@Shaojun Qin Welcome to the Microsoft Q&A Forum, and thank you for posting your query here!
Adding more information to the above response!
The easiest way to provide SAS access is through the Storage Explorer tool:
- Allowed Services: Blob
- Allowed Resource Types: Object (Service & Container may also be required)
- Allowed Permissions: Read, Write, Create
If there are other actions that allow you to browse and create/list Azure Storage blob containers in the Azure Portal or from T-SQL, then the allowed permissions and allowed resource types will need to include the additional scope. For more information, see Blob Service operations and permissions, which details the specific information you are looking for.
For general information about Shared Access Signatures, please see: Grant limited access to Azure Storage resources using shared access signatures (SAS)
- Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
- Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
- Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files (e.g., Put Blob, Query Entity, Get Messages, Create File, etc.)
- You can combine values to provide access to more than one resource type. For example, srt=sc specifies access to service and container resources.
If you want to generate a SAS that can only be used to list and download blobs stored in the container, you should choose "Container" as the allowed resource type in the SAS definition.
When you choose "Container" as the allowed resource type, the SAS can be used to perform operations on the container itself, as well as on any blobs stored in the container. This means that the SAS can be used to list the blobs in the container and to download the blobs, but it cannot be used to modify or delete the blobs.
If you choose "Object" as the allowed resource type, the SAS can be used to perform operations on individual blobs, as well as on the container itself. This means that the SAS can be used to list, download, modify, and delete the blobs in the container.
Therefore, if you want to restrict the SAS to only allow listing and downloading of blobs, you should choose "Container" as the allowed resource type. This will ensure that the SAS can only be used to perform operations on the container itself and not on individual blobs.
If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you've given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).
Grant the least possible privileges with the SAS. A security best practice is to provide a user with the minimum required privileges to the fewest possible resources. Use a read-only SAS when possible. If a user needs only read access to a single object, then grant them read access to that single object, and not read/write/delete access to all objects. This also helps lessen the damage if a SAS is compromised because the SAS has less power in the hands of an attacker.
There is no direct way to identify which clients have accessed a resource. However, you can use the unique fields in the SAS, the signed IP (sip), signed start (st), and signed expiry (se) fields, to track access. For example, you can generate a SAS token with a unique expiry time that you can then correlate with the client to whom it was issued.
For more information refer to this article: https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#specify-the-signed-resource-field
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
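As an added illustration of the least-privilege and short-expiry points above (example code, not from the answer or from Microsoft's SDKs), the block below builds an account SAS with the documented string-to-sign layout (account, sp, ss, srt, st, se, sip, spr, sv, each newline-terminated, signed with HMAC-SHA256 under the base64-decoded key) and then audits a token for over-broad scope. It assumes a constructed account name and key, the 2020-10-02 service version (2020-12-06 and later add an encryption-scope line), and that listing is container-scoped while downloading blob content is object-scoped, per the srt definitions listed in the post.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample values: not a real storage account or key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"\x01" * 32).decode()
SAS_VERSION = "2020-10-02"  # assumed; versions 2020-12-06+ append an encryption-scope line
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_account_sas(sp, ss, srt, start, expiry, sip="", spr="https"):
    """Build an account SAS query string: one signed field per line, each newline-
    terminated, HMAC-SHA256 over it with the base64-decoded key, base64 signature."""
    st, se = start.strftime(TS), expiry.strftime(TS)
    string_to_sign = "\n".join([ACCOUNT, sp, ss, srt, st, se, sip, spr, SAS_VERSION]) + "\n"
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), string_to_sign.encode("utf-8"), hashlib.sha256)
    fields = {"sv": SAS_VERSION, "ss": ss, "srt": srt, "sp": sp, "st": st, "se": se, "spr": spr}
    if sip:
        fields["sip"] = sip  # sip/st/se are the fields the answer suggests for tracing who got a token
    fields["sig"] = base64.b64encode(mac.digest()).decode()
    return urlencode(fields)

def audit_sas(token, needed_sp, needed_srt, max_hours=1, now=None):
    """Flag least-privilege problems in an existing SAS token (defender-side check)."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    now = now or datetime.now(timezone.utc)
    findings = []
    extra = "".join(sorted(set(q.get("sp", "")) - set(needed_sp)))
    if extra:
        findings.append(f"permissions beyond need: {extra}")
    extra_rt = "".join(sorted(set(q.get("srt", "")) - set(needed_srt)))
    if extra_rt:
        findings.append(f"resource types beyond need: {extra_rt}")
    if "se" not in q:
        findings.append("no expiry (se)")
    elif datetime.strptime(q["se"], TS).replace(tzinfo=timezone.utc) - now > timedelta(hours=max_hours):
        findings.append(f"expiry more than {max_hours}h away")
    if "sip" not in q:
        findings.append("no signed IP (sip) restriction")
    return findings

def demo(now=None):
    # A tight token for "list and download blobs" beside an over-broad one (constructed).
    now = now or datetime.now(timezone.utc)
    good = build_account_sas("rl", "b", "co", now - timedelta(minutes=5), now + timedelta(minutes=15), sip="203.0.113.10")
    broad = build_account_sas("rwdl", "bfqt", "sco", now, now + timedelta(days=30))
    return good, broad
```

Running `audit_sas` over tokens found in configuration or logs is a cheap way to catch the "read/write/delete to all objects for 30 days" pattern the answer warns about.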