Azure - Shared Access Signature (SAS) - Account key vs User Delegation

#cloud #azure

Hi All!

I would say Azure Storage is a long-lasting service. Whichever compute services overtake one another, Azure Storage stays in use. For example, a .NET web application can be hosted in IIS on an Azure VM, in App Service with or without Docker, or in a Function App for event-based workloads. Depending on the requirements, App Service sometimes wins over a VM, a Function App wins over the rest, and so on.

When we use any cloud service, security is one of the main pillars we need to consider. Here we are going to talk about granting access to a Blob Storage account to a customer or anyone else who requires it.

Consider a scenario in which a customer application places a file; it could be CSV, JSON or XML, whatever it may be, but a single type. Let's take JSON here.

We need to allow some people to access that file. Here we have two questions:

  1. Who are those people: Azure AD users or non-Azure AD users?
  2. What permissions do we need to grant? Is granting only Read permission sufficient, or should we grant some additional access as well?

For #2, if they only want to access/download the file, we can grant only Read and List permissions in the SAS. There is no need to grant Write, Delete, Create, etc.

The main purpose of this post is to discuss question no. 1.

We have two types of signing method:

  1. User Delegation
  2. Account Key

If the team or specific users who need to access the blob(s) are part of Azure AD, we can go for User Delegation.

If the team or specific users who need to access the blob(s) are not part of Azure AD, we can go for Account Key.

The vital point about an Account Key SAS is that if anybody rotates the key (Access Key), the SAS may become invalid. We then need to recreate the SAS and share it again with the people who already had the previous one.

An Account Key based SAS can be generated from either key1 or key2, as you can see in the image below. If you rotate key1, only key1 is affected.
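To make the two points above concrete (grant only Read and List, and an Account Key SAS stops validating once the key it was signed with is rotated), here is an added, offline model of account-key SAS signing and service-side validation. It is example code, not from this post or the Azure SDK: the account, container, blob and both keys are constructed values, the string-to-sign field order is modelled on the documented service-SAS layout for a blob (an assumption; real code should call `generate_blob_sas` from `azure-storage-blob`), and `validate` stands in for what the storage service does with the account's current key.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample values: a fake account, container and blob, plus two
# base64 account keys standing in for key1 before and after a rotation.
ACCOUNT, CONTAINER, BLOB = "examplestorage", "customer-uploads", "order.json"
KEY1 = base64.b64encode(b"constructed-key1-not-a-real-secret").decode()
KEY1_ROTATED = base64.b64encode(b"constructed-key1-after-rotation").decode()
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TWO_HOURS_LATER = FIXED_NOW + timedelta(hours=2)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
VERSION = "2020-12-06"

def string_to_sign(perms, start, expiry):
    # Field order modelled on the documented service-SAS string-to-sign for a
    # blob (assumption); optional fields (identifier, IP, snapshot, encryption
    # scope, response headers) are left empty here.
    canonical = f"/blob/{ACCOUNT}/{CONTAINER}/{BLOB}"
    return "\n".join([perms, start, expiry, canonical, "", "", "https",
                      VERSION, "b", "", "", "", "", "", "", ""])

def sign(account_key_b64, perms, start, expiry):
    # Account-key SAS: HMAC-SHA256 keyed with the decoded storage account key.
    key = base64.b64decode(account_key_b64)
    msg = string_to_sign(perms, start, expiry).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def build_sas(account_key_b64, perms="rl", hours=1, now=FIXED_NOW):
    # Default permissions are Read + List only, as recommended for download access.
    start = now.strftime(TIME_FMT)
    expiry = (now + timedelta(hours=hours)).strftime(TIME_FMT)
    return {"sv": VERSION, "sr": "b", "sp": perms, "st": start, "se": expiry,
            "spr": "https", "sig": sign(account_key_b64, perms, start, expiry)}

def validate(sas, current_key_b64, operation="r", now=FIXED_NOW):
    # Model of the service-side check: recompute the signature with the
    # account's *current* key, then check expiry and the requested permission.
    expected = sign(current_key_b64, sas["sp"], sas["st"], sas["se"])
    if not hmac.compare_digest(expected, sas["sig"]):
        return "invalid signature"  # key rotated, or token parameters tampered with
    if now > datetime.strptime(sas["se"], TIME_FMT).replace(tzinfo=timezone.utc):
        return "expired"
    if operation not in sas["sp"]:
        return "permission denied"
    return "ok"
```

Because the permission string is part of what is signed, a holder of a Read/List token cannot simply edit `sp` to add Write; and once key1 is rotated, every token signed with it fails validation and must be reissued.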
