How long are SQL VM Automated backup Shared Access Signature Tokens Valid for

Keiran Royston 0 Reputation points
2024-06-18T09:34:28.7+00:00

As part of our security and compliance checks, we've been looking at the Automated backup functionality used to take SQL backups and store them in Azure Storage. As part of this, it looks like a Shared Access Signature Token is generated and stored in the SQL instance. Please can you advise how long a Shared Access Signature Token is valid for when generated by the Automated Backup functionality?

The functionality is located in "SQL virtual machines > 'INSERT VM NAME HERE' > Settings > Backups"


1 answer

  1. ShaktiSingh-MSFT 14,376 Reputation points Microsoft Employee
    2024-06-18T10:45:52.07+00:00

    Hi Keiran Royston,

    Welcome to Microsoft Q&A forum.

    As I understand, you have a query regarding Shared Access Signature token for SQL Server on Azure VM and its validity.

    A shared access signature is a token that is appended to the URI for an Azure Storage resource. The token contains a special set of query parameters that indicate how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. This signature is used by Azure Storage to authorize access to the storage resource.

    Note:

    It's not possible to audit the generation of SAS tokens. Any user that has privileges to generate a SAS token, either by using the account key, or via an Azure role assignment, can do so without the knowledge of the owner of the storage account. Be careful to restrict permissions that allow users to generate SAS tokens. To prevent users from generating a SAS that is signed with the account key for blob and queue workloads, you can disallow Shared Key access to the storage account. For more information, see Prevent authorization with Shared Key.

    Refer:

    https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

    https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

    Let us know if this helps or you have a different ask.

    Thanks.

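Added example, not code from the thread or from Microsoft's SQL VM tooling: a Python check that reads the validity-related query fields the answer describes (sr, sp, st, se, spr, sig) from a SAS URL, so a compliance reviewer can see exactly how long a given token is valid and flag settings worth questioning. The sample URL and its signature are constructed placeholders, and the 7-day threshold is an assumed local policy, not an Azure default.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a container-scoped SAS URL like one a backup job would
# use. The signature is a placeholder, not a real token.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/sqlbackups"
    "?sv=2022-11-02&sr=c&sp=rwl"
    "&st=2024-06-18T09:00:00Z&se=2024-06-25T09:00:00Z"
    "&spr=https&sig=PLACEHOLDER_SIGNATURE"
)


def parse_sas_time(value: str) -> datetime:
    # SAS timestamps are ISO 8601 UTC; normalise the trailing Z for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_sas(url: str, now: datetime, max_days: float = 7.0) -> dict:
    """Report the SAS fields that bound access (sr, sp, st, se, spr) and flag
    risky settings. The sig value is never copied into the result."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    start = parse_sas_time(params["st"]) if "st" in params else None
    expiry = parse_sas_time(params["se"]) if "se" in params else None
    findings = []
    if "sig" not in params:
        findings.append("no sig field: this URL carries no SAS")
    if expiry is None:
        # Ad hoc SAS tokens always carry se; without it the lifetime comes from
        # a stored access policy (si) that must be checked on the container.
        findings.append("no se field: expiry is set by a stored access policy")
    lifetime_days = None
    if start and expiry:
        lifetime_days = (expiry - start).total_seconds() / 86400
        if lifetime_days > max_days:
            findings.append(f"lifetime {lifetime_days:.1f} days exceeds {max_days}")
    if expiry and expiry <= now:
        findings.append("token has already expired")
    if params.get("spr") != "https":
        # spr omitted means https,http: the token is not restricted to HTTPS.
        findings.append("token not restricted to HTTPS (spr)")
    if "d" in params.get("sp", ""):
        findings.append("delete permission granted to a backup writer")
    return {
        "resource": params.get("sr"),
        "permissions": params.get("sp", ""),
        "start": start,
        "expiry": expiry,
        "lifetime_days": lifetime_days,
        "findings": findings,
    }
```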