Using Storage Access Policy with Azure Storage

In this post we will go through setting up and using a stored access policy with an Azure storage account. We can create a SAS URL directly, but once one is issued there is no way to revoke it without rotating the storage keys.

A stored access policy can be used to control shared access signatures (SAS) on the server side. We can use a stored access policy to change the start time, expiry time, or permissions for a SAS URL that is generated from a storage account. We can also revoke access after it has been issued without having to rotate the storage keys.

Below are the storage resources that support stored access policies:

  • Blob containers
  • File shares
  • Queues
  • Tables

First we will create a new storage account in Azure.

Log on to Azure and go to Storage accounts. Click Create and add in the basic details; I left the rest as default.

Azure storage account wizard

Once the storage account is deployed, we create a container; in the example below it is called files.

Blob Container

Go into the container and create a policy under Access policy.

Blob Container

Give the policy a name, set the required permissions and the start / end date. Click OK and then save the policy.

Access Policy

Once the policy is created it will show under Access policy.

Now that we have the access policy we need to create a new SAS. There are two ways to do this.

First, we can create it directly from the storage account in Azure under Shared access tokens.

Select the stored access policy. We can also restrict access down to a specific IP address.

Next click on Generate SAS token and URL.

We can also use Azure Storage Explorer to create a new SAS.

Azure Storage Explorer can be downloaded from:

https://azure.microsoft.com/en-us/features/storage-explorer/

Log on with an account that has access to the storage account.

Select the storage account that we want to create the SAS for.

Azure Storage Explorer

Select the access policy; this greys out all the other options, as the SAS now takes its settings from the access policy.

shared access signature

Click Create and this will generate the URL with the SAS key, which will also reference the access policy.

shared access signature

To test access to the blob we can connect using Storage Explorer.

Click on Connect to Azure Storage and select Blob container.

Azure Storage Explorer Resource Selection

Select SAS

Azure Storage Explorer Connection Method

Give the connection a name and add in the SAS URL generated earlier.

Azure Storage Explorer Connection Info

The last screen is a summary of the details; once all are confirmed, click Connect.

Azure Storage Explorer Summary

We have now connected to the files container we created, using the stored access policy and SAS.

To test that the policy is working we can try to delete a file. As I didn’t apply that permission in the policy, I get access denied.

File Explorer Activity Monitor

Now we can update the policy and add the delete permission. Click Save; the policy can take 30 seconds to update.

Access Policy

Now when we delete the file it completes without issue.

File Explorer Activity Monitor

Using a stored access policy allows granular access control. It also means that if we need to change a permission or the start / expiry time for an application or user that is using the SAS URL, we no longer have to re-issue the SAS each time; we can just update the stored access policy that the SAS references.
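The same workflow from the portal and Storage Explorer above (create the policy, issue a SAS bound to it, widen its permissions, then revoke it) can be scripted with the Az.Storage PowerShell module. This is an added example and not code from the original post; the resource group, account, container and policy names are assumed placeholders, and it expects the Az module to be installed and Connect-AzAccount to have been run.

```powershell
# Added example: manage a stored access policy and a policy-bound SAS with Az.Storage.
# Assumed names (not from the post): resource group "rg-storage-demo", account "stdemo01",
# container "files", policy "files-readonly".
$rg        = "rg-storage-demo"
$account   = "stdemo01"
$container = "files"
$policy    = "files-readonly"

# A key-based context is needed to create policies and sign service SAS tokens.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# 1. Create the stored access policy on the container: read + list only, valid for 7 days.
#    A container can hold at most five stored access policies.
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission "rl" -StartTime (Get-Date).ToUniversalTime() `
    -ExpiryTime (Get-Date).ToUniversalTime().AddDays(7) -Context $ctx

# 2. Issue a SAS bound to the policy. No permissions or expiry are passed here: the token
#    carries only the policy identifier (the si query parameter) and the signature, so the
#    service looks the policy up on every request. HTTPS-only is enforced on the token itself.
$sasUrl = New-AzStorageContainerSASToken -Name $container -Policy $policy `
    -Protocol HttpsOnly -Context $ctx -FullUri
# To pin the token to one client address, add: -IPAddressOrRange "203.0.113.10"
$sasUrl

# 3. Change what the already-issued token may do without re-issuing it: add delete (d).
#    As noted in the post, allow up to 30 seconds for the change to take effect.
Set-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission "rld" -ExpiryTime (Get-Date).ToUniversalTime().AddDays(7) -Context $ctx

# 4. Revoke every SAS that references the policy by deleting the policy. The tokens now
#    fail authorization even though they are unexpired, and the account keys are untouched.
Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy -Context $ctx

# Audit: list the policies still in force on the container (expect none after step 4).
Get-AzStorageContainerStoredAccessPolicy -Container $container -Context $ctx
```

Run steps 3 and 4 separately in practice; they are shown together here only to contrast updating a policy with revoking it.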
