Use user delegation SAS
You can also create a user delegation SAS using Microsoft Entra ID credentials. The user delegation SAS is only supported by Blob Storage, and it can grant access to containers and blobs.
Currently, stored access policies are not supported for a user delegation SAS.
Configure stored access policies
A SAS token incorporates the access parameters (start and end time, permissions, and so on) as part of the token. The parameters cannot be changed without generating a new token, and the only way to revoke an existing token before its expiry time is to regenerate the storage account key used to generate the token or to delete the blob. In practice, these limitations can make standard SAS tokens difficult to manage.
Stored access policies allow the parameters for a SAS token to be decoupled from the token itself. The access policy specifies the start time, end time, and access permissions, and the access policy is created independently of the SAS tokens. SAS tokens are generated that reference the stored access policy instead of embedding the access parameters explicitly.
With this arrangement, the parameters of existing tokens can be modified by simply editing the stored access policy. Existing SAS tokens remain valid and use the updated parameters. You can revoke the SAS token by deleting the access policy, renaming it (changing the identifier), or changing the expiry time.
Figure 2-13 shows the creation of stored access policies in the Azure portal.
FIGURE 2-13 Creating stored access policies using the Azure portal
Figure 2-14 shows stored access policies being created in Azure Storage Explorer.
FIGURE 2-14 Creating stored access policies using Azure Storage Explorer
To use the created policies, reference them by name when creating a SAS token using Storage Explorer or when creating a SAS token using PowerShell or the CLI tools.
The simplest way to manage access to a storage account is to use access keys. With the storage account name and an access key to the Azure storage account, you have full access to all data in all services within the storage account. You can create, read, update, and delete containers, blobs, tables, queues, and file shares. In addition, you have full administrative access to everything other than the storage account itself. (You cannot delete the storage account or change settings on the storage account, such as its type.)
Applications will use the storage account name and key for access to Azure Storage.
Sometimes, this is to grant access by generating a SAS token, and sometimes, it is for direct access with the name and key.
To access the storage account name and key, open the storage account from within the Azure portal and click Access Keys. Figure 2-15 shows the primary and secondary access keys for a storage account.
FIGURE 2-15 Access keys for an Azure storage account
Each storage account has two access keys. This means you can modify applications to use the second key instead of the first and then regenerate the first key. This technique is known as “key rolling” or “key rotation.” You can reset the primary key with no downtime for applications that directly access storage using an access key.
Storage account access keys can be regenerated using the Azure portal or the command-line tools. In PowerShell, this is accomplished with the New-AzStorageAccountKey cmdlet; with Azure CLI, you will use the az storage account keys renew command.
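The following PowerShell script is an added example (not from the book) that walks through both procedures described above: creating a stored access policy, issuing a SAS that references it by name, changing and then deleting the policy to revoke the tokens, and finally rolling the primary key. The resource group, account, container, and policy names are placeholders; the script assumes the Az.Accounts and Az.Storage modules and an existing Connect-AzAccount session.

```powershell
# Placeholder names (assumptions, not values from the page).
$rg        = 'rg-demo'
$account   = 'stdemo12345'
$container = 'reports'
$policy    = 'reports-readonly'

# Build a storage context from the current primary key (key1).
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# 1. Create the stored access policy on the container. Permissions, start,
#    and expiry live in the policy, not in the tokens that reference it.
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission 'rl' -StartTime (Get-Date) -ExpiryTime (Get-Date).AddDays(7) `
    -Context $ctx

# 2. Generate a SAS token that references the policy by name. The resulting
#    token carries an "si=" (signed identifier) parameter instead of the
#    usual sp/st/se parameters, which is the check that it is policy-bound.
$sas = New-AzStorageContainerSASToken -Name $container -Policy $policy -Context $ctx
"Policy-bound SAS: $sas"
if ($sas -notmatch 'si=') { Write-Warning 'Token does not reference the policy.' }

# 3. Shorten the policy's expiry. Every token issued against the policy now
#    expires at the new time; no token has to be reissued.
Set-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -ExpiryTime (Get-Date).AddHours(1) -Context $ctx

# 4. Hard revocation: deleting the policy invalidates all tokens that reference it.
Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Context $ctx

# 5. Key rolling: point clients at key2 first, then regenerate key1. Note that
#    any SAS signed with key1 (policy-bound or not) stops working at this point.
$key2 = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[1].Value
# ... update application configuration to use $key2 before the next line ...
New-AzStorageAccountKey -ResourceGroupName $rg -Name $account -KeyName key1 | Out-Null
```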