Réda Mattar

Reputation: 4381

Managing Stored Access Policy

I have an Azure Storage with one blob container, multiple folders in this container, and text files in those folders.

I would like to manage access using SAS tokens. I found many examples, but I don't have all the answers I need.

Can I set policies and generate SAS tokens at different levels of my container? Like:

  1. Signature for the whole container
  2. Signature for one folder (and everything it contains) only in that container
  3. Signature for one file only in those folders

What options are possible?

It seems that the Azure Portal only allows me to generate SAS tokens at container level. Are policies created only through code? Same for specific SAS tokens (options 2 & 3)?

Thank you

Upvotes: 0

Views: 939

Answers (2)

Lester W

Reputation: 11

It also appears that policies can only contain date/time restrictions and permissions. They CANNOT contain IP address restrictions (unfortunately).

Upvotes: 1

Gaurav Mantri

Reputation: 136196

To answer your questions:

  • Policies are set at the container level. For each container, there can be a maximum of 5 access policies.
  • There's no limit on the number of SAS Tokens that can be created on a container. To create a SAS Token, you can use access policies, or you can create SAS tokens without using access policies.
  • As there's no concept of folders in blob storage (they are merely the prefix for a blob), you can't create a SAS Token for a folder.
  • You can create a SAS Token for an individual blob. Again, there's no limit on the number of SAS Tokens you can create for a blob. You can create a SAS Token for a blob using the access policy on the blob container in which the blob resides, or without using an access policy.
  • When a SAS Token is created without an access policy, the only way to revoke it before it expires is to change the account key. When a SAS Token is created using an access policy, revoking it before it expires can be accomplished by changing the value of the access policy identifier or changing the parameters of that access policy.

Upvotes: 5
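
An added example, not part of either answer: a small audit that reads the standard service SAS query parameters (`sr`, `si`, `se`, `sip`, `sig`) from already-issued URLs and reports each token's scope and which of the two revocation routes described above applies to it. The function names, the account and container in the sample URLs, and the signature placeholder are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

SCOPES = {"c": "container", "b": "blob"}          # values of the sr parameter
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)   # constructed audit time

# Constructed sample URLs; the sig values are placeholders, not real signatures.
SAMPLES = [
    "https://exampleacct.blob.core.windows.net/docs"
    "?sv=2020-08-04&sr=c&si=readers&sig=CONSTRUCTED",
    "https://exampleacct.blob.core.windows.net/docs/reports/a.txt"
    "?sv=2020-08-04&sr=b&sp=r&se=2030-01-11T00%3A00%3A00Z"
    "&sip=203.0.113.7&sig=CONSTRUCTED",
]

def parse_expiry(value):
    """Parse the se parameter in the ISO 8601 UTC forms listed above."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry: {value!r}")

def audit_sas(url, now=NOW):
    """Classify one SAS URL by scope and by how it can be revoked."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        raise ValueError("not a SAS URL: no sig parameter")
    policy = q.get("si")      # signed identifier: name of a stored access policy
    expiry = q.get("se")      # may be absent when the policy supplies the expiry
    days = max((parse_expiry(expiry) - now).days, 0) if expiry else None
    return {
        "scope": SCOPES.get(q.get("sr"), "other"),
        "policy": policy,
        "ip_restricted": "sip" in q,   # IP range is carried by the token itself
        "days_left": days,             # None: expiry is governed by the policy
        "revoke_by": "stored access policy" if policy else "account key rotation",
    }

def flag_long_lived(urls, max_days, now=NOW):
    """Return ad hoc (no-policy) SAS URLs that stay valid longer than max_days."""
    flagged = []
    for url in urls:
        finding = audit_sas(url, now)
        if finding["policy"] is None and (finding["days_left"] or 0) > max_days:
            flagged.append(url)
    return flagged
```

Tokens returned by `flag_long_lived` are the ones that cannot be withdrawn individually, so they are the candidates for reissuing against a stored access policy.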
