Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
| azure:az-500:storage_security [2022/07/20 19:02] – mmuze | azure:az-500:storage_security [2022/07/20 19:08] (current) – [Shared Access Signature(SAS)] mmuze | ||
|---|---|---|---|
| Line 12: | Line 12: | ||
| * [[https:// | * [[https:// | ||
| * [[https:// | * [[https:// | ||
| - | * A [[https:// | ||
| - | |||
| ==== Types of Authorization ==== | ==== Types of Authorization ==== | ||
| Line 32: | Line 30: | ||
| * The only way to revoke a SAS (that was signed by a key) is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only). | * The only way to revoke a SAS (that was signed by a key) is to revoke (regenerate) the access key that was used to sign it. This is not ideal because that key could be used in other ways and this would be a disruptive operation. That is where a **stored access policy** can be of use (for service-level SAS only). | ||
| + | * There are tree types of SAS, user delegated, service SAS and account SAS. | ||
| * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. | * A **user delegation** SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. | ||
| * A **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...). | * A **service SAS** is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. A service-level SAS applies to just one service (e.g. blob, Azure Files...). | ||
| Line 37: | Line 36: | ||
| * A **SAS** can take one of two forms. **Ad hoc SAS** where the expiry and permissions are part of the SAS URI and Service **SAS** with **stored access policy** where the SAS references the policy that defines the expiry and permissions. | * A **SAS** can take one of two forms. **Ad hoc SAS** where the expiry and permissions are part of the SAS URI and Service **SAS** with **stored access policy** where the SAS references the policy that defines the expiry and permissions. | ||
| - | ==== Types ==== | + | |
| - | * **service-level**, | + | |
| - | * **account level ** | + | |
| - | * **user delegation | + | |
| ===== Stored Access Policy ===== | ===== Stored Access Policy ===== | ||
| > A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. | > A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. | ||
| + | * A [[https:// | ||
| * [[https:// | * [[https:// | ||