In previous article we have seen a high level overview of some security features. Let’s generate the shared access signatures to access data objects in Azure storage.
Ways of Accessing Data in Storage
You can setup an Azure AD authentication for Azure storage and get the users authenticated. Alternatively, you can also pass the storage account access keys to the applications who need to access the data.
But storage account access keys are like master keys which give full access to the person or application who holds them. You can imagine how much impact it will have if it is compromised. Hence you may not want to go with distributing access keys option.
The next option is to create the shared access signatures.
The shared access signature allows you to create a signature which is valid only for specific duration and provide only required access to the applications. For example, you can create a shared access signature which is valid only for 1 day and allows to only read contents of table storage.
Please note that you have to provide the access key while creating the shared access signature. And Azure does not remember any of the shared access signature. What does this mean ?
This means that if the shared access signature is compromised and you want to revoke it, the only way to revoke is to regenerate the keys. Regenerating key may have impact on your application as these key might be in use at some places where you could not use any other option.
So, what is the better way ?
Create stored access policies wherever possible.
Stored access policies are tracked by Azure. While creating shared access signature you can specify the policy it is abiding to. So even if your shared access signature needs to be revoked, you can easily revoke it by deleting the policy on Azure or by changing its end time to some past time.
Let’s see this in demo.
Create Table Storage
Please follow my previous blog to create a table storage and populate it with some data.
Create Stored Access Policy
Login to Azure Portal and navigate to the storage account. Under storage account left side menu options, go to tables.
You will be able to find the table you created. Click on the three dots menu on extreme right of the table name. This will show you a popup menu. Select Access Policy option from the popup.
This will bring you to access policy panel. This right side panel shows the list of all available access policies. We do not have any policy yet so it is showing empty list.
Now click on Add Policy button. This will open Add Policy popup.
On Add policy panel, you can specify below inputs:
- Identifier, a string name to identify the policy. Put identifier “first” for this policy.
- Permissions, checked list box, you can select the required permissions from Read, Add, Update and Delete
- Start time, the date and time including timezone, at which the policy will come into effect
- Expiry time, the date and time including timezone, at which policy will be terminated
Once you fill all this information, you can click on OK and policy will be created.
Now even if you come back to Azure after couple of hours or days, you can still see the policy. That is what we mean by policies are remembered by Azure.
Shared Access Signature using Policy
Let’s use storage explorer to create the shared access signature.
You can login to your subscription in storage explorer and then navigate to the storage account. Under storage account node, you can find the tables group. Under tables group, find the table on which we created the policy.
Right click on the table and select “Get Shared Access Signature“
You will be presented with a popup where you can provide inputs about shared access signature.
Instead of specifying any other inputs, just select access policy we created in previous step and click on create button at the bottom of popup.
After clicking on create, you will be redirected to next page of the wizard. From the next page you can copy the URL and/or query string to be used along with your rest request.
Let’s test in postman !
If you do not have postman, you can directly put these URLs in browser address bar and hit enter. It would still produce same result as in postman as this is the GET request.
Create a get request in postman and only specify the URL of table without specifying the shared access signature.
URI – https://firstsampleaccount.table.core.windows.net/myfirsttable
When executed as get request from postman, we get resource not found error as output.
Now if you copy the URI which has shared access signature, you will be able to see all the data from your table storage as shown in below snapshot.
Next, if you delete the stored access policy and try to run the HTTP GET with URI and shared access signature, you will again get resource not found error.
Hope this helps you. Let me know your thoughts.