Azure - SAS Terms

Aakash Karwa 1 Reputation point
2020-08-16T10:26:39.023+00:00

Can you explain allowed resource types (service, container, object) and allowed permissions (read, write, delete, update, process etc) on the SAS portal.

Also how to check if SAS was issued to someone previously?


1 answer

  1. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2020-08-17T06:55:22.077+00:00

    @akashKarwa

    Allowed Service: Blob
    Allowed Resource Types: Object (Service & Container may also be required)
    Allowed Permissions: Read, Write, Create

    If there are other actions that allow you to browse and create/list Azure storage blob containers in the Azure Portal or from T-SQL, then the allowed permissions and allowed resource types will need to include the additional scope. More information about Blob Service operations and permissions, which details the specific information you are looking for.

    For general information about Shared Access Signatures, please see: Grant limited access to Azure Storage resources using shared access signatures (SAS)

    • Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
    • Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
    • Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files (e.g., Put Blob, Query Entity, Get Messages, Create File, etc.)
    • You can combine values to provide access to more than one resource type. For example, srt=sc specifies access to service and container resources.

    How to check if SAS was issued to someone previously? It can't be checked, because after the dedicated time and date it expires.

    If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
    If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

    For more information: Refer to best practices when using SAS

    Required. Specifies the signed permissions for the account SAS. Permissions are only valid if they match the specified signed resource type; otherwise they are ignored.

    • Read (r): Valid for all signed resource types (Service, Container, and Object). Permits read permissions to the specified resource type.
    • Write (w): Valid for all signed resource types (Service, Container, and Object). Permits write permissions to the specified resource type.
    • Delete (d): Valid for Container and Object resource types, except for queue messages.
    • List (l): Valid for Service and Container resource types only.
    • Add (a): Valid for the following Object resource types only: queue messages, table entities, and append blobs.
    • Create (c): Valid for the following Object resource types only: blobs and files. Users can create new blobs or files, but may not overwrite existing blobs or files.
    • Update (u): Valid for the following Object resource types only: queue messages and table entities.
    • Process (p): Valid for the following Object resource type only: queue messages.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------------------------------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    3 people found this answer helpful.