Using Stored Access Policy with Azure Storage

In this post we will go through setting up and using a stored access policy with an Azure storage account. We can create a SAS URL on its own, but once one has been issued there is no way to revoke it without rotating the storage keys.

A stored access policy can be used to control shared access signatures (SAS) on the server side. We can use a stored access policy to change the start time, expiry time, or permissions for a SAS URL that is generated from a storage account. We can also revoke access after it has been issued without having to rotate the storage keys.

Below are the storage resources that support stored access policies:

  • Blob containers
  • File shares
  • Queues
  • Tables

First we will create a new storage account in Azure.

Log on to Azure and go to Storage accounts. Click Create and add in the basic details; I left the rest as default.

Azure storage account wizard

Once the storage account is deployed, we will create a container; in the example below it is called files.

Blob Container

Go into the container and create a policy under Access policy.

Blob Container

Give the policy a name, set the required permissions and the start / end date. Click OK and then save the policy.

Access Policy

Once the policy is created it will show under Access policy.

Now that we have the access policy we will need to create a new SAS. There are two ways to create this.

First we can create it directly from Azure storage under Shared access tokens.

Select the Stored access policy. We can also restrict access down to a specific IP.

Next click on Generate SAS token and URL.

We can also use Azure Storage Explorer to create a new SAS.

Azure Storage Explorer can be downloaded from:

https://azure.microsoft.com/en-us/features/storage-explorer/

Log on with an account that has access to the storage account.

Select the storage account that we want to create the SAS for.

Azure Storage Explorer

Select the access policy. This will then grey out all the other options, as we are now using the access policy for the SAS.

shared access signature

Click Create and this will generate the URL with the SAS key, which will also reference the access policy.

shared access signature

To test access to the blob we can connect using Storage Explorer.

Click Connect to Azure Storage and select Blob container.

Azure Storage Explorer Resource Selection

Select SAS

Azure Storage Explorer Connection Method

Give the connection a name and add in the SAS URL generated earlier.

Azure Storage Explorer Connection Info

The last screen is a summary of the details. Once all are confirmed, click Connect.

Azure Storage Explorer Summary

We have now connected to the Files container we created with the storage policy and SAS.

To test that the policy is working we can try to delete a file. As I didn’t apply that permission in the policy, I get access denied.

File Explorer Activity Monitor

Now we can update the policy and add the delete permission. Click Save; the policy can take 30 seconds to update.

Access Policy

Now when we delete the file it completes without issue.

File Explorer Activity Monitor

Using a stored access policy allows granular access control. It also means that if we need to change a permission or the start / expiry time for an application or user that is using the SAS URL, we no longer have to re-issue the URL each time; we can just update the stored access policy used for the SAS.
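
The portal steps above can also be scripted with the Az PowerShell module. This is an added example, not part of the original post: the resource group, storage account and policy names are placeholders, and it assumes Connect-AzAccount has already been run.

```powershell
# Placeholder names (assumptions); only the container name comes from the post.
$rg        = 'rg-demo'
$account   = 'stdemoaccount'
$container = 'files'
$policy    = 'read-list-policy'

# A service SAS is signed with the account key, so build the context from it.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# 1. Create the stored access policy: read + list only, valid for 7 days.
#    The start time is set slightly in the past to tolerate clock skew.
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission rl -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddDays(7) -Context $ctx

# 2. Issue a SAS URL that references the policy instead of carrying its own
#    permissions and expiry.
$sasUrl = New-AzStorageContainerSASToken -Name $container -Policy $policy `
    -FullUri -Context $ctx

# 3. Check the token is bound to the policy: it should carry si=<policy name>
#    and no sp (permissions) or se (expiry) values of its own.
$query = @{}
foreach ($pair in (([uri]$sasUrl).Query.TrimStart('?') -split '&')) {
    $name, $value = $pair -split '=', 2
    $query[$name] = [uri]::UnescapeDataString($value)
}
if ($query['si'] -ne $policy -or $query.ContainsKey('sp') -or $query.ContainsKey('se')) {
    throw 'SAS is not bound to the stored access policy; it cannot be revoked server-side.'
}

# 4. Add the delete permission later without re-issuing the URL
#    (the post notes the change can take around 30 seconds to apply).
Set-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission rld -Context $ctx

# 5. Revoke: removing the policy invalidates every SAS that references it,
#    with no storage key rotation.
Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Context $ctx
```

Run step 5 only when access should actually be withdrawn; any client still holding the SAS URL is denied once the policy is gone.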

How to check VM SKU and VM Series Sizes Different Methods

When deploying VMs in Azure using templates we need to be able to check the VM SKU and sizes, so that we can update the templates to deploy different OS versions and VM sizes.

There are a few different methods that can be used.

The first is the Microsoft documentation; below is the link to the virtual machine size docs.

https://docs.microsoft.com/en-us/azure/virtual-machines/sizes-general

We can select the type; in this case we will use general purpose.

Select the size; I selected ddv5-ddsv5-series. There will be a table listing the VM sizes.

We can also check the VM size from the Azure portal by creating a new VM and changing the VM size.

The last method is to use either PowerShell or Azure CLI to query the required details on Windows image SKUs and VM sizes.

First we need to install the Azure AZ PowerShell module.

Run the command below to install the Az module.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Once the module is installed run

Connect-AzAccount

We can use Get-AzVMImagePublisher to get the publisher name; in this case I was looking for Microsoft Windows.

Get-AzVMImagePublisher -Location northeurope | Where-Object {$_.PublisherName -like 'MicrosoftWindows*'}

To check all available Windows Server images we can run.

Get-AzVMImageSku -Location northeurope -PublisherName MicrosoftWindowsServer -Offer WindowsServer

We can use a Where-Object filter to filter by server OS version.

Get-AzVMImageSku -Location northeurope -PublisherName MicrosoftWindowsServer -Offer WindowsServer | Where-Object {$_.Skus -like '2022*'}

To get the VM series sizes, use the command below to check the sizes available in a specific region.

Get-AzVMSize -Location northeurope

To filter by a specific number of cores or by name we will use Where-Object again.

Get-AzVMSize -Location northeurope | Where-Object {$_.NumberOfCores -eq 4 -and $_.Name -like 'Standard_D*'}

Once we have the image SKU and VM size, we can update our template file with the required VM size and image references.