Microsoft Azure Storage and Database Part 8 – Secure Azure Storage Using Stored Access Policy


Hello Everybody,

Hope you all are doing good !!! 🙂 .

In our last article we have discussed how to secure our storage account using Shared Access Signature (SAS). Today in this article we will discuss another way to secure our Storage account. Using Stored Access Policy we can add one extra layer of support to manage our Shared Access Signature (SAS) more efficiently.

Get A SAS URI :

When we are generating a Shared Access Signature, Azure provides two following way to create the signature.

  1. Ad hoc SAS: In this approach, we are defining all the attributes at time of creation as we did in our previous article.
  2. SAS with stored access policy:  In this approach, we are creating a access policy where we are managing constraints (permissions, start time and end time) for more than one SAS. In the second choice, when we need a SAS URI, we can create it and specify only the name of the stored access policy instead of all the parameters required on the ad hoc version. When authorization happens, the required information is retrieved from the stored access policy we configured. Today we are going to discuss on this approach.

Previous Azure series :

  1. Learn Basics Of Azure Networking In 60 Hours
  2. Learn Basic Of Azure Active Directory And Azure Identity And Access Management
  3. Azure DevOps – Learn at one place

If you have missed our previous articles on Azure Storage and Database Series, please check it in following links.

Part 1 – Overview Of Azure Storage and Database

Part 2 – Azure Storage Account

Part 3 – Azure Blob Storage

Part 4 – Work With Azure Blob Storage

Part 5 – Storage Explorer For Azure Storage

Part 6 – Azure Blob Storage – Snapshot Using Storage Explorer

Part 7 – Azure Blob Storage – Shared Access Signature (SAS)

Next Article : Part 9 – Secure Azure Storage Using RBAC

Stored Access Policy :

Stored Access Policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. So let’s go through the following steps to configure our Stored Access Policy.

Note: We can add a Stored Access Policy for a Queue as we are doing for Blob container in this article.

Step 1 – Log-in to Azure portal and navigate to the storage account as shown in the following figure.

Figure 1 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – My blob container

Step 2 – Navigate to the container we want to provide access to (‘kj-container’ in this example). As showing in the following image, it will share all blobs under this container. Click Access Policy as showing from Settings section of left menu.

Figure 2 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Add new Access Policy

Step 3 – From Access policy pagethen click Add policy for Stored Access Policy section.

Figure 3 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Add New Stored Access Policy

Step 4 – The Add policy window will appear. Here we need to provide all required information as per our requirements and click OK button to add the policy.

Figure 4 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Provide Stored Access Policy attributes value
Figure 5 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Provide Stored Access Policy attributes value
Figure 6 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Provide Stored Access Policy attributes value

Step 5 – As showing in the following figure, the policy added to the list. Now Click Save button to finish the Stored Access Policy configuration.

Figure 7 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Save Stored Access Policy

Generate Shared Access Signature (SAS) Using Microsoft Azure Storage Explorer :

Now we are ready with our Stored Access Policy and time comes to get our Shared Access Signature. In our previous article we have seen how to get SAS in ad hoc, where we had to provide all information during the configuration. But here in this approach, we only configure the Stored Access Policy name and in turn SAS will get all required information from the Stored Access Policy.

Here we are getting SAS at container level, so all files under this container can be access using the same SAS query starting. We will generate the SAS using Microsoft Azure Storage Explore tool. In one of our previous article we have discussed about this tool. So we have configured the client version of Microsoft Azure Storage Explore tool in our machine. Let’s go-through the following steps.

Step 1- Open the Microsoft Azure Storage Explore tool and navigate to our container after successfully log-in as showing in the following figure.

Figure 8 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore

Step 2 – Select the container (kj-container) and Click on “Get Shared Access Signature…” from the context menu as showing in the following figure.

