azure:az-500:storage_security

Differences

azure:az-500:storage_security [2022/07/20 18:50] – [Shared Access Signature(SAS)] mmuze
azure:az-500:storage_security [2022/07/20 19:08] (current) – [Shared Access Signature(SAS)] mmuze
Line 12: Line 12:
   * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]   * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]
   * [[https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory|Azure AD]] is the recommended way to provide authorization for storage account access.   * [[https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory|Azure AD]] is the recommended way to provide authorization for storage account access.
-  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides and expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access. 
- 
  
 ==== Types of Authorization ==== ==== Types of Authorization ====
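Review bot: the bullet removed here is re-added verbatim under the Stored Access Policy heading later in this revision, and it carries the typo "It provides and expiration date" with it; since the text is being relocated anyway, correct it to "It provides an expiration date" at its new location rather than leaving the error in both places.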
Line 31: Line 29:
   * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]   * [[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]]
  
-  * The only way to revoke a SAS is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only).+  * The only way to revoke a SAS (that was signed by a key) is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only)
 +  * There are tree types of SAS, user delegated, service SAS and account SAS.
   * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.   * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.
   * A **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...).   * A **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...).
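Review bot: the added line "There are tree types of SAS, user delegated, service SAS and account SAS." has a typo ("tree" for "three") and names the first type "user delegated" while the next bullet and the rest of the page call it a "user delegation SAS"; suggest "There are three types of SAS: user delegation SAS, service SAS and account SAS." Also, the rewritten first bullet in this hunk dropped its closing period after "(for service-level SAS only)".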
Line 37: Line 36:
  
   * A **SAS** can take one of two forms. **Ad hoc SAS** where the expiry and permissions are part of the SAS URI and Service **SAS** with **stored access policy** where the SAS references the policy that defines the expiry and permissions.   * A **SAS** can take one of two forms. **Ad hoc SAS** where the expiry and permissions are part of the SAS URI and Service **SAS** with **stored access policy** where the SAS references the policy that defines the expiry and permissions.
-==== Types ==== +    user delegated SAS and account SAS must be an ad hoc SAS
-  * **service-level**, gives access at the storage account level +
-  * **account level ** +
-  * **user delegation SAS**+
  
 ===== Stored Access Policy ===== ===== Stored Access Policy =====
 > A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. > A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
 +  * A [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy|stored access policy]] is an additional level of protection that can be used in conjunction with //service-level shared access signatures (SAS)// authentication. It provides and expiration date and permissions that can be used independent of the SAS token/URL. This provides more flexibility for revoking access.
   * [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy]]   * [[https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy]]
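Review bot: the added line "    user delegated SAS and account SAS must be an ad hoc SAS" has no "*" list marker, so DokuWiki will render an indented line like this as a preformatted block rather than as the nested bullet it is meant to be; write it as "    * User delegation SAS and account SAS must be ad hoc SAS" so it sits under the "A **SAS** can take one of two forms" bullet. Removing the "==== Types ====" section is the right call, since its "service-level, gives access at the storage account level" bullet contradicted the service SAS bullet above (a service SAS is scoped to a single service, while account-level scope belongs to the account SAS). The stored access policy bullet re-added in this hunk largely repeats the quoted sentence immediately above it ("additional level of control" versus "additional level of protection"); consider keeping only the part that adds information, namely that the policy's expiry and permissions live outside the SAS token and can be changed to revoke access without regenerating the key.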
  
  • azure/az-500/storage_security.1658343040.txt.gz
  • Last modified: 2022/07/20 18:50
  • by mmuze