validity window as short as the task allows, grant only the permissions the client actually needs, require HTTPS, restrict the source IP range when the client's address is known, and prefer a user delegation SAS (signed with Azure AD credentials) or a SAS tied to a stored access policy over an ad hoc token signed with the account key, so that access can be revoked without regenerating the key.
It's crucial to monitor the usage of SAS tokens for abnormal patterns that might indicate improper access. This can be done with Azure Monitor resource logs for the storage account (or the older Storage Analytics logging); each request entry records the authentication type, so SAS-authenticated requests can be filtered out and alerted on.
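The parameter table and the best practices above translate directly into an audit check. The following Python script is an added example, not from the page or Microsoft's tooling: it parses a SAS query string (or a blob URL with the SAS appended) and reports where the token is broader than a least-privilege policy allows. The policy thresholds (one-hour maximum lifetime, read and list only), the set of letters treated as mutating permissions, and the sample tokens with placeholder signatures are assumptions constructed for the example.

```python
"""Audit a SAS token's parameters against a least-privilege policy (added example).

Given a bare SAS query string or a full URL with the SAS appended, report
every way the token is broader than it needs to be: plaintext transport,
long or missing expiry, mutating permissions, service-wide scope, no source
IP restriction, and an ad hoc key-signed token that can only be revoked by
regenerating the account key.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumption: the permission letters that change data (add, create, write,
# delete, delete version, permanent delete); read-side letters are left out.
MUTATING = set("acwdxy")

# Constructed sample tokens; the sig values are placeholders, not real MACs.
SAMPLE_NOW = "2029-01-01T00:00:00Z"
CLI_EXAMPLE = ("sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2029-01-01T00:30:00Z"
               "&spr=https&sig=PLACEHOLDER")
WIDE_OPEN = "sv=2022-11-02&sr=c&sp=rwdl&se=2030-12-31T23:59:59Z&sig=PLACEHOLDER"
TIGHT = ("sv=2022-11-02&sr=b&si=read-only-policy&spr=https"
         "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")


def parse_sas(token_or_url: str) -> dict:
    """Accept either form the CLI/portal produce: '?sv=...' or a full blob URL."""
    if "://" in token_or_url:
        query = urlsplit(token_or_url).query
    else:
        query = token_or_url.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sas_kind(p: dict) -> str:
    """How the token was signed, which decides how it can be revoked."""
    if "skoid" in p:
        return "user-delegation"   # Azure AD: revoke the user delegation key
    if "si" in p:
        return "stored-policy"     # revoke by editing or deleting the policy
    return "ad-hoc"                # revoke only by regenerating the account key


def audit_sas(token_or_url, now_iso, max_lifetime=timedelta(hours=1),
              allowed_perms="rl"):
    """Return a list of (code, message) findings; an empty list means the
    token satisfies the policy."""
    p = parse_sas(token_or_url)
    now = datetime.strptime(now_iso, TIME_FMT)
    findings = []
    # Transport: an absent spr means HTTPS *and* HTTP are accepted.
    if p.get("spr") != "https":
        findings.append(("http", "plaintext HTTP allowed; set spr=https"))
    # Time window: se may legitimately live in the stored access policy.
    if "se" not in p and "si" not in p:
        findings.append(("no-expiry", "no se and no stored access policy"))
    elif "se" in p:
        se = datetime.strptime(p["se"], TIME_FMT)
        st = datetime.strptime(p["st"], TIME_FMT) if "st" in p else now
        if se - st > max_lifetime:
            findings.append(("lifetime", f"valid for {se - st}, policy allows {max_lifetime}"))
        if se <= now:
            findings.append(("expired", f"expired at {p['se']}"))
    # Permissions: anything outside the allowed set, and anything that writes.
    perms = set(p.get("sp", ""))
    extra = "".join(sorted(perms - set(allowed_perms)))
    if extra:
        findings.append(("perm-scope", f"permissions '{extra}' outside allowed '{allowed_perms}'"))
    if perms & MUTATING:
        mutating = "".join(sorted(perms & MUTATING))
        findings.append(("perm-mutating", f"grants write/delete-class permissions '{mutating}'"))
    # Scope: an account SAS (has ss) can reach service-level operations.
    if "ss" in p:
        if "s" in p.get("srt", ""):
            findings.append(("srt-service", "account SAS covers service-level operations (srt has 's')"))
        if len(p["ss"]) > 1:
            findings.append(("multi-service", f"account SAS spans services '{p['ss']}'"))
    # Network
    if "sip" not in p:
        findings.append(("no-ip", "no source IP restriction (sip)"))
    # Revocability
    if sas_kind(p) == "ad-hoc":
        findings.append(("ad-hoc", "key-signed ad hoc SAS; revocable only by regenerating the account key"))
    return findings


if __name__ == "__main__":
    for label, token in (("cli", CLI_EXAMPLE), ("wide", WIDE_OPEN), ("tight", TIGHT)):
        print(label, sas_kind(parse_sas(token)), audit_sas(token, SAMPLE_NOW))
```

Feed it the SAS values pulled from storage logs or found in a code review. The CLI_EXAMPLE token, which mirrors the one generated in the CLI section, comes back with three findings: it reaches service-level operations through srt=sco, it is not IP-restricted, and, being an ad hoc key-signed token, it can only be revoked by regenerating the account key.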
In conclusion, Shared Access Signature tokens are an essential part of managing access to Azure Storage resources. They provide a secure and flexible way to share access without compromising the primary storage keys. As you gear up for the AZ-104 Microsoft Azure Administrator exam, remember to familiarize yourself with SAS token generation and management best practices across Azure services.
Answer: True
Explanation: SAS tokens provide a way to delegate access rights to Azure Storage resources without exposing the account keys.
Answer: Blob-only SAS
Explanation: There are three types of SAS: Account-level, Service-level, and User Delegation SAS. Blob-only SAS is not a recognized type.
Answer: True
Explanation: SAS tokens can be generated through various methods including Azure Portal, Azure CLI, and Azure PowerShell.
Answer: Resource to be accessed, Permissions, Expiry time, IP address range allowed to access
Explanation: When creating a SAS token, you specify the resource, permissions, expiry time, and optionally an IP address range, among other attributes, but not your personal email address.
Answer: False
Explanation: An ad hoc SAS token cannot be modified after it has been issued; to change its expiry you create a new token (and, if the old one must stop working, regenerate the key that signed it). Only a SAS that references a stored access policy picks up changes made to that policy.
Answer: Any of the above
Explanation: A Service-Level SAS can be generated using either the primary or secondary storage account key.
Answer: True
Explanation: SAS tokens can be used with various Azure storage services, including Blob and File storage.
Answer: Azure AD authentication for Azure Blobs and Queues
Explanation: User Delegation SAS utilizes Azure AD credentials, and thus Azure AD authentication must be enabled.
Answer: False
Explanation: The Start time is optional when creating a SAS token; if you leave it blank, the SAS token is valid immediately.
Answer: True
Explanation: Using SAS is recommended over account keys because it provides a granular level of control and limits the exposure of storage account keys.
Answer: Both HTTPS and HTTP
Explanation: When creating a SAS, you can specify which protocol(s) can be used to access the resource. For security, it is recommended to allow HTTPS only.
A shared access signature (SAS) token is a query string generated for a resource that specifies a set of permissions and a time interval for accessing that resource.
Using SAS tokens allows you to grant limited access to a resource, without sharing the account key or compromising the security of the resource. SAS tokens also allow you to limit the time interval during which a client can access a resource.
You can generate a SAS token either ad hoc, specifying the permissions and time interval directly on the token, or by creating a stored access policy that defines them and then referencing the policy when you generate the token for the resource.
An ad hoc SAS token is generated on the fly, and its properties cannot be modified once it has been created. A SAS token created using a stored access policy, on the other hand, can be modified after it has been created.
You can generate SAS tokens for a wide variety of Azure Storage resources, including storage accounts, containers, blobs, queues, tables, and file shares.
A SAS token can grant a variety of permissions, including read, write, list, delete, add, and create.
You can specify the length of time that a SAS token is valid for. A user delegation SAS is limited to 7 days, the maximum lifetime of the user delegation key it is signed with; a service or account SAS signed with the account key has no enforced maximum, so keep its window as short as the task allows.
A stored access policy is a container for defining the permissions and time interval for accessing a resource. It allows you to create and manage a set of policies that can be used to generate SAS tokens for multiple resources.
Using stored access policies allows you to centrally manage the permissions and time intervals for accessing multiple resources. It also makes it easy to update or revoke access for a set of resources by modifying the stored access policy.
To revoke access for a SAS token that references a stored access policy, delete the policy or modify it to remove the permissions. An ad hoc SAS signed with the account key cannot be revoked individually: regenerating that account key invalidates every SAS signed with it. A user delegation SAS is revoked by revoking the user delegation key.