Figure 9 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore- Get SAS

Step 3 – From Shared Access Signature pop-up window select the Stored Access Policy we have created in the above section ( TwoDaysReadAccess_KJ-Container) . This will automatically set other information as per the access policy configuration. We can configure the key value. Click Create to generate the SAS URI as showing in the following figure.

Figure 10 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore- Select Stored Access Policy

Step 4 – As showing in the following figure, we have now the query string to copy and append after our blob URI. Click Copy button to copy the content.

Figure 11 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore -SAS URI

Generate Shared Access Signature (SAS) Using Portal :

In the above section, we saw how to generate SAS URI using Microsoft Azure Storage Explorer. Here we will discuss how to get the SAS URI using portal.

Step 1 – Login to portal and select Storage Account (kj-container). Then, select Storage Explorer (preview) as shown in the following figure.

Figure 12– Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore preview

Step 2 – Expand BlOB CONTAINERS. Select our Blob container (kj-container), right click and click Get Shared Access Signature as showing in the following figure.

Figure 13 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore preview – Get SAS URL

Step 3 – From Shared Access Signature page, Select our Stored Access Policy as shown in the following figure and it will automatically map other necessary attributes as it did in our previous section. Click Create to generate the SAS URI.

Figure 14 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore preview – Select Stored Access Policy

Step 4 – As showing in the following figure, we have now the query string to copy and append after our blob URI. Click Copy button to copy the content.

Figure 15 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Storage Explore preview- Copy SAS URI

Let’s try to test the query string how it works. As we discussed, we need to append this query string with our blob URL. for example the path would be like : : https://{BlobAccountURL}/{containerName}/{filename.ext}?{Querystring}

If we consider the following rule our URL would be : : https://kj21storageacount.blob.core.windows.net/kj-container/Annapurna%20Moharana.pdf?si=TwoDaysReadAccess_KJ-Container&sv=2020-02-10&sr=c&sig=05zW478aS2mJJ18fdUYHRDLOVGMUrXs0Y1VyzyxZEFs%3D

If we try to access our blob directly without SAS URL it will show ResourceNotFound error page as showing in the following figure.

Figure 16 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Error

In the following figure we can see the blob is now accessible using SAS URL as it’s query string.

Figure 17 – Microsoft Azure Storage and Database – SAS-Stored Access Policy – Success

Advantage Of This Approach :

The advantage using Stored Access Policy here, is not only avoiding extra effort to add all the attributes of access for each creation, but also how we revoke the SAS. we can revoke it by changing the expiry time on the policy, or simply deleting the policy itself. Then, all SAS URI’s that inherit from that stored access policy will immediately be modified. This is preferable to changing our storage account keys which could have severe impact on our applications.

I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.

Next Article : Part 9 – Secure Azure Storage Using RBAC

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.

If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.

Thanks for reading 🙂 .

Manas Ranjan Moharana

Around 11+ years of total IT experience and since last 10 years working on almost on all version of SharePoint .Interested in learning and sharing something new to be helthy.

You may also like...

20 Responses

  1. May 23, 2021

    […] our last article we have discussed how to secure our storage account using Shared Access Signature (SAS) With Stored Access Policy. Today in this article we will discuss how to secure our Storage account using Azure role-based […]

  2. May 29, 2021

    […] my journey with Azure, when I was trying to create a Stored Access Policy using following script snippet for my blob container using PowerShell one Error occur and the Error […]

  3. May 30, 2021

    […] one of our last article we have discussed how to configure Stored Access Policy and SAS based on Stored Access Policy. Today in this article, we will discuss how to configure Stored Access Policy using […]

  4. May 31, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  5. June 11, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  6. June 13, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  7. June 18, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  8. June 19, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  9. June 21, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  10. June 22, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  11. June 23, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  12. June 25, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  13. June 28, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  14. June 29, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  15. July 2, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  16. July 3, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  17. July 6, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  18. July 12, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  19. July 24, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

  20. July 31, 2021

    […] Part 8 – Secure Azure Storage Using Stored Access Policy […]

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: