14 March 2022

  • 2

  • 2,555 views

  • 0

14 March 2022

2,555 views
2 0

Azure Storage Policies: Control SAS from the server side

*Update at the end

Azure Storage Policies are around for some time already, but they manage to stay unnoticed. This feature is very powerful and few people know about it.

Probably you already know about Storage Keys and Shared Access Security. It’s important to highlight one limitation: Once we generate a SAS key, we can’t change or cancel it anymore.

The SAS keys are not stored on the server side. Once they are generated, the server has no control over it and we can’t block it or make any change.

Very few people know there is a solution for this: Azure Storage Policies. The process is very simple. You create a Storage Policy for your container. You create a SAS key based on the storage policy and the magic is done. The policy is a server object which give you control over the generated SAS keys.

Creating and Testing a Storage Policy

Let’s follow some steps and test this concept.

1) Locate a file in a private blob container on your Azure subscription

2) Try to open the file URL. You can’t, unless you provide authentication. We will do this with a SAS key.

3) On the container, click “…” to open the menu and click Access Policies

 

4) Configure the permission, start date and expiration date

 

This was the easy part. The next step is to create the SAS key based on the storage policy. You can’t do this through the portal. You can use Powershell to create the key or use Azure Storage Explorer. The Azure Portal doesn’t implement this feature. This explains a lot why this feature goes unnoticed.

5) On Azure Storage Explorer, right click the file and select the option called Generate Shared Access Signature. The resulting window allows you to choose an existing Azure Policy to tie the key with.

6) Click Create button to generate the key.

The resulting key is different than the usual SAS keys. It doesn’t include the parameters for the expiration date and the user permission. It includes a reference to the policy and it will use the information it has.

This enables you to manage many different scenarios for the generated SAS keys:

  • Modify the user permission in the SAS keys
  • Change the expiration date in the SAS keys
  • Disable the SAS keys – by dropping the policy

Let’s complete some final tests to illustrate this:

7) Try to download the file using the generated link. You will be able to download it.

8) On the portal, delete the storage policy.

 

9) Try to download the file again. You may need to use an anonymous window to avoid cache. You will receive an authentication error.

 

Limitations

The Storage Account policies are created on the level of the container. You can control the user permission, but you can’t control the granularity. The use will have access to the entire container.

The policies are available for blob containers only, they can’t be created on file shares.

Summary

Storage Account Policy is a hidden feature which enables us to do what most people believe not being possible: Manage SAS keys from the server side.

UPDATE 22/05: When I wrote this blog the policies could only be used in Azure Storage Explorer. Some weeks later, a new option became available on the Azure portal, allowing us to use the policies with SAS keys generated in the portal.

  • 2

  • 2,555 views

Rate this article

Click to rate this post!
[Total: 3 Average: 3.3]

Dennes Torres

Dennes Torres is a Data Platform MVP and Software Architect living in Malta who loves SQL Server and software development and has more than 20 years of experience. Dennes can improve Data Platform Architectures and transform data in knowledge. He moved to Malta after more than 10 years leading devSQL PASS Chapter in Rio de Janeiro and now is a member of the leadership team of MMDPUG PASS Chapter in Malta organizing meetings, events, and webcasts about SQL Server. He is an MCT, MCSE in Data Platforms and BI, with more titles in software development. You can get in touch on his blog https://dennestorres.com or at his work https://dtowersoftware.com

Follow Dennes Torres via

View all articles by Dennes Torres

Load comments

Related articles

 10 April 2024
10 April 2024

Azure OpenAI and RAG Security

0
1
The most watched videos on my youtube channel are related to security. Azure SQL Networking Secrets and Cloud Security: Secure Access from your Applications to Azure SQL explain private endpoints from different points of views: Azure SQL and Function Apps. The concepts of Private Endpoints apply to most Azure features and even the relation of … Read more
0
1
06 March 2023
06 March 2023

Synapse Serverless and Dedicated Pool: The differences no one told you about

0
6
The basic differences between Synapse Serverless and the Dedicated pool are obvious: While the serverless doesn’t store data, only access data from storage accounts and scale the MPP environment automatically, the dedicate SQL Pool keeps a static number of servers according to the service level we choose and a constant number of distributions – always … Read more
0
6
18 October 2021
18 October 2021

Creating Views in Azure Portal

0
1
Resource groups and subscriptions sometimes are not enough to organize the content of our Azure Portal. I was preparing for a presentation and looking into a lot of resource groups, but during the presentation only a few of them should appear for me. How could I control this? The need is the mother of the … Read more
0
1

Tags

, ,