Implement User Auth

Question 1

What is a Shared Access Signature (SAS)?

Answer 1

• Signed URI that points to one or more storage resources and includes a token that contained a special set of query params

Question 2

What does a SAS contain (high-level)?

Answer 2

• Token indicates how the resources might be accessed by the client
• One of the params, signature, is constructed from SAS parameters and signed with the key that was used to create SAS
• used to auth access to storage resource

Question 3

What is user delegation SAS?

Answer 3

• Secured with MS Entra credentials and also by the perms specified for the SAS
• Entra credentials are recommended approach by MS over the storage account key (service + account SAS)
• Applies to blob storage only

Question 4

What is a service SAS?

Answer 4

• Secured with storage account key
• Delegates access to a resource in blob, queue or table storage and azure files

Question 5

What is an Account SAS?

Answer 5

• Secured with storage account key
• Delegates access to resources in one or more storage service

Question 6

What is required to access data stored in AZ storage with SAS?

Answer 6

• URI to the resource you want to access
• SAS token that youve created to auth access
• e.g. https://<storageAccountName>.blob.core.windows.net/<blobcontainername>/<blobname>?<SASToken></SASToken></blobname></blobcontainername></storageAccountName>

Question 7

What does a SAS token contain?

Answer 7

• Sp = Values can be ‘a’ for add, ‘c’ for create, ‘d’ for delete, ‘l’ for list, ‘r’ for read, ‘w’ for write. Can grant multiple
• St = date and time when access starts
• Se = date and time when access ends
• Sv = versions of storage API
• Sr = kind of storage being accessed (sr=b for blob)
• Sig = cryptographic signature

Question 8

What are the MS guidlines to reduce risks associated with SAS?

Answer 8

• Securely distribute a SAS and prevent man-in-middle attacks by using HTTPs
• Use user delegation SAS
• set expiration time to smallest useful value
• Rule of min require privileges

Question 9

When might SAS be used?

Answer 9

• to provide secure access to resources in storage account to any client who doesn’t otherwise have perms to access those resources

Question 10

What is the front-end proxy service design pattern for SAS?

Answer 10

• End user <-> Front End Proxy <-> Azure Storage
• performs authentication
• has pro of allowing validation of business rules
• not good for large amounts of data or high volume transactions as it may be expensive to create service that can scale to match demand

Question 11

What is the lightweight provider service design pattern for SAS?

Answer 11

• First request: End user <-> provider service azure storage
• Subsequent requests: End user <-> Azure storage (provider service generates and gives SAS token to end user)
• lightweight service auths the client as needed and gives it the token
• client uses token to access storage account directly

Question 12

How is a SAS used in a copy operations?

Answer 12

• Required to authorise access to the source object
• when you copy a blob to another blob that resides in a different storage account you must use SAS to authorize access to source blob
• the same applies to copying file to another file

Question 13

What is a Stored Access Policy (SAP)?

Answer 13

• Provides extra level of control over service-level SAS on the server side
• groups SAS and provides more restrictions for signatures that bound by the policy
• can use SAP to change start time, expiry time, or perms for a signature or to revoke it after issue
• Supported by blobs, files queues and tables

Question 14

What does a SAP consist of?

Answer 14

• Start and expiry time as well as perms for signature
• can store all of these params on the signature URI and none within the SAP, al on the SAP and none on the URI or a combinations of the two
• cant specifiy a given param on both at the same time

Question 15

How is SAP created?

Answer 15

• Created and modified by the Set ACL operation for the resource (set container acl, set queue acl etc) with a request body the specifies the terms of the SAP
• body of the request includes a unique signed ID of your choosing, up to 64 chars and operational params of policy
• takes 30 seconds to take effect

Question 16

How would we modify a SAP?

Answer 16

• Call the access control list operation (ACL) for the resource type to replace the existing policy
• e.g. change existing policy from granting read and write perms to a resource to just grant read only perms for future requests

Question 17

How would we revoke a SAP?

Answer 17

• Delete it
• Rename it by changing the signed ID
• Change expiry time to valye in the past
• To remove a single SAP call the resources set ACL operation passing in the set of signed IDs that you wish to maintain on the container
• To remove all SAPs from the resource call the same operation with an empty request body