Reputation: 934
How to generate SAS Token to connect to Azure Storage Account - File Share?
In order to connect to Azure Shared Storage(in particularly File Share) to perform tasks like copying/removing/modifying files from remote to azure storage, we need either SAS(Shared Access Signature) or Active Directory Settings Enabled (and then assign roles based on requirement).
I wanted to implement the access using SAS approach, I tried generating SAS from UI, tried generating SAS by making use of Access Keys(Present Inside Storage Account - Confidential and most important key for storage account) both worked. But UI approach isn't conducive in my case, and Access token can't be given to anyone apart from the administrator.
So is there a way to generate SAS using Azure AD credentials or some service where we can create an account and password/key and that account can be used to create SAS token via curl(REST call) and not generating SAS via access keys(admin key).
Upvotes: 1
Views: 6242
Answers (4)
Reputation: 1014
I just wanted to add the details on how to generate the SAS token via UI, as it's not in the documentation, and also not available in the Azure portal. Not sure why it's kind of hidden. The way to do it is to install and open Azure Storage Explorer, right-click the File Storage you want, and select "Get Shared Access Signature..." in the pop up menu.
Thanks for the author of this article for providing the solution.
Upvotes: 0
Reputation: 1073
In your middleware service you can use below code:
ShareSasBuilder sasBuilder = new(ShareSasPermissions.Write,
DateTimeOffset.UtcNow.AddMinutes(_expiryDuration))
{
Protocol = SasProtocol.Https,
StartsOn = DateTimeOffset.UtcNow
};
ShareClient share = new(storageConnStr, fileShareName);
var sasResponse = share.GenerateSasUri(sasBuilder);
Upvotes: 0
Reputation: 3596
The tricky part is to let your users create a sas token for the file share without granting them permissions on the whole storage account.
You can use a middle tier application that creates the SAS token and allow the users to use that app. An azure function with an HTTP trigger can be used for example. You grant the azure function access to the storage account using a Managed Service Identity and secure the access to the Azure function either with Active Directory or a function key, that you distribute to your users.
Upvotes: 2
Reputation: 1346
You can try with this approach:
A SAS token for access to a container, directory, or blob may be secured by using either Azure AD credentials or an account key. Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security.
Generate a User Delegation Key:
POST https://myaccount.blob.core.windows.net/?restype=service&comp=userdelegationkey
Upvotes: 0
Related Questions
- How to use SAS Token to connect to Azure BlobStorage from C#?
- Azure Storage Account generate SAS Token, not an SAS URI
- how to generate storage account SAS token through curl
- Azure SAS token AuthorizationResourceTypeMismatch
- Azure Storage SAS signature does not match, how can I generate SAS token?
- Connect to Azure Storage Account using only SAS token?
- Azure SAS Token issues
- How to generate Account SAS token for Azure Storage?
- Accessing the file stored in Azure file storage without SAS token
- Azure File Storage SAS token - error 403