Tutorial / Cram Notes

SAS tokens grant specific permissions to resources within a storage account for a set period. These permissions can be finely tuned to allow actions such as reading, writing, and deleting on blobs, queues, tables, and files.

There are two types of SAS tokens:

  • Service SAS – Grants access to specific resources in a storage account.
  • Account SAS – Grants access to resources in one or more services in a storage account.

Generating a Service SAS

To generate a Service SAS, you can use the Azure Portal, Azure PowerShell, the Azure CLI, or an Azure Storage SDK. Here is a simple example of generating a Service SAS for a blob using Azure PowerShell:

<code>
# Storage context used to sign the SAS; $accountKey holds the storage account key
$ctx = New-AzStorageContext -StorageAccountName "mystorageaccount" -StorageAccountKey $accountKey

# Define the resource (blob) and confirm it exists
$containerName = "mycontainer"
$blobName = "myblob.jpg"
$blob = Get-AzStorageBlob -Container $containerName -Blob $blobName -Context $ctx

# Define the expiry time and permissions for the SAS (read only, two hours)
$expiryTime = (Get-Date).AddHours(2)
$permissions = "r"

# Generate the SAS token
$sasToken = New-AzStorageBlobSASToken -Blob $blob.Name -Container $containerName `
    -Permission $permissions -ExpiryTime $expiryTime `
    -Context $ctx

# Output the SAS token (treat it as a secret; do not write it to shared logs)
Write-Output $sasToken
</code>

This generates a token that allows read access to the specified blob for two hours.

Generating an Account SAS

An Account SAS typically grants broader access than a Service SAS. Here is an Azure CLI (bash) example for generating an Account SAS:

<code>
# Define the storage account name, the services the SAS covers (b=blob, f=file,
# q=queue, t=table) and the resource types (s=service, c=container, o=object)
accountName="myStorageAccount"
services="b"
resourceTypes="sco"
permissions="rl"
# Expiry 30 minutes from now, in the UTC format the CLI expects (GNU date syntax)
expiry=$(date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ')

# Generate the SAS token; $accountKey holds the storage account key used to sign it
az storage account generate-sas --permissions "$permissions" --account-name "$accountName" \
    --account-key "$accountKey" \
    --services "$services" --resource-types "$resourceTypes" \
    --expiry "$expiry" -o tsv
</code>

This example generates a SAS that allows read and list permissions on Blob service resources for 30 minutes.

Parameters Involved in SAS Tokens

When generating SAS tokens, you specify several parameters:

Parameter      Description
-------------  ------------------------------------------------------------------------------
Permissions    The allowed actions (e.g., read, write, delete).
Start Time     The time from which the SAS becomes valid (optional).
Expiry Time    The time after which the SAS is no longer valid.
Resource Type  Specifies the scope (Service SAS or Account SAS) and the type of resources the SAS applies to.
IP Range       Restricts access to a specified IP range (optional).
Protocol       Restricts access by protocol (e.g., HTTPS-only) (optional).
Services       Account SAS only: specifies which services (blob, file, queue, table) the SAS applies to.

Best Practices for Managing SAS Tokens

As an Azure Administrator, it is important to adhere to best practices for managing SAS tokens:

  • Use Stored Access Policies: Where possible, associate your SAS tokens with a Stored Access Policy to centrally manage and revoke permissions.
  • Use the Minimum Necessary Permissions: Grant only the permissions necessary for the specific task.
  • Use Short-lived SAS Tokens: Limit the time window during which a SAS is valid to reduce the risk of unauthorized access.
  • Secure your SAS tokens: Treat them as secrets, and never expose them in logs or any publicly accessible areas.
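As an added example (not code from the original notes), the following Python function parses a SAS query string into the parameters listed in the table above and reports which of the best practices just listed it fails. The 7-day lifetime limit, the set of mutating permission letters and the wording of the findings are this example's own choices.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Query keys follow the Azure Storage SAS format: ss/srt mark an account SAS,
# sr a service SAS, si a stored access policy, and sp/st/se/spr/sip carry the
# permissions, start, expiry, protocol and IP range. Thresholds are example policy.
MAX_LIFETIME = timedelta(days=7)
MUTATING = set("wdacux")  # write, delete, add, create, update, process (assumed set)

def parse_sas(token: str) -> dict:
    """Flatten a SAS query string (leading '?' optional) into {key: value}."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}

def parse_time(value: str) -> datetime:
    """Accept the timestamp shapes a SAS may carry, with or without seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS timestamp: {value}")

def audit_sas(token: str, now: datetime) -> list:
    """Return best-practice findings for one token; an empty list means it passes."""
    p = parse_sas(token)
    if "sig" not in p:
        return ["no 'sig' parameter: not a SAS token"]
    findings = []
    if "si" not in p:
        findings.append("ad hoc SAS (no 'si'): cannot be revoked through a stored access policy")
        if "se" not in p:
            findings.append("no expiry ('se') and no stored access policy to supply one")
        elif parse_time(p["se"]) - now > MAX_LIFETIME:
            findings.append(f"expiry {p['se']} is more than {MAX_LIFETIME.days} days out")
    # When spr is absent, Azure permits both HTTPS and HTTP.
    if p.get("spr", "https,http") != "https":
        findings.append("not restricted to HTTPS ('spr' absent or allows http)")
    if "sip" not in p:
        findings.append("no IP range restriction ('sip')")
    mutating = MUTATING & set(p.get("sp", ""))
    if mutating:
        findings.append(f"grants mutating permissions: {''.join(sorted(mutating))}")
    if "ss" in p or "srt" in p:
        findings.append(f"account SAS over services '{p.get('ss')}' / resource types "
                        f"'{p.get('srt')}'; prefer a service SAS scoped to one resource")
    return findings
```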

Monitoring SAS Token Usage

It’s crucial to monitor the usage of SAS tokens for abnormal patterns that might indicate improper access. This can be done using Azure Monitor or Azure Storage Analytics logging.
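An added example, not part of the original notes: a small detection pass in Python over constructed log records shaped like Azure Monitor storage resource logs. The field names used (identity.type, identity.tokenHash, callerIpAddress, statusCode) and the thresholds are assumptions to check against the log schema you actually export; the pass flags one SAS token used from several source IPs and a source IP repeatedly failing SAS authentication.

```python
from collections import defaultdict

def rec(t, ip, status, auth="SAS", token="h1", op="GetBlob"):
    """Build one constructed log record in the assumed Azure Monitor shape."""
    return {"time": t, "operationName": op, "statusCode": status, "callerIpAddress": ip,
            "identity": {"type": auth, "tokenHash": token}}

SAMPLE_LOGS = [  # constructed sample data, not real telemetry
    rec("2024-06-01T10:00:01Z", "203.0.113.10:51000", 200),
    rec("2024-06-01T10:00:05Z", "203.0.113.10:51002", 200),
    rec("2024-06-01T10:01:00Z", "198.51.100.7:40000", 200, token="h2"),
    rec("2024-06-01T10:01:30Z", "198.51.100.8:40001", 200, token="h2"),
    rec("2024-06-01T10:02:00Z", "192.0.2.99:40002", 200, token="h2"),
    rec("2024-06-01T10:03:00Z", "192.0.2.200:50000", 403),
    rec("2024-06-01T10:03:01Z", "192.0.2.200:50001", 403),
    rec("2024-06-01T10:03:02Z", "192.0.2.200:50002", 403),
    rec("2024-06-01T10:04:00Z", "203.0.113.10:51003", 403),
    rec("2024-06-01T10:05:00Z", "203.0.113.50:51500", 200, auth="OAuth", token=""),
]

def sas_findings(records, max_ips_per_token=1, max_auth_failures=3):
    """Return detections as tuples: ('token_shared', hash, ips) or ('auth_failures', ip, count)."""
    ips_by_token = defaultdict(set)
    failures_by_ip = defaultdict(int)
    for r in records:
        ident = r.get("identity") or {}
        if ident.get("type") != "SAS":
            continue  # only SAS-authenticated traffic is in scope for these rules
        ip = str(r.get("callerIpAddress", "")).split(":")[0]  # logs may append a port
        if str(r.get("statusCode")) == "403":
            failures_by_ip[ip] += 1           # SAS presented but rejected
        else:
            ips_by_token[ident.get("tokenHash", "?")].add(ip)
    findings = []
    for token, ips in ips_by_token.items():
        if len(ips) > max_ips_per_token:  # one token in use from several clients: possible leak
            findings.append(("token_shared", token, sorted(ips)))
    for ip, n in failures_by_ip.items():
        if n >= max_auth_failures:        # repeated rejections: expired or tampered token, or probing
            findings.append(("auth_failures", ip, n))
    return findings
```

Pair the token hash from a finding with your issuance records to identify which SAS to revoke (delete or tighten its stored access policy, or rotate the signing key for ad hoc tokens).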

In conclusion, Shared Access Signature tokens are an essential part of managing access to Azure Storage resources. They provide a secure and flexible way to share access without compromising the primary storage keys. As you gear up for the AZ-104 Microsoft Azure Administrator exam, remember to familiarize yourself with SAS token generation and management best practices across Azure services.

Practice Test with Explanation

True/False: Shared Access Signature (SAS) tokens can be used to delegate access to Azure Storage resources without sharing the storage account keys.

  • 1) True
  • 2) False

Answer: True

Explanation: SAS tokens provide a way to delegate access rights to Azure Storage resources without exposing the account keys.

Which of the following is NOT a type of Shared Access Signature (SAS)?

  • 1) Account-level SAS
  • 2) Service-level SAS
  • 3) User Delegation SAS
  • 4) Blob-only SAS

Answer: Blob-only SAS

Explanation: There are three types of SAS: Account-level, Service-level, and User Delegation SAS. Blob-only SAS is not a recognized type.

True/False: SAS tokens can be created using Azure Portal, Azure CLI, and Azure PowerShell.

  • 1) True
  • 2) False

Answer: True

Explanation: SAS tokens can be generated through various methods including Azure Portal, Azure CLI, and Azure PowerShell.

What information can you specify when creating a SAS token? (Select all that apply)

  • 1) Resource to be accessed
  • 2) Permissions
  • 3) Expiry time
  • 4) IP address range allowed to access
  • 5) Your personal email address

Answer: Resource to be accessed, Permissions, Expiry time, IP address range allowed to access

Explanation: When creating a SAS token, you specify the resource, permissions, expiry time, and optionally an IP address range, among other attributes, but not your personal email address.

True/False: Once a Shared Access Signature is created, you can modify its expiry time.

  • 1) True
  • 2) False

Answer: False

Explanation: After a SAS token has been issued, it cannot be modified. You need to create a new SAS token if you need to change the expiry time.

Which key can be used to create a Service-Level SAS?

  • 1) Storage account key
  • 2) Primary access key
  • 3) Secondary access key
  • 4) Any of the above

Answer: Any of the above

Explanation: A Service-Level SAS can be generated using either the primary or secondary storage account key.

True/False: Shared Access Signatures support both Blob and File storage in Azure.

  • 1) True
  • 2) False

Answer: True

Explanation: SAS tokens can be used with various Azure storage services, including Blob and File storage.

What feature of Azure Storage accounts must be enabled to use User Delegation SAS?

  • 1) Storage analytics
  • 2) Hierarchical namespace
  • 3) Azure Active Directory (Azure AD) domain services
  • 4) Azure AD authentication for Azure Blobs and Queues

Answer: Azure AD authentication for Azure Blobs and Queues

Explanation: User Delegation SAS utilizes Azure AD credentials, and thus Azure AD authentication must be enabled.

True/False: The Start time for a Shared Access Signature is required and cannot be left blank.

  • 1) True
  • 2) False

Answer: False

Explanation: The Start time is optional when creating a SAS token; if you leave it blank, the SAS token is valid immediately.

True/False: SAS should always be used over storage account keys when providing limited and temporary access to Azure Storage resources.

  • 1) True
  • 2) False

Answer: True

Explanation: Using SAS is recommended over account keys because it provides a granular level of control and limits the exposure of storage account keys.

Which HTTP protocol(s) can be specified when creating a SAS token?

  • 1) HTTPS only
  • 2) HTTP only
  • 3) Both HTTPS and HTTP
  • 4) Neither; protocol specification is not required

Answer: Both HTTPS and HTTP

Explanation: When creating a SAS, you can specify which protocol(s) can be used to access the resource. For security, it is recommended to allow HTTPS only.

Interview Questions

What is a shared access signature (SAS) token?

A shared access signature (SAS) token is a query string generated for a resource that specifies a set of permissions and a time interval for accessing that resource.

What are the benefits of using SAS tokens?

Using SAS tokens allows you to grant limited access to a resource, without sharing the account key or compromising the security of the resource. SAS tokens also allow you to limit the time interval during which a client can access a resource.

How do you generate a SAS token?

You can generate a SAS token by creating a policy that defines the permissions and time interval for accessing the resource, and then using the policy to generate a SAS token for the resource.

What is the difference between an ad hoc SAS token and a SAS token created using a stored access policy?

An ad hoc SAS token is generated on the fly, and its properties cannot be modified once it has been created. A SAS token created using a stored access policy, on the other hand, can be modified after it has been created.

What types of resources can you generate SAS tokens for?

You can generate SAS tokens for a wide variety of Azure resources, including storage accounts, queues, blobs, and tables.

What are the permissions that can be granted with a SAS token?

A SAS token can grant a variety of permissions, including read, write, list, delete, add, and create.

How long can a SAS token be valid for?

You can specify the length of time that a SAS token is valid for, up to a maximum of 7 days.

What is a stored access policy?

A stored access policy is a container for defining the permissions and time interval for accessing a resource. It allows you to create and manage a set of policies that can be used to generate SAS tokens for multiple resources.

What are the benefits of using stored access policies?

Using stored access policies allows you to centrally manage the permissions and time intervals for accessing multiple resources. It also makes it easy to update or revoke access for a set of resources by modifying the stored access policy.

How do you revoke access for a SAS token?

To revoke access for a SAS token, you can delete the stored access policy or modify the policy to remove the permissions for the resource. You can also regenerate the SAS token to invalidate the previous token.

Kent Watson
1 year ago

Thanks for the detailed post on generating SAS tokens for the AZ-104 exam!

Abssilão Campos
1 year ago

I think it’s crucial to understand the different permissions you can set with a SAS token. Can anyone break this down?

Rusan Mikitin
2 years ago

Great info, but don’t forget to always set an expiry time on your SAS tokens to limit exposure.

James Harris
8 months ago

Can someone explain how to revoke a SAS token?

Tristan Patel
2 years ago

I appreciate the emphasis on security best practices in this blog!

Ibrahim Berger
1 year ago

Make sure to restrict your SAS tokens to specific IP ranges when possible. This adds an extra layer of security.

Vernon Lawrence
1 year ago

I have a question: Do the permissions in a SAS token override the permissions set on the storage account?

Rachel Perrin
1 year ago

Is there a difference in SAS token generation between Blob storage and File storage?
