Azure Storage Account – Access Security
There are three ways we can provide access to an Azure Storage account:
- Access Keys
- Account Shared Access Signatures (SAS)
- Service Shared Access Signatures (SAS)
Storage account access keys are generated automatically when any storage account (SA) is created. Every SA has two 512-bit storage account access keys, Key 1 and Key 2, and either key on its own gives full and complete access to the SA.

Your storage account access keys are like a root password for your storage account.

Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Microsoft recommends that you regularly rotate and regenerate your access keys, and you can rotate them without interrupting your applications.
An access key can be regenerated or rotated as mentioned above:
- Regenerating an access key creates a brand new key, and the old one is disabled immediately (anything still using the old key, including any SAS signed with it, stops working).
- We have two keys so that we can regenerate one at a time without interrupting services, because there is always at least one valid key.

** For a single administrator it may be acceptable to provide access via an access key, but in an organization you should only grant the access that someone actually needs and no more. Always follow the principle of least privilege, and use SAS for that. **
Watch the Demo here
To make access to a storage account more granular we have SAS, which come in two forms:
- Account SAS: can provide access to one or more resources across the storage services of an SA.
- Service SAS: provides access within just one of the storage services (Blob, File, Queue or Table).

Some important notes on SAS:
- An SAS is a URI that grants access to resources.
- An SAS can include start and expiry times, permissions, and IP and protocol restrictions.
- The SAS URI contains a signature constructed from the SAS parameters, which provides the authorization; if any parameter is changed after signing, the signature no longer matches.
To create one in the portal, click Shared access signature under Settings in the storage account and choose the settings below as per your need, as shown in the snippet.
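As an added example that is not part of the post, the following Python audit reads a SAS URI back and reports where its settings exceed the least-privilege choices listed above: object-level scope, read-only permissions, a short start/expiry window, an IP restriction and HTTPS only. It reads the same query parameters the portal writes (sr, sp, st, se, sip, spr, and ss/srt for an account SAS). The two sample URIs, the account name examplestorage and the placeholder sig values are constructed, and the 24-hour maximum lifetime is an assumed policy threshold rather than anything Azure enforces.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample tokens: "examplestorage" is not a real account and the
# sig values are placeholders, not valid signatures.
SAMPLES = {
    "least_privilege": (
        "https://examplestorage.blob.core.windows.net/reports/q1.csv"
        "?sv=2018-11-09&sr=b&sp=r&st=2024-01-01T00:00:00Z&se=2024-01-01T01:00:00Z"
        "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER"
    ),
    "over_privileged": (
        "https://examplestorage.blob.core.windows.net/reports"
        "?sv=2018-11-09&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
    ),
}

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples


def parse_sas_time(value):
    """Azure accepts an ISO 8601 UTC timestamp ('2024-01-01T00:00:00Z') or a
    bare date; return it as an aware UTC datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def audit_sas(uri, now=NOW, max_lifetime=timedelta(hours=24)):
    """Return a list of findings, one per setting that grants more than the
    least-privilege choices (scope, permissions, window, IP, protocol).
    An empty list means nothing to report."""
    q = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    findings = []
    if "sig" not in q:
        return ["no sig parameter: not a SAS token"]
    # Scope: an account SAS (ss/srt) spans services; sr=c/s/d covers a whole
    # container, share or directory instead of one object.
    if "ss" in q or "srt" in q:
        findings.append(f"account SAS over services '{q.get('ss', '')}' "
                        f"and resource types '{q.get('srt', '')}'")
    elif q.get("sr") in ("c", "s", "d"):
        findings.append(f"scoped to a whole container/share (sr={q['sr']}), not one object")
    # Permissions: anything beyond read (r) and list (l) can change data.
    extra = set(q.get("sp", "")) - {"r", "l"}
    if extra:
        findings.append(f"permissions beyond read/list: sp={q['sp']}")
    # Window: no expiry means the token lives until the signing key is rotated.
    if "se" not in q and "si" not in q:
        findings.append("no expiry (se) and no stored access policy (si): "
                        "valid until the signing key is regenerated")
    elif "se" in q:
        expiry = parse_sas_time(q["se"])
        if expiry <= now:
            findings.append(f"token already expired at {q['se']}")
        elif expiry - now > max_lifetime:
            findings.append(f"lifetime exceeds {max_lifetime}: expires {q['se']}")
    # Network restrictions: sip limits callers; spr defaults to https,http.
    if "sip" not in q:
        findings.append("no IP restriction (sip): usable from any address")
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed (spr): token can travel unencrypted")
    return findings


if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(name, audit_sas(uri) or ["ok"])
```

The read-only sample produces no findings, while the container-wide racwdl token with a six-year expiry, no IP restriction and HTTP allowed produces five, which is the kind of review worth running on any SAS found in configuration files or logs before it is shared further.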