By using a user delegation SAS, we can improve the security of access to an Azure Blob storage container. Unlike a normal shared access signature (SAS), which is signed with a storage account key, a user delegation SAS is signed with a key tied to an Azure Active Directory (AAD) identity. A user delegation SAS is a service SAS that only supports Blob storage. In this lab, you will create a user delegation SAS using Azure CLI. We'll then be able to use this user delegation SAS to access a blob. After completing this lab, you'll understand how to create and revoke a user delegation SAS using Azure CLI.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Upload a File to Blob Storage
Use the Azure Portal to upload a file to Blob storage.
We will use this file (blob object) later in order to verify that the user delegation SAS we create works as expected.
- Navigate to the Storage Accounts section.
- Open Storage Accounts from the sidebar, and navigate into the storage account already created for you.
- Click on Containers in the storage account working pane.
- Open the container named container1.
- Click Upload in the command bar.
- Select a small file from your computer. Please ensure the file is NOT confidential.
- Click Upload.
- Create a User Delegation SAS
- Use Azure Cloud Shell to create a Bash shell.
- Subscription: Default
- Cloud Shell region: same as your lab-provided storage account
- Resource group: Use existing
- Storage account: Use existing
- File share: Create new and enter in cloudshell.
Once in the shell, enter the following to create a user delegation SAS:
az storage blob generate-sas --account-name <TAB> --container-name container1 --name <FILENAME> --permissions acdrw --expiry <DATE> --auth-mode login --as-user --full-uri
<TAB> is the Tab key to automatically populate the storage account name.
<FILENAME> is the name of the file you uploaded earlier.
<DATE> should be a date no more than 7 days from now (YYYY-MM-DD), because a user delegation key cannot be valid for longer than 7 days.
Note: The command above will generate a full URI to access the file you uploaded to blob storage. You may click on this within Cloud Shell to open a new window and view the file.
- Revoke a User Delegation SAS
Still in Cloud Shell, enter the following to revoke all user delegation keys associated with the storage account:
az storage account revoke-delegation-keys --name <TAB> --resource-group <TAB>
<TAB> is the Tab key to automatically populate the storage account name, and then the resource group name.
Note: To verify that the user delegation SAS no longer works, you may need to wait up to 5 minutes and then try using the link generated earlier. It should no longer work, and you will see an "AuthenticationFailed" message.
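The create-and-revoke cycle above, scripted as an added example (this is not part of the original lab). It assumes you are logged in to Azure CLI and have set STORAGE_ACCOUNT, RESOURCE_GROUP and BLOB_NAME; unlike the lab command it deliberately requests read-only, HTTPS-only access and computes an expiry that stays inside the 7-day limit.

```bash
# Added example (not part of the original lab): script the lab's SAS lifecycle.
# Assumes Azure CLI is logged in (`az login`) and these variables are set:
#   STORAGE_ACCOUNT, RESOURCE_GROUP, BLOB_NAME (the file uploaded to container1).
set -euo pipefail

CONTAINER="container1"

# UTC expiry N hours from now, in the Y-m-d'T'H:M'Z' format the CLI accepts.
# A user delegation SAS cannot outlive its delegation key, which is capped at
# 7 days, so refuse longer lifetimes instead of letting the request fail later.
sas_expiry() {
  local hours="$1"
  if [ "$hours" -le 0 ] || [ "$hours" -gt 168 ]; then
    echo "expiry must be between 1 and 168 hours (7 days)" >&2
    return 1
  fi
  date -u -d "+${hours} hours" '+%Y-%m-%dT%H:%MZ'
}

# Issue a user delegation SAS (--as-user + --auth-mode login) for the blob.
# Read-only (r) over HTTPS is enough to verify the file is reachable; grant
# acdrw only when the consumer really needs to create, write or delete.
generate_sas() {
  az storage blob generate-sas \
    --account-name "$STORAGE_ACCOUNT" --container-name "$CONTAINER" \
    --name "$BLOB_NAME" --permissions r --https-only \
    --expiry "$(sas_expiry 1)" --auth-mode login --as-user --full-uri -o tsv
}

# HTTP status of a HEAD request against the SAS URI: 200 while the SAS is
# valid, 403 (AuthenticationFailed) once the delegation keys are revoked.
sas_status() {
  curl -s -o /dev/null -I -w '%{http_code}' "$1"
}

# Revoke every user delegation key on the account, which invalidates all user
# delegation SAS tokens issued from them (propagation can take a few minutes).
revoke_keys() {
  az storage account revoke-delegation-keys \
    --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP"
}
# Run the full cycle only when the account variables are present.
if [ -n "${STORAGE_ACCOUNT:-}" ] && [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${BLOB_NAME:-}" ]; then
  URI="$(generate_sas)"
  echo "before revoke: HTTP $(sas_status "$URI")"
  revoke_keys
  sleep 300   # allow up to 5 minutes for the revocation to take effect
  echo "after revoke:  HTTP $(sas_status "$URI")"
fi
```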