Microsoft Azure Shared Access Signatures

Most Azure cloud services sit behind REST APIs, so we can access them through URLs and perform operations on them.

Public REST APIs come with security challenges.

In Azure we have private and public resources.

Public resources are those that anybody, from anywhere, can access directly if they know the URL.

Private resources cannot be accessed directly; the REST API URL always returns a 404 error.

SAS helps us protect our data by providing a way to grant access to private resources.

Currently SAS is available for the major Azure storage services and the message-based Service Bus services.

A SAS is a collection of query string parameters that define the access control details for your resource.

Below are the steps to generate a SAS for an Azure Blob storage account in the Azure portal.

  • Go to the storage account in the Azure portal, then select Shared access signature from the blade.


In Allowed IP addresses, enter the IP range to allow; for access from all addresses that is 0.0.0.0-255.255.255.255.

  • Then click Generate SAS, which produces the corresponding SAS.


 

Components of SAS:

sp: (key-value pairs) control access details such as permission and expiry times.

sig: signature parameter

Example of SAS token:

?sv=2016-05-31&ss=bfqt&srt=sco&sp=rwdlacup&se=2017-06-30T19:35:20Z&st=2017-06-12T11:35:20Z&sip=0.0.0.0-255.255.255.255&spr=https&sig=PxyVO9q9Vz0sg9ESs01%2BSLkbdq6d6NGhLCf1M0br77E%3D

Combining the SAS token with a valid URL of a restricted resource allows the request.

https://storageaccount17.blob.core.windows.net/ + Resource file + SAS token
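Because anyone holding the full URL gets whatever the token grants, it helps to decode a token before handing it out. The following is an added example, not code from the original post: it parses the example token above and lists the settings a reviewer would question. The function name `audit_sas`, the finding strings and the 24-hour `max_lifetime` threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Letter codes from the account SAS fields ss, srt and sp.
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp form used in the page's token

# The example token from this page.
EXAMPLE_TOKEN = ("?sv=2016-05-31&ss=bfqt&srt=sco&sp=rwdlacup"
                 "&se=2017-06-30T19:35:20Z&st=2017-06-12T11:35:20Z"
                 "&sip=0.0.0.0-255.255.255.255&spr=https"
                 "&sig=PxyVO9q9Vz0sg9ESs01%2BSLkbdq6d6NGhLCf1M0br77E%3D")


def audit_sas(token, max_lifetime=timedelta(hours=24)):
    """Decode an account SAS token and list settings a reviewer should question.

    max_lifetime is an assumed policy threshold, not an Azure limit.
    """
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    decoded = {
        "services": [SERVICES.get(c, c) for c in fields.get("ss", "")],
        "resource_types": [RESOURCE_TYPES.get(c, c) for c in fields.get("srt", "")],
        "permissions": [PERMISSIONS.get(c, c) for c in fields.get("sp", "")],
    }
    findings = []
    if set("wd") & set(fields.get("sp", "")):
        findings.append("grants write or delete")
    # A missing sip, or the full IPv4 range, means any client address is accepted.
    if fields.get("sip") in (None, "0.0.0.0-255.255.255.255"):
        findings.append("no effective IP restriction")
    # When spr is omitted the service accepts both https and http.
    if "http" in fields.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed")
    if "st" in fields and "se" in fields:
        start = datetime.strptime(fields["st"], TIME_FORMAT)
        expiry = datetime.strptime(fields["se"], TIME_FORMAT)
        if expiry - start > max_lifetime:
            findings.append("lifetime exceeds limit")
    return decoded, findings


if __name__ == "__main__":
    decoded, findings = audit_sas(EXAMPLE_TOKEN)
    print(decoded)
    print(findings)
```

For the page's token this reports all four services, all three resource types and every permission, over a window of more than 18 days with no IP restriction.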

 

 

 
