Use SAS to protect the security of Azure Storage

From the previous article, I believe we all know that a shared access signature (SAS) is a mechanism for restricting access to Azure Storage. It is a more secure way of granting access to our storage account, because the account can be reached without handing out its access key.

There are two commonly used types of SAS:

  • Service level: only allows access to resources in one of the storage services: Blob, Queue, Table, or File
  • Account level: allows access to resources in one or more of the storage services. All operations available through a service-level SAS can also be carried out with an account-level SAS

Next we will look at how to use SAS to secure Azure Storage.
I have a storage account named "sql12bak":

In the storage account, we prepared a container named "test" and uploaded some files for testing:

With the above preparations done, return to the main page of the storage account, where you can see the Shared access signature tab:

After clicking into Shared access signature, we can see several types of settings:

  • Allowed services: we can choose which services the user can access.
  • Allowed permissions: we can choose which permissions to grant the user.
  • Start and end: we can set the period during which the SAS is valid.
  • Allowed IP addresses: we can whitelist the IP addresses that may access the storage account.
  • Allowed protocols: allow HTTPS only, or allow both HTTP and HTTPS.


In this example we will configure the following permissions:
Read, List: the user can read and list the files in the storage account, but cannot delete, write, add, or create resources in it.

We configure the SAS to allow only HTTPS access, and then click to generate the SAS and connection string:

After generating the SAS and the connection string, copy the "Blob Service SAS URL":

Open Microsoft Azure Storage Explorer, then click "Add Account":

In the "Connect to Azure Storage" dialog, select "Use Shared Access Signatures (SAS) URI", then click "Next":

Paste the copied URL. When you paste the URL, the other text boxes are filled in automatically. Then click Next.

Confirm the details, then click Connect:

In the storage account we prepared, we can find the "test" container. In the container, we can see the test files:

When I double-click test.txt, I can read the file, since we granted Read permission earlier:

But when I try to delete or upload files, it reports that we do not have permission:
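
The restrictions chosen in the portal end up as query parameters in the SAS URL, so a URL can be checked against a least-privilege policy before it is handed out. The following is an added example, not part of the original article; it also checks services, IP restriction and lifetime, beyond the Read/List and HTTPS settings used above. The sample URLs, the placeholder signature, the policy defaults and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Account SAS query fields: ss=services, srt=resource types, sp=permissions,
# st/se=start/expiry (UTC), spr=protocols, sip=allowed IPs, sig=signature.
PERMS = {"r": "Read", "w": "Write", "d": "Delete", "l": "List",
         "a": "Add", "c": "Create", "u": "Update", "p": "Process"}

def parse_time(value):
    # Assumes the full UTC form (YYYY-MM-DDThh:mm:ssZ).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url, perms="rl", services="b", max_life=timedelta(days=7), now=None):
    """Return findings where a SAS URL is broader than the given policy.
    The policy defaults are assumptions for this example, not Azure defaults."""
    sas = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    extra = sorted(set(sas.get("sp", "")) - set(perms))
    if extra:
        findings.append("extra permissions: " + ", ".join(PERMS.get(p, p) for p in extra))
    extra_services = sorted(set(sas.get("ss", "")) - set(services))
    if extra_services:
        findings.append("extra services: " + "".join(extra_services))
    if sas.get("spr", "https,http") != "https":  # HTTP is allowed when spr is absent
        findings.append("HTTP allowed")
    if "sip" not in sas:
        findings.append("no IP restriction")
    start = parse_time(sas["st"]) if "st" in sas else (now or datetime.now(timezone.utc))
    if "se" not in sas:
        findings.append("no expiry")
    elif parse_time(sas["se"]) - start > max_life:
        findings.append("lifetime exceeds %d days" % max_life.days)
    return findings

# Constructed sample URLs; the signature is a placeholder, not a real token.
BASE = "https://sql12bak.blob.core.windows.net/?sv=2019-02-02&srt=sco&sig=PLACEHOLDER"
TUTORIAL_STYLE = BASE + "&ss=b&sp=rl&spr=https&sip=203.0.113.10" \
    "&st=2020-01-20T08:00:00Z&se=2020-01-27T08:00:00Z"
TOO_BROAD = BASE + "&ss=bfqt&sp=rwdlacup&spr=https,http" \
    "&st=2020-01-20T08:00:00Z&se=2021-01-20T08:00:00Z"

if __name__ == "__main__":
    for name, url in (("tutorial-style", TUTORIAL_STYLE), ("too-broad", TOO_BROAD)):
        print(name, audit_sas(url) or "OK")
```
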

Origin blog.51cto.com/wuyvzhang/2468062