A shared access signature (SAS) provides secure delegated access to resources in Azure Storage. SAS tokens can be signed in one of two ways: by using storage access keys and by using Azure Active Directory. SAS tokens that are signed by Azure AD accounts are also known as "user delegation SAS tokens." In this post, we present an overview of storage account security and then focus on managing user delegation SAS tokens.

Baki Onur Okutucu

Onur is a subject matter expert for Office 365, Azure, and PowerShell technologies. He is the founder of Clouderz Ltd, a cloud consultancy based in London. For ten years in a row, Microsoft has recognized him as a Most Valuable Professional. You can follow Onur on Twitter: @BakiOnur.

Several security mechanisms are available for Azure Storage accounts, such as access keys, SAS, storage advanced threat protection (ATP), encryption, and firewalls.

While some of these features protect access at the network level, others ensure that access to sensitive data from untrusted sources is managed securely. Securing access to a specific blob in a container, or to an entire storage account, can be accomplished in several ways. It's important to know which methods best secure a given service in a storage account. Let's have a quick look at the access methods on a storage account.

Access keys

Access keys are used to authenticate application or user requests against a storage account. There are two keys by default, and each grants full access to the storage account. This is why these keys should be protected in a Key Vault for an additional layer of security. In addition, regenerating the keys regularly (key rotation) is essential to limit the damage if a key has leaked to an untrusted party.

SAS

A SAS is a URI that grants access rights to Azure Storage resources and services such as a blob, file, table, or container. When you create a SAS, you also specify the permissions that users or applications have on the resource and how long the SAS remains valid. SAS tokens can be created in the Azure Portal, with the CLI, or with PowerShell. If required, an account-level SAS can be created to delegate access to multiple services in a storage account rather than to an individual service.

SAS tokens are signed with a key when they are created. SAS tokens can be signed in two ways: using a storage account key or using Azure Active Directory.

Storage account key

SAS tokens for both individual services and entire storage accounts can be signed using either storage access key of a storage account. So when you regenerate the access keys of a storage account, the existing SAS tokens signed with the old keys stop working and have to be regenerated as well.

Azure Active Directory

SAS tokens can be signed with a key created using Azure AD credentials. This method is known as "user delegation SAS." It protects SAS tokens using OAuth 2.0 tokens for an additional layer of security.

Creating a user delegation SAS key using PowerShell

Now we know that a user delegation SAS is more secure than one signed with a storage access key. So how can we use it? We will now use PowerShell to create a user delegation SAS key.

To create a user delegation SAS from PowerShell, we first need to install the Az.Storage 1.3.1-preview module.

A preview version of the AZ.Storage module must be installed first

We create a new storage account context to point to a storage account on which we will create a user delegation SAS token.

A new storage account context is used to point the storage account resources

Now I'll create a new SAS token with the following command:

The Storage Blob Data Contributor role must be assigned to create a user delegation SAS token

Unfortunately, the command failed because I don't have the required permissions to perform this operation. I will use the following command to assign my account the Storage Blob Data Contributor role. This role includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action, which allows me to create a new SAS key.

The Storage Blob Data Contributor role has been assigned

Now that I have access, I can run the following command:

User delegation SAS tokens can only be created for a maximum of 7 days

What now? This time it says, “you cannot create a user delegation with an expiry time longer than 7 days.” That's fine. Let me try with 5 days, then.

Creating a new user delegation SAS token

All good now! All right, what am I going to do with this token?

First, I'll create a blob in a storage account container: a simple text file that I will use to verify access using the blob URI together with the SAS key I've just generated.

Creating a test blob in a storage account container

The URL of the storage blob is:

https://thefriends.blob.core.windows.net/sastest/sastestblob.txt

However, this URL alone does not grant access to unauthorized users, because it carries no SAS token; anonymous requests for the blob are refused.

Here's where the SAS token comes into play. Appending the following SAS token to the blob URL yields a complete, valid URL that grants access to the blob:

?sv=2018-11-09&sr=c&sig=wlbwkInBv%2Ffuah2RUFzKkDJlxwNkNLnXKHHmqXp3bhw%3D&skoid=7d00fe23-0864-4cb8-8877-c7572e51f6f9&sktid=849e8524-4433-4b03-aea4-b2dd81e72401&skt=2019-10-06T19%3A22%3A18Z&ske=2019-10-11T19%3A22%3A18Z&sks=b&skv=2018-11-09&se=2019-10-11T19%3A22%3A18Z&sp=racwdl

So the complete URL would look like this:

https://thefriends.blob.core.windows.net/sastest/sastestblob.txt?sv=2018-11-09&sr=c&sig=wlbwkInBv%2Ffuah2RUFzKkDJlxwNkNLnXKHHmqXp3bhw%3D&skoid=7d00fe23-0864-4cb8-8877-c7572e51f6f9&sktid=849e8524-4433-4b03-aea4-b2dd81e72401&skt=2019-10-06T19%3A22%3A18Z&ske=2019-10-11T19%3A22%3A18Z&sks=b&skv=2018-11-09&se=2019-10-11T19%3A22%3A18Z&sp=racwdl

Accessing the resource using the blob URL with the user delegation SAS token

I can now access the file for 5 days without any issue.

If I need to remove access to the resource, I can revoke the user delegation keys for the storage account using the following command:

Revoking the SAS token

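The whole procedure above (OAuth context, role assignment, SAS creation within the 7-day limit, test blob, verification, revocation) as one added example script; this is not the post's own code. The resource group name, the use of New-AzRoleAssignment -SignInName for the signed-in user, and a read-only blob-scoped SAS instead of the post's racwdl container SAS are assumptions.

```powershell
# Added example, not from the original post. Assumed names: resource group
# 'rg-sasdemo'; account and container are taken from the post's blob URL.
$rg        = 'rg-sasdemo'        # assumed
$account   = 'thefriends'
$container = 'sastest'
$blobName  = 'sastestblob.txt'

# 1. Sign in and fetch the storage account; its resource ID is the RBAC scope.
Connect-AzAccount | Out-Null
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account

# 2. Grant the signed-in user Storage Blob Data Contributor at account scope.
#    The role carries Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey.
#    Scope it to the account (or a container), not the subscription; propagation
#    can take a few minutes before the SAS cmdlet stops returning 403.
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me `
    -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $sa.Id | Out-Null

# 3. -UseConnectedAccount builds an OAuth (Azure AD) context, so the SAS cmdlets
#    produce a user delegation SAS instead of one signed with an account key.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount

# 4. Upload the test blob (constructed content).
Set-Content -Path $blobName -Value 'hello from a user delegation SAS test'
Set-AzStorageBlobContent -File $blobName -Container $container -Blob $blobName `
    -Context $ctx -Force | Out-Null

# 5. Create the SAS. Expiry must be at most 7 days (the post uses 5). A read-only
#    SAS on one blob is a tighter grant than 'racwdl' on the whole container.
$sasUri = New-AzStorageBlobSASToken -Container $container -Blob $blobName `
    -Permission r -ExpiryTime (Get-Date).ToUniversalTime().AddDays(5) `
    -Context $ctx -FullUri
$sasUri   # contains skoid/sktid/skt/ske/sks/skv: the delegation-key fields shown above

# 6. Verify: the bare URL is refused, the URL with the SAS is served.
$bareUri = ($sasUri -split '\?')[0]
try   { Invoke-WebRequest -Uri $bareUri -UseBasicParsing | Out-Null }
catch { "anonymous request refused: $($_.Exception.Message)" }
(Invoke-WebRequest -Uri $sasUri -UseBasicParsing).Content

# 7. Revoke. This invalidates every user delegation SAS issued for the account,
#    not just this one, so plan for clients that hold other delegation tokens.
Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName $rg -StorageAccountName $account
```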

Conclusion

Securing resources in Azure is crucial. Using user delegation SAS keys to protect resources is one way to add an additional layer of security. Signing a SAS key with Azure Active Directory and OAuth 2.0 is more secure than using storage account keys, which are more easily compromised. Azure AD integration keeps expanding to more Azure services, raising the level of protection available.

© 4sysops 2006 - 2019