Every storage account has two access keys. You can hand an access key to users, who use it to sign the Authorization header of their REST calls. An access key grants complete control over the whole storage account, which is a serious attack vector: if the key is compromised, every piece of data in the account is compromised with it. You also cannot bound the access in time; whoever holds a key has full access until an administrator regenerates it. That is a poor fit for collaborating with partners for a limited period, because when the collaboration ends you must regenerate the key by hand to cut off access, and then update every other system that was using the same key. Another downside is that you cannot scope a key to a service: one key reaches blobs, queues, tables, and files alike, so granting blob-only access with an access key is impossible. Nor can you grant read-only access; an access key gives read-write access to whoever possesses it. All of these concerns are addressed by shared access signatures (SAS).
A SAS is a set of signed query parameters appended to the URI of a storage resource. The parameters state what the token allows (which services, which permissions, for how long, from where), and the signature binds those parameters so that they cannot be altered without the signing key. SAS is ideal for any scenario where you don't want to expose or share the access keys themselves: with a SAS you grant access to specific services and resources for a specific period of time, which reduces the chance of your account keys being compromised and follows the principle of least privilege. Keep in mind that a SAS is still a bearer token; anyone who obtains it can use it within its constraints, which is why a short expiry and a narrow scope matter.
A SAS gives you granular control over access to objects or services. Using a SAS, you can configure the following parameters:
- Control access at the service level (blob, queue, table, or file).
- Set the time frame during which the SAS is valid. You can specify both a start time and an expiry time; if the start time is omitted, the SAS is valid as soon as it is issued.
- Set permissions such as read, write, delete, and list.
- Restrict the SAS to an IP address or IP range from which requests are accepted.
- Set the accepted protocol: HTTPS only, or HTTPS and HTTP. You cannot restrict a SAS to HTTP alone, and HTTPS only should be your default choice.
Note that there are three types of SAS: account SAS, service SAS, and user delegation SAS. An account SAS delegates access to resources in one or more storage services (blob, table, queue, or file) and is signed with an account key. A service SAS delegates access to a resource in a single storage service (for example, a container or a single blob) and is also signed with an account key. A user delegation SAS is signed with a key obtained through Azure AD credentials instead of an account key, so the account key never has to be handled at all; it is available for Azure Blob storage only and is the preferred option where it applies.
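To make the parameters above and the account SAS construction concrete, here is an added example (written for this edit, not code from the book) that signs an account SAS with the documented HMAC-SHA256 construction, verifies a token the way the service does on each request, and audits a token's scope for least privilege. It uses only Python's standard library. Assumptions: the string-to-sign layout is the documented one for service version 2019-12-12 (later service versions append further fields), and the account name, key, IP range and clock are constructed dummies, not real credentials.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

DUMMY_ACCOUNT = "examplestorage"                              # constructed account name
DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()       # constructed 512-bit key, not a real one
SAS_VERSION = "2019-12-12"                                    # assumed service version (see lead-in)
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Signed fields of an account SAS at this version, in order; each is followed by "\n".
_SIGNED_FIELDS = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")


def _string_to_sign(account, p):
    """Canonical text the signature covers: account name, then the fields above (absent ones empty)."""
    return "".join(f"{v}\n" for v in (account, *(p.get(f, "") for f in _SIGNED_FIELDS)))


def _signature(key_b64, text):
    """HMAC-SHA256 keyed with the base64-decoded account key over the UTF-8 text, base64-encoded."""
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def generate_account_sas(account, key_b64, *, permissions, services, resource_types,
                         expiry, start=None, ip_range=None, https_only=True):
    """Build an account SAS query string. Only the derived signature leaves the issuer, never the key."""
    p = {
        "sv": SAS_VERSION,
        "ss": services,          # b/q/t/f: services the token reaches
        "srt": resource_types,   # s/c/o: service, container, object level
        "sp": permissions,       # e.g. r, w, d, l, a, c, u
        "se": expiry.strftime(TS_FMT),
        "spr": "https" if https_only else "https,http",   # HTTP-only is not an option
    }
    if start is not None:
        p["st"] = start.strftime(TS_FMT)
    if ip_range:
        p["sip"] = ip_range
    p["sig"] = _signature(key_b64, _string_to_sign(account, p))
    return urlencode(p)


def parse_sas(token):
    """SAS query string -> flat dict (every SAS parameter appears once)."""
    return {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}


def with_param(token, name, value):
    """Rewrite one parameter and leave the signature alone (simulates a holder tampering with the token)."""
    p = parse_sas(token)
    p[name] = value
    return urlencode(p)


def verify_account_sas(account, key_b64, token, now):
    """Mirror the service-side check: recompute the signature over the token's own fields,
    compare in constant time, then enforce the validity window. Returns (ok, reason)."""
    p = parse_sas(token)
    expected = _signature(key_b64, _string_to_sign(account, p))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return False, "signature mismatch: token altered or signed with another key"
    if "st" in p and now < _parse_ts(p["st"]):
        return False, "not yet valid"
    if now >= _parse_ts(p["se"]):
        return False, "expired"
    return True, "ok"


def audit_sas(token, issued_at, max_lifetime=timedelta(hours=1)):
    """Least-privilege review of a token; returns a list of findings (empty means it looks tight)."""
    p = parse_sas(token)
    findings = []
    if "http" in p.get("spr", "https").split(","):       # split, since 'http' is a substring of 'https'
        findings.append("plain HTTP allowed (spr): token can be sniffed in transit")
    lifetime = _parse_ts(p["se"]) - issued_at
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds {max_lifetime}")
    if set(p.get("sp", "")) & set("wdacu"):
        findings.append(f"write-class permissions granted (sp={p['sp']})")
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    if len(p.get("ss", "")) > 1:
        findings.append(f"token spans several services (ss={p['ss']})")
    return findings


def make_tight_token():
    """Read-only, blob objects only, 30 minutes, HTTPS only, pinned to a (documentation) IP range."""
    return generate_account_sas(DUMMY_ACCOUNT, DUMMY_KEY, permissions="r", services="b",
                                resource_types="o", start=DEMO_NOW,
                                expiry=DEMO_NOW + timedelta(minutes=30),
                                ip_range="203.0.113.0-203.0.113.255")


def make_broad_token():
    """Everything the access key could do, for a year, over HTTP, from anywhere."""
    return generate_account_sas(DUMMY_ACCOUNT, DUMMY_KEY, permissions="rwdlacu", services="bqtf",
                                resource_types="sco", expiry=DEMO_NOW + timedelta(days=365),
                                https_only=False)


if __name__ == "__main__":
    tight = make_tight_token()
    print("tight :", verify_account_sas(DUMMY_ACCOUNT, DUMMY_KEY, tight, DEMO_NOW), audit_sas(tight, DEMO_NOW))
    forged = with_param(tight, "sp", "rw")   # try to escalate permissions without the key
    print("forged:", verify_account_sas(DUMMY_ACCOUNT, DUMMY_KEY, forged, DEMO_NOW))
    print("broad :", audit_sas(make_broad_token(), DEMO_NOW))
```

Running the script shows the two properties the text relies on: the tight token verifies and passes the audit, the same token with `sp` rewritten to `rw` fails signature verification because the permissions are part of the signed string, and the broad token, although perfectly valid, is flagged on every axis (protocol, lifetime, permissions, IP, services). The verification step also makes clear why the signing key must stay on the issuer's side: the service recomputes the HMAC with the same key, so whoever holds the key can mint any token at all.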
Now that you are familiar with the parameters, let's learn how to generate a SAS.