Tutorial / Cram Notes
SAS tokens grant specific permissions to resources within a storage account for a set period. These permissions can be finely tuned to allow actions such as reading, writing, and deleting on blobs, queues, tables, and files.
There are two types of SAS tokens:
- Service SAS – Grants access to specific resources in a storage account.
- Account SAS – Grants access to resources in one or more services in a storage account.
Generating a Service SAS
To generate a Service SAS, you can use the Azure Portal, Azure PowerShell, the Azure CLI, or an Azure Storage SDK. Here is a simple example of generating a Service SAS for a blob using Azure PowerShell:
<code>
# Build a storage context from the account object (requires the Az.Storage module);
# the context carries the account key that signs the token
$ctx = (Get-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "mystorageaccount").Context
$containerName = "mycontainer"
$blobName = "myblob.jpg"
# Confirm the blob exists before issuing a token for it
$blob = Get-AzStorageBlob -Container $containerName -Blob $blobName -Context $ctx
# Define the expiry time and permissions for the SAS (read-only, two hours from now)
$expiryTime = (Get-Date).AddHours(2)
$permissions = "r"
# Generate the SAS token
$sasToken = New-AzStorageBlobSASToken -Container $containerName -Blob $blob.Name `
    -Permission $permissions -ExpiryTime $expiryTime `
    -Context $ctx
# Output the SAS token
Write-Output $sasToken
</code>
This generates a token that allows read access to the specified blob for two hours.
Generating an Account SAS
Generating an Account SAS typically grants broader access. Here’s an Azure CLI example for generating an Account SAS:
<code>
# Storage account name (must be lowercase), services (b=blob, f=file, q=queue, t=table),
# resource types (s=service, c=container, o=object) and permissions (r=read, l=list)
accountName="mystorageaccount"
services="b"
resourceTypes="sco"
permissions="rl"
# Expiry 30 minutes from now, in UTC (GNU date relative syntax)
expiry=$(date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ')
# Generate the SAS token (bash continues lines with a backslash, not a backtick)
az storage account generate-sas --permissions "$permissions" --account-name "$accountName" \
    --services "$services" --resource-types "$resourceTypes" \
    --expiry "$expiry" -o tsv
</code>
This example generates a SAS that allows read and list permissions on Blob service resources for 30 minutes.
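The CLI and PowerShell commands above leave the signing to Azure tooling. To show what that tooling computes, the following Python is an added example (not code from this page, from Azure's SDKs, or from the CLI): it assembles an account SAS for the same parameters as the CLI example (read and list on the Blob service, resource types sco, 30 minutes), signs it with HMAC-SHA256 over the account SAS string-to-sign, and verifies a token against a key. The account name `mystorageaccount`, both key values and the service version are constructed; the string-to-sign layout is assumed to be the one the REST documentation gives for service versions 2020-12-06 and later, so confirm generated tokens against the service before relying on it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample keys: Base64 strings of the same shape as a real 64-byte
# storage account key. Neither is a real key.
SAMPLE_ACCOUNT_KEY = base64.b64encode(bytes([1]) * 64).decode()
ROTATED_SAMPLE_KEY = base64.b64encode(bytes([2]) * 64).decode()
# Assumption: a service version of 2020-12-06 or later, whose string-to-sign
# ends with the (empty) signedEncryptionScope field.
SERVICE_VERSION = "2022-11-02"


def account_sas_string_to_sign(account, sp, ss, srt, st, se, sip, spr, sv, scope=""):
    # Field order follows the REST documentation for account SAS (assumption);
    # every field, including the last, is terminated by "\n".
    return "".join(f + "\n" for f in (account, sp, ss, srt, st, se, sip, spr, sv, scope))


def sas_signature(account_key_b64, string_to_sign):
    # The MAC key is the Base64-decoded account key; the signature is Base64 of HMAC-SHA256.
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def generate_account_sas(account, account_key_b64, sp, ss, srt,
                         lifetime=timedelta(minutes=30), sip="", spr="https", now=None):
    """Build the account SAS query string for the given parameters.
    Permission letters are assumed to be passed in Azure's canonical order."""
    now = now or datetime.now(timezone.utc)
    st = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    se = (now + lifetime).strftime("%Y-%m-%dT%H:%M:%SZ")
    sts = account_sas_string_to_sign(account, sp, ss, srt, st, se, sip, spr, SERVICE_VERSION)
    params = {"sv": SERVICE_VERSION, "ss": ss, "srt": srt, "sp": sp,
              "st": st, "se": se, "spr": spr}
    if sip:
        params["sip"] = sip
    params["sig"] = sas_signature(account_key_b64, sts)
    return urlencode(params)


def verify_account_sas(account, account_key_b64, token):
    """Recompute the signature from the token's own parameters and compare it in
    constant time. A token signed with a key that has since been regenerated fails
    here, and so does a token whose parameters were altered after signing."""
    p = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    sts = account_sas_string_to_sign(account, p.get("sp", ""), p.get("ss", ""),
                                     p.get("srt", ""), p.get("st", ""), p.get("se", ""),
                                     p.get("sip", ""), p.get("spr", ""), p.get("sv", ""))
    expected = sas_signature(account_key_b64, sts)
    return hmac.compare_digest(expected, p.get("sig", ""))


if __name__ == "__main__":
    token = generate_account_sas("mystorageaccount", SAMPLE_ACCOUNT_KEY, "rl", "b", "sco")
    print(token)
    print("valid with issuing key:", verify_account_sas("mystorageaccount", SAMPLE_ACCOUNT_KEY, token))
    print("valid after key rotation:", verify_account_sas("mystorageaccount", ROTATED_SAMPLE_KEY, token))
```

The verification step is the useful part for an administrator: because the signature covers every parameter, a token cannot be edited to extend its expiry or widen its permissions, and because it is keyed by the account key, regenerating that key invalidates every ad hoc token issued with it.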
Parameters Involved in SAS Tokens
When generating SAS tokens, you specify several parameters:
| Parameter | Description |
|---|---|
| Permissions | The allowed actions (e.g., read, write, delete). |
| Start Time | The time from which the SAS becomes valid (optional). |
| Expiry Time | The time after which the SAS is no longer valid. |
| Resource Type | Specifies the scope (Service SAS or Account SAS) and the type of resources the SAS applies to. |
| IP Range | Restricts access to a specified IP range (optional). |
| Protocol | Restricts access by protocol (e.g., HTTPS-only) (optional). |
| Services | Applies to Account SAS; specifies which services (blob, file, queue, table) the SAS applies to. |
Best Practices for Managing SAS Tokens
An Azure Administrator should adhere to the following best practices for managing SAS tokens:
- Use Stored Access Policies: Where possible, associate your SAS tokens with a Stored Access Policy to centrally manage and revoke permissions.
- Use the Minimum Necessary Permissions: Grant only the permissions necessary for the specific task.
- Use Short-lived SAS Tokens: Limit the time window during which a SAS is valid to reduce the risk of unauthorized access.
- Secure your SAS tokens: Treat them as secrets, and never expose them in logs or any publicly accessible areas.
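The parameters in the table above appear in the token itself as short query-string keys (sv, ss, srt, sr, sp, st, se, spr, sip, si, sig). The following Python is an added example, not code from this page or from any Azure tool, that parses a token and checks it against the best practices just listed: expiry present and short, HTTPS-only, IP-restricted, least privilege, not account-wide, and whether it is bound to a stored access policy (si) or is ad hoc. It also shows a logging-safe form with the signature removed. The two sample tokens, the placeholder signatures, the 24-hour threshold and the finding names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Reference time used with the constructed samples so lifetimes are deterministic.
AUDIT_REFERENCE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)
# Assumption: anything valid for longer than this is not "short-lived".
MAX_LIFETIME = timedelta(hours=24)
# Permission letters that let the holder change data:
# w=write, d=delete, a=add, c=create, u=update (r=read and l=list are read-only).
MUTATING_PERMISSIONS = set("wdacu")

# Constructed sample tokens; the "sig" values are placeholders, not real signatures.
WEAK_SAMPLE_TOKEN = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
                     "&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER_SIGNATURE")
GOOD_SAMPLE_TOKEN = ("sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z"
                     "&se=2024-01-01T02:00:00Z&spr=https"
                     "&sip=203.0.113.10-203.0.113.20&sig=PLACEHOLDER_SIGNATURE")


def parse_sas(token):
    """Turn the SAS query string (with or without a leading '?') into a flat dict."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def parse_sas_time(value):
    """Azure accepts several ISO 8601 shapes; try the common ones, always as UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS timestamp: " + value)


def redact(token):
    """Logging-safe form of a token: keep the policy parameters, drop the signature."""
    params = parse_sas(token)
    params.pop("sig", None)
    return urlencode(params)


def audit(token, now=None, max_lifetime=MAX_LIFETIME):
    """Return a list of finding codes for a SAS token, checked against the best practices."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(token)
    findings = []
    if "se" not in p:
        findings.append("NO_EXPIRY")
    else:
        expiry = parse_sas_time(p["se"])
        start = parse_sas_time(p["st"]) if "st" in p else now
        if expiry <= now:
            findings.append("EXPIRED")
        elif expiry - max(start, now) > max_lifetime:
            findings.append("LONG_LIFETIME")
    if p.get("spr") != "https":
        findings.append("NOT_HTTPS_ONLY")
    if "sip" not in p:
        findings.append("NO_IP_RESTRICTION")
    if MUTATING_PERMISSIONS & set(p.get("sp", "")):
        findings.append("MUTATING_PERMISSIONS")
    # An account SAS carries ss/srt; a service SAS carries sr instead.
    if "ss" in p and set("bfqt") <= set(p["ss"]) and set("sco") <= set(p.get("srt", "")):
        findings.append("ACCOUNT_WIDE_SCOPE")
    # Without a stored access policy reference the token can only be revoked by key regeneration.
    if "si" not in p:
        findings.append("AD_HOC")
    return findings


if __name__ == "__main__":
    for name, tok in (("weak", WEAK_SAMPLE_TOKEN), ("good", GOOD_SAMPLE_TOKEN)):
        print(name, redact(tok), audit(tok, now=AUDIT_REFERENCE_TIME))
```

Run the audit on tokens before they are handed out, and log only the `redact()` form; the signature is the secret part of the token and must never reach logs, tickets or chat.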
Monitoring SAS Token Usage
It’s crucial to monitor the usage of SAS tokens for abnormal patterns that might indicate improper access. This can be done using Azure Monitor or Azure Storage Analytics logging.
In conclusion, Shared Access Signature tokens are an essential part of managing access to Azure Storage resources. They provide a secure and flexible way to share access without compromising the primary storage keys. As you gear up for the AZ-104 Microsoft Azure Administrator exam, remember to familiarize yourself with SAS token generation and management best practices across Azure services.
Practice Test with Explanation
True/False: Shared Access Signature (SAS) tokens can be used to delegate access to Azure Storage resources without sharing the storage account keys.
- 1) True
- 2) False
Answer: True
Explanation: SAS tokens provide a way to delegate access rights to Azure Storage resources without exposing the account keys.
Which of the following is NOT a type of Shared Access Signature (SAS)?
- 1) Account-level SAS
- 2) Service-level SAS
- 3) User Delegation SAS
- 4) Blob-only SAS
Answer: Blob-only SAS
Explanation: There are three types of SAS: Account-level, Service-level, and User Delegation SAS. Blob-only SAS is not a recognized type.
True/False: SAS tokens can be created using Azure Portal, Azure CLI, and Azure PowerShell.
- 1) True
- 2) False
Answer: True
Explanation: SAS tokens can be generated through various methods including Azure Portal, Azure CLI, and Azure PowerShell.
What information can you specify when creating a SAS token? (Select all that apply)
- 1) Resource to be accessed
- 2) Permissions
- 3) Expiry time
- 4) IP address range allowed to access
- 5) Your personal email address
Answer: Resource to be accessed, Permissions, Expiry time, IP address range allowed to access
Explanation: When creating a SAS token, you specify the resource, permissions, expiry time, and optionally an IP address range, among other attributes, but not your personal email address.
True/False: Once a Shared Access Signature is created, you can modify its expiry time.
- 1) True
- 2) False
Answer: False
Explanation: After a SAS token has been issued, it cannot be modified. You need to create a new SAS token if you need to change the expiry time.
Which key can be used to create a Service-Level SAS?
- 1) Storage account key
- 2) Primary access key
- 3) Secondary access key
- 4) Any of the above
Answer: Any of the above
Explanation: A Service-Level SAS can be generated using either the primary or secondary storage account key.
True/False: Shared Access Signatures support both Blob and File storage in Azure.
- 1) True
- 2) False
Answer: True
Explanation: SAS tokens can be used with various Azure storage services, including Blob and File storage.
What feature of Azure Storage accounts must be enabled to use User Delegation SAS?
- 1) Storage analytics
- 2) Hierarchical namespace
- 3) Azure Active Directory (Azure AD) domain services
- 4) Azure AD authentication for Azure Blobs and Queues
Answer: Azure AD authentication for Azure Blobs and Queues
Explanation: User Delegation SAS utilizes Azure AD credentials, and thus Azure AD authentication must be enabled.
True/False: The Start time for a Shared Access Signature is required and cannot be left blank.
- 1) True
- 2) False
Answer: False
Explanation: The Start time is optional when creating a SAS token; if you leave it blank, the SAS token is valid immediately.
True/False: SAS should always be used over storage account keys when providing limited and temporary access to Azure Storage resources.
- 1) True
- 2) False
Answer: True
Explanation: Using SAS is recommended over account keys because it provides a granular level of control and limits the exposure of storage account keys.
Which HTTP protocol(s) can be specified when creating a SAS token?
- 1) HTTPS only
- 2) HTTP only
- 3) Both HTTPS and HTTP
- 4) Neither; protocol specification is not required
Answer: Both HTTPS and HTTP
Explanation: When creating a SAS, you can specify which protocol(s) can be used to access the resource. For security, it is recommended to allow HTTPS only.
Interview Questions
What is a shared access signature (SAS) token?
A shared access signature (SAS) token is a query string generated for a resource that specifies a set of permissions and a time interval for accessing that resource.
What are the benefits of using SAS tokens?
Using SAS tokens allows you to grant limited access to a resource, without sharing the account key or compromising the security of the resource. SAS tokens also allow you to limit the time interval during which a client can access a resource.
How do you generate a SAS token?
You can generate a SAS token by creating a policy that defines the permissions and time interval for accessing the resource, and then using the policy to generate a SAS token for the resource.
What is the difference between an ad hoc SAS token and a SAS token created using a stored access policy?
An ad hoc SAS token is generated on the fly, and its properties cannot be modified once it has been created. A SAS token created using a stored access policy, on the other hand, can be modified after it has been created.
What types of resources can you generate SAS tokens for?
You can generate SAS tokens for a wide variety of Azure resources, including storage accounts, queues, blobs, and tables.
What are the permissions that can be granted with a SAS token?
A SAS token can grant a variety of permissions, including read, write, list, delete, add, and create.
How long can a SAS token be valid for?
You can specify the length of time that a SAS token is valid for, up to a maximum of 7 days.
What is a stored access policy?
A stored access policy is a container for defining the permissions and time interval for accessing a resource. It allows you to create and manage a set of policies that can be used to generate SAS tokens for multiple resources.
What are the benefits of using stored access policies?
Using stored access policies allows you to centrally manage the permissions and time intervals for accessing multiple resources. It also makes it easy to update or revoke access for a set of resources by modifying the stored access policy.
How do you revoke access for a SAS token?
To revoke access for a SAS token, you can delete the stored access policy or modify the policy to remove the permissions for the resource. You can also regenerate the SAS token to invalidate the previous token.
Thanks for the detailed post on generating SAS tokens for the AZ-104 exam!
I think it’s crucial to understand the different permissions you can set with a SAS token. Can anyone break this down?
Great info, but don’t forget to always set an expiry time on your SAS tokens to limit exposure.
Can someone explain how to revoke a SAS token?
I appreciate the emphasis on security best practices in this blog!
Make sure to restrict your SAS tokens to specific IP ranges when possible. This adds an extra layer of security.
I have a question: Do the permissions in a SAS token override the permissions set on the storage account?
Is there a difference in SAS token generation between Blob storage and File storage?