Sunday, January 26, 2020

Data Platform Tips 60 - Shared Access Signatures (SAS) in Azure Storage

You can give your end users and customers access to Azure Storage resources using Shared Access Signatures (SAS). A SAS is a signed URI that includes a token; the token contains a set of query parameters that grant access to the resources.

Azure Storage supports three types of Shared Access Signatures.

User Delegation SAS - It is secured with Azure Active Directory credentials along with the permissions specified on the SAS. It applies to Blob storage only.

Service SAS - It is secured with the Storage Account Key and delegates access to resources in one of the storage services - Blob, Queue, Table or Azure Files.

Account SAS - It is also secured with the Storage Account Key and delegates access to resources in one or more of the storage services - Blob, Queue, Table and Azure Files.

A SAS can take one of two forms:

Ad-hoc SAS - When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI.

SAS with a Storage access policy - This can be created on Blob, Queue, Table or File Share and can be used to manage constraints over one or more service Shared Access Signatures.

You can create a SAS via the Azure Portal, the Azure CLI or Azure Storage Explorer.
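An added example, not from the original post: a small Python audit that reads the query parameters of a SAS URI and reports which of the three types and two forms described above it is, along with expiry and protocol findings. The parameter names (`sig`, `skoid`, `ss`, `srt`, `si`, `sp`, `st`, `se`, `spr`) come from Azure Storage's documented SAS format rather than from this post; the sample URIs, the 24-hour lifetime limit and the finding strings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

def _when(value):
    """Parse a SAS ISO 8601 UTC timestamp such as 2020-01-26T09:00:00Z."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit_sas(uri, now, max_lifetime=timedelta(hours=24)):
    """Classify a SAS URI; max_lifetime is an assumed policy limit. sig is never returned."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    if "sig" not in q:
        raise ValueError("no 'sig' parameter: not a SAS URI")
    sas_type = ("user delegation" if "skoid" in q           # signed with a delegation key
                else "account" if "ss" in q and "srt" in q  # services + resource types
                else "service")
    form = "access policy" if "si" in q else "ad hoc"       # si names a policy on the resource
    findings = []
    if "se" in q:
        expiry = _when(q["se"])
        start = _when(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("expired")
        elif expiry - start > max_lifetime:
            findings.append("lifetime exceeds limit")
    elif form == "ad hoc":
        findings.append("no expiry in URI")
    if q.get("spr", "https,http") != "https":               # spr absent means https,http
        findings.append("plain HTTP allowed")
    return {"type": sas_type, "form": form,
            "permissions": q.get("sp", ""), "findings": findings}

# Constructed sample URIs (account name, paths, policy name and signatures are placeholders).
BASE = "https://example.blob.core.windows.net"
SAMPLES = {
    "account": BASE + "/?sv=2019-02-02&ss=bq&srt=sco&sp=rwl"
               "&st=2020-01-26T09:00:00Z&se=2020-03-26T09:00:00Z&sig=PLACEHOLDER",
    "service": BASE + "/docs/report.pdf?sv=2019-02-02&sr=b&sp=r&spr=https"
               "&st=2020-01-26T09:00:00Z&se=2020-01-26T10:00:00Z&sig=PLACEHOLDER",
    "policy": BASE + "/docs?sv=2019-02-02&sr=c&si=readers&spr=https&sig=PLACEHOLDER",
    "delegated": BASE + "/docs/report.pdf?sv=2019-02-02&sr=b&sp=r&spr=https"
                 "&skoid=00000000-0000-0000-0000-000000000000"
                 "&se=2020-01-26T10:00:00Z&sig=PLACEHOLDER",
}
NOW = datetime(2020, 1, 26, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(name, audit_sas(uri, NOW))
```

For the access-policy sample the permissions and expiry are empty because they live in the policy on the container, not in the URI.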
