Create and use shared access signature (SAS) tokens
There are a few different ways you can create a SAS token. A SAS token is a way to granularly control how a client can access data in an Azure storage account. You can also use an account-level SAS to access the account itself. You can control many things, such as what services and resources the client can access, what permission the client has, how long the token is valid for, and more.
This section examines how to create SAS tokens using various methods. The simplest way to create one is by using the Azure portal. Browse to the Azure storage account and open the Shared Access Signature blade (see Figure 2-10). You can select the services, resource types, and permissions based on specific requirements, along with the validity period of the SAS token and the IP addresses that are allowed access. Lastly, you have an option to choose which key you want to use as the signing key for this token.
FIGURE 2-10 Creating a shared access signature using the Azure portal
Once the token is generated, it is listed along with the connection string and SAS URLs, as shown in Figure 2-11.
FIGURE 2-11 Generated SAS token with connection string and SAS URLs
Also, you can create SAS tokens using Storage Explorer or the command-line tools (or programmatically using the REST APIs/SDK). To create a SAS token using Storage Explorer, you need to first select the resource (storage account, container, blob, and so on) for which the SAS token needs to be created. Then right-click the resource and select Get Shared Access Signature. Figure 2-12 demonstrates how to create a SAS token using Azure Storage Explorer.
FIGURE 2-12 Creating a shared access signature using Azure Storage Explorer
Use shared access signatures
Each SAS token is a query string that can be appended to the full URI of the blob or other storage resource for which the SAS token was created. Appending the token to that URI produces the SAS URI.
The following example shows the combination in more detail. Suppose the storage account name is examref, the blob container name is examrefcontainer, and the blob path is sample-file.png. The full URI to the blob in storage is
https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png
The combined URI with the generated SAS token is
https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png?sv=2024-01-02&ss=bfqt&srt=sco&sp=rwdlacupx&se=2024-02-02T08:50:14Z&st=2024-01-01T00:50:14Z&spr=https&sig=65tNhZtj2lu0tih8HQtK7aEL9YCIpGGprZocXjiQ%2Fko%3D
Currently, stored access policy is not supported for account-level SAS.
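The query string of the SAS URI above encodes everything the token grants, so it can be reviewed before it is handed to a client. The following Python sketch is an added example, not code from the original text or from Azure: it audits an account-level SAS URI against a constructed review policy. The function name, the seven-day lifetime limit, and the list of permissions treated as risky are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed review policy (assumptions, not Azure defaults).
MAX_LIFETIME = timedelta(days=7)
RISKY_PERMS = {"w": "write", "d": "delete", "x": "delete version"}
REQUIRED = ("sv", "ss", "srt", "sp", "se", "sig")  # account SAS fields

# The SAS URI from the text above.
SAMPLE_URI = (
    "https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png"
    "?sv=2024-01-02&ss=bfqt&srt=sco&sp=rwdlacupx&se=2024-02-02T08:50:14Z"
    "&st=2024-01-01T00:50:14Z&spr=https"
    "&sig=65tNhZtj2lu0tih8HQtK7aEL9YCIpGGprZocXjiQ%2Fko%3D"
)

def _ts(value):
    """Parse the UTC timestamp formats a SAS may carry in st/se."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS timestamp: " + value)

def audit_sas(uri):
    """Return review findings for an account SAS URI; sig is never echoed."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    missing = [f for f in REQUIRED if f not in q]
    if missing:
        return ["not an account SAS, missing: " + ", ".join(missing)]
    findings = []
    risky = [name for flag, name in RISKY_PERMS.items() if flag in q["sp"]]
    if risky:
        findings.append("grants " + ", ".join(risky))
    if len(q["ss"]) > 1:  # b=blob, f=file, q=queue, t=table
        findings.append("spans %d services (ss=%s)" % (len(q["ss"]), q["ss"]))
    if "s" in q["srt"]:  # s=service, c=container, o=object
        findings.append("includes service-level operations (srt has 's')")
    if q.get("spr", "https,http") != "https":  # omitted spr permits HTTP too
        findings.append("HTTP allowed (spr is not https-only)")
    if "sip" not in q:
        findings.append("no source IP restriction (sip absent)")
    if "st" in q:  # without st the start time is the moment of first use
        lifetime = _ts(q["se"]) - _ts(q["st"])
        if lifetime > MAX_LIFETIME:
            findings.append("valid for %d days" % lifetime.days)
    return findings
```

Run against SAMPLE_URI, the audit reports five findings, including write and delete permissions across all four services and a 32-day validity window with no IP restriction.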