Concepts

Shared access signatures (SAS) in Microsoft Azure provide a secure way to grant limited permissions to clients, allowing them to access and manipulate resources without compromising the primary account key. SAS can be used to provide temporary access to resources such as blobs, queues, tables, and files in Azure Storage, as well as for granting access to specific operations for Azure Service Bus and Azure Event Hubs. In this article, we will explore how to create and implement shared access signatures in Azure.

Components of a Shared Access Signature

Before we proceed, let’s understand the components of a shared access signature:

  1. The resource URI: This is the URL to the Azure resource that you want to grant access to. It could be a blob, queue, table, file, service bus, or event hub.
  2. The permissions: These define the operations that the client can perform on the resource. For example, read, write, or delete permissions can be specified.
  3. The start time and expiry time: These denote the period during which the shared access signature is valid. Any request made after the expiry time will be denied.
  4. The signature: This is a hash-based message authentication code (HMAC) computed using the account key or a shared access key.

Creating a Shared Access Signature

To create a shared access signature, you need to use the Azure Storage SDK or REST API. The following code snippet demonstrates how to create a shared access signature for a blob in Azure Storage using the .NET SDK:

using System;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Blob;

// Builds a service SAS for a single blob that is valid for one hour from now.
static string CreateBlobSasToken()
{
    // Retrieve the connection string for the storage account.
    string connectionString = "<YourStorageConnectionString>";

    // Create a CloudStorageAccount object from the connection string.
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(connectionString);

    // Create a CloudBlobClient object from the storage account.
    CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

    // Get a reference to the blob container.
    CloudBlobContainer container = blobClient.GetContainerReference("<container-name>");

    // Get a reference to the blob.
    CloudBlockBlob blob = container.GetBlockBlobReference("<blob-name>");

    // Generate a shared access signature with read and write permissions that starts now and expires in 1 hour.
    string sasToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy
    {
        SharedAccessStartTime = DateTime.UtcNow,
        SharedAccessExpiryTime = DateTime.UtcNow.AddHours(1),
        Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write
    });

    // Return the shared access signature (a query string to append to the blob URI).
    return sasToken;
}

In the above code, you need to replace “<YourStorageConnectionString>”, “<container-name>”, and “<blob-name>” with appropriate values.

Implementing the Shared Access Signature

Once you have obtained the shared access signature, you can provide it to clients so they can access the resource. The following example demonstrates how to use a shared access signature to upload a blob using the Azure Storage REST API:

PUT https://<YourStorageAccount>.blob.core.windows.net/<container-name>/<blob-name>?<sas-token>

Replace “<YourStorageAccount>”, “<container-name>”, “<blob-name>”, and “<sas-token>” with the appropriate values.

Securing the Shared Access Signature

When creating shared access signatures, it’s important to ensure that the permissions and expiry time are properly restricted based on your requirements. Avoid granting unnecessary permissions or excessive timeframes to prevent unauthorized access.
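The following Python is an added example, not code from the original article: it takes a SAS URL apart into the components listed earlier (permissions `sp`, start `st`, expiry `se`, protocol `spr`, IP `sip`, signature `sig`), checks it against the restrictions this section recommends, and redacts the signature so the URL can be logged safely. The policy limits, the storage account name and both sample tokens are constructed values, not Azure defaults or real signatures.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Policy limits for this example (constructed; tune to your own requirements).
MAX_LIFETIME = timedelta(hours=1)
ALLOWED_PERMISSIONS = set("rl")  # read and list only

def parse_sas(url):
    """Split a SAS URL into the resource URI and its token parameters."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    resource = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return resource, params

def _iso(ts):
    # SAS start/expiry times are ISO 8601 UTC, e.g. 2024-01-01T10:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url):
    """Return policy findings for a SAS URL; an empty list means it passes."""
    _, p = parse_sas(url)
    findings = []
    if "se" not in p:
        findings.append("no expiry (se) set")
    else:
        # A missing start time means the token is valid from the moment it is issued.
        start = _iso(p["st"]) if "st" in p else datetime.now(timezone.utc)
        if _iso(p["se"]) - start > MAX_LIFETIME:
            findings.append("lifetime exceeds policy")
    extra = set(p.get("sp", "")) - ALLOWED_PERMISSIONS
    if extra:
        findings.append("excess permissions: " + "".join(sorted(extra)))
    if p.get("spr") != "https":  # absent spr allows both HTTP and HTTPS
        findings.append("HTTP allowed (spr not https)")
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    return findings

def redact_sas(url):
    """Mask the signature so the URL can appear in logs without leaking the token."""
    return re.sub(r"([?&])sig=[^&]*", r"\1sig=REDACTED", url)

# Constructed sample URLs: a broad 24-hour read/write/delete token and a tightened one.
SAMPLE_URL = ("https://examplestorage.blob.core.windows.net/container/blob.txt"
              "?sv=2021-08-06&sr=b&sp=rwd&st=2024-01-01T10:00:00Z"
              "&se=2024-01-02T10:00:00Z&sig=ZmFrZXNpZ25hdHVyZQ%3D%3D")
HARDENED_URL = ("https://examplestorage.blob.core.windows.net/container/blob.txt"
                "?sv=2021-08-06&sr=b&sp=r&st=2024-01-01T10:00:00Z&se=2024-01-01T11:00:00Z"
                "&spr=https&sip=203.0.113.10&sig=ZmFrZXNpZ25hdHVyZQ%3D%3D")
```

Running `audit_sas(SAMPLE_URL)` reports four findings (lifetime, permissions, protocol, IP), while `audit_sas(HARDENED_URL)` returns an empty list.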

Renegotiating and Revoking Shared Access Signatures

If you need to modify the permissions or expiry time of a shared access signature, you can simply create a new signature with the desired settings and provide it to the client. To revoke access, you can invalidate the shared access signature by changing the account key or shared access key associated with it.

By using shared access signatures, you can provide secure and limited access to your Azure resources. Remember to follow security best practices and review the Microsoft Azure documentation for more details on configuring and implementing shared access signatures.

Happy coding!

Answer the Questions in Comment Section

When creating a shared access signature (SAS), which of the following token parameters is optional?

a) Start Time

b) Expiry Time

c) Permissions

d) IP Address

Correct answer: d) IP Address

True or False: Shared access signatures provide a secure way to grant limited access rights to Azure Storage resources.

Correct answer: True

Which of the following resources can be authorized using a shared access signature? (Select all that apply)

a) Blob containers

b) Tables

c) Queues

d) Virtual machines

Correct answer: a) Blob containers, b) Tables, c) Queues

When generating a shared access signature for a blob, which of the following permissions can be granted? (Select all that apply)

a) Read

b) Write

c) List

d) Delete

Correct answer: a) Read, b) Write, c) Delete

True or False: A shared access signature can only be generated using the storage account primary key.

Correct answer: False

Which of the following access options can be specified when creating a shared access signature? (Select all that apply)

a) HTTPS only

b) HTTP or HTTPS

c) FTP

d) SSH

Correct answer: a) HTTPS only, b) HTTP or HTTPS

When specifying specific IP addresses or ranges for a shared access signature, which of the following formats is correct? (Select all that apply)

a) Single IP address, e.g., 1

b) CIDR notation, e.g., 0/24

c) IP range with a wildcard, e.g., *.*

d) Domain name, e.g., example.com

Correct answer: a) Single IP address, e.g., 1, b) CIDR notation, e.g., 0/24

True or False: Shared access signatures can be revoked before their expiry time.

Correct answer: False

Which HTTP method(s) can be authorized using a shared access signature? (Select all that apply)

a) GET

b) POST

c) PUT

d) DELETE

Correct answer: a) GET, b) POST, c) PUT, d) DELETE

When creating a shared access signature, which of the following authentication options is NOT available?

a) Account key

b) Service principal

c) User identity

d) Active Directory authentication

Correct answer: c) User identity

Juho Pesola
1 year ago

Great post on creating and implementing shared access signatures! Very helpful for my AZ-204 prep.

Kirk Porter
1 year ago

Could someone explain the difference between user-delegation SAS and service SAS?

Chloe Smith
1 year ago

Is there any performance impact when using SAS tokens?

Antonio Vásquez
1 year ago

When creating a SAS token, what’s the maximum allowable TTL (Time-to-Live)?

Evangelos Ebner
1 year ago

Appreciate the detailed explanation given in the blog!

Teodemiro Moura
1 year ago

Can SAS tokens be revoked once they are issued?

Oya Durak
1 year ago

The blog post was quite basic. Expected more advanced content on SAS implementation.

Arthur Gagné
10 months ago

How to scope SAS tokens to specific IP addresses?
