How to Generate Shared Access Signatures with Azure Storage Accounts
Azure storage wouldn’t be very useful if it couldn’t be shared with others, right? After all, what’s the point of hoarding all that data if you’re going to keep it to yourself? That would be selfish. But you need a secure way to manage who has access to your data hoard.
Thankfully, Azure IAM has a tool for exactly this: Shared Access Signatures (SAS). So, how do you generate a shared access signature for an Azure storage account?
An Overview of Generating Shared Access Signatures Using Azure Storage Accounts
In this video, CBT Nuggets trainer Knox Hutchinson walks you through how you can generate shared access signatures via Azure Storage Accounts.
How to Generate Shared Access Signatures with Azure Storage Accounts
Generating shared access signatures with Azure storage is easy. Let’s walk through the process.
First, log in to your Azure web management portal. Once the Azure portal loads, navigate to the resource for the Azure storage blob you want to share. Azure has various types of storage mechanisms, so make sure to navigate to the appropriate resource.
Once on the resource management page, locate the Settings section in the left-hand navigation menu. It contains an option called Shared Access Signature. Click that option to open the Shared Access Signature settings.
Configuring Azure IAM Shared Access Signatures
The Shared Access Signature management page has various settings that need to be configured. The first set of settings defines the allowed services the signature is authorized to access. These services include Blob, File, Queue, and Table. Check the boxes next to the services required to provision authorization.
The following setting configures authorization for the allowed resource types, which include service, container, and object. Again, check the resource types that the signature being provisioned requires.
Finally, the last group of checkboxes specifies the permissions the signature grants. Beyond read and write, these include optional permissions for delete, list, add, create, update, and process operations. Azure shared access signatures are highly granular.
Azure storage services have the option to enable versioning. Explaining object versioning is beyond the scope of this article, but a lone setting allows the signature to delete object versions. Consider enabling this option with care.
Managing Azure IAM Shared Access Signature Expirations & Security
Shared access signatures do not live indefinitely in Azure. As such, you’ll also need to specify the start and expiry date of each signature. This defines how long the shared access signature can be used.
Whitelisting Azure Shared Access Signature Access
If security is of the utmost concern, each access signature can include a whitelist for IP addresses. If configured, only specific IP addresses can use the signature for Azure access.
Enable HTTPS Access Only
Likewise, Azure admins can allow HTTP and HTTPS options or restrict connections to HTTPS only. Azure defaults to HTTPS access only, which should not be changed unless required. Otherwise, communication with Azure using the signature may not be encrypted.
Sign the Signature & Generate
Azure requires all shared access signatures to be signed. Each storage account can sign access signatures using either of its two access keys, historically called the primary and secondary key. Today, Azure calls them key 1 and key 2. Azure defaults to key 1, which is acceptable for most signatures. Explaining why you may want to use key 1 vs. key 2 is beyond the scope of this article.
Once your Azure shared access signature is configured, click the Generate SAS and Connection String button. Azure will create the shared access signature, and three form fields will appear. The first is the connection string to the storage resource, and the second is the token used for authorization (the shared access signature itself).
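The portal form above maps directly onto how an account SAS is actually built: the chosen services, resource types, permissions, validity window, IP range, protocol and version are joined into a string-to-sign and HMAC-SHA256'd with the base64-decoded account key. The following is an added example written for this article, not code from CBT Nuggets or from Azure's SDK, that reproduces that construction with only the Python standard library so the pieces are visible; the account name, keys, dates and IP range are constructed placeholders, and the permission ordering and string-to-sign layout are as documented for account SAS versions that predate the encryption-scope field.

```python
"""Build and verify an Azure account SAS token with the standard library only."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Azure expects permission letters in one fixed order (assumed: r w d x l a c u p t).
PERMISSION_ORDER = "rwdxlacupt"

# Constructed demo keys, NOT real account keys. Real keys are 64 random bytes, base64-encoded.
KEY1_B64 = base64.b64encode(b"\x01" * 64).decode("ascii")
KEY2_B64 = base64.b64encode(b"\x02" * 64).decode("ascii")


def account_sas_string_to_sign(account, params):
    """Fields newline-joined in the order Azure hashes them; absent fields stay empty."""
    order = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")
    return "\n".join([account] + [params.get(k, "") for k in order]) + "\n"


def sign(account_key_b64, string_to_sign):
    """Base64(HMAC-SHA256(key, UTF-8(string_to_sign))), key being the decoded account key."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def generate_account_sas(account, account_key_b64, services, resource_types,
                         permissions, start, expiry, ip_range=None, version="2019-12-12"):
    """Mirror the portal form: ss=services (b/f/q/t), srt=resource types (s/c/o), sp=permissions."""
    sp = "".join(p for p in PERMISSION_ORDER if p in permissions)  # normalise ordering
    params = {"sv": version, "ss": services, "srt": resource_types, "sp": sp,
              "st": start, "se": expiry, "spr": "https"}  # HTTPS only, the portal default
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = sign(account_key_b64, account_sas_string_to_sign(account, params))
    return urlencode(params)


def verify_account_sas(account, token, keys_b64):
    """Service-side view: the token is valid if it verifies under key 1 or key 2."""
    params = dict(parse_qsl(token))
    presented = params.pop("sig", "").encode("ascii", "replace")
    string_to_sign = account_sas_string_to_sign(account, params)
    return any(hmac.compare_digest(sign(k, string_to_sign).encode("ascii"), presented)
               for k in keys_b64)


if __name__ == "__main__":
    tok = generate_account_sas("examplestorage", KEY1_B64, "bf", "sco", "rl",
                               "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z",
                               "203.0.113.10-203.0.113.20")
    print(tok)
    print(verify_account_sas("examplestorage", tok, [KEY1_B64, KEY2_B64]))
```

The verifier makes the key 1 vs. key 2 point concrete: an account SAS carries no revocation handle, so the only way to invalidate one before its expiry is to rotate the key that signed it, which is why signing with one key while keeping the other for rotation matters.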
Start Learning Azure IAM Today!
This has only been a brief Azure IAM tutorial; Azure IAM has many more functions. Likewise, we didn't have time to dive into the details of each setting mentioned above. What is the difference between keys 1 and 2, and what is the preferred routing tier setting that appears in the Shared Access Signature YouTube video but was not covered in this article?
You’ll need to sign up for Knox Hutchinson’s Azure IAM online training at CBT Nuggets to learn more. Knox is a security guru and a skilled Azure engineer. He does a deep dive into everything related to Azure IAM. You’ll walk away from his course and be able to lock down and control Azure services like a pro.