Create a User Delegation SAS using Azure CLI

1 hour
  • 3 Learning Objectives

About this Hands-on Lab

By using a user delegation SAS, we can help to improve the security of access to an Azure Blob storage container. Unlike a normal shared access signature (SAS), a user delegation SAS is associated with an Azure Active Directory (AAD) identity. A user delegation SAS is a service SAS that only supports Blob storage. In this lab, you will create a user delegation SAS using Azure CLI. We’ll then be able to use this user delegation SAS to access a blob. After completing this lab, you’ll understand how to create and revoke a user delegation SAS using Azure CLI.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Upload a File to Blob Storage

Use the Azure Portal to upload a file to Blob storage.

We will use this file (blob object) later to verify that the user delegation SAS we create works as expected.

  1. Navigate to the Storage Accounts section.
  2. Open Storage Accounts from the sidebar, and navigate into the storage account already created for you.
  3. Click on Containers in the storage account working pane.
  4. Open the container named container1.
  5. Click Upload in the command bar.
  6. Select a small file from your computer. Please ensure the file is NOT confidential.
  7. Click Upload.

Create a User Delegation SAS
  1. Use Azure Cloud Shell to create a Bash shell.
    • Subscription: Default
    • Cloud Shell region: same as your lab provided storage account
    • Resource group: Use existing
    • Storage account: Use existing
    • File share: Create new and enter in cloudshell.
  2. Once in the shell, enter the following to create a user delegation SAS:

    az storage blob generate-sas --account-name <TAB> \
      --container-name container1 \
      --name <FILENAME> \
      --permissions acdrw \
      --expiry <DATE> \
      --auth-mode login \
      --as-user \
      --full-uri

    • <TAB> is the Tab key to automatically populate the storage account name.
    • <FILENAME> is the name of the file you uploaded earlier.
    • <DATE> should be a date no more than 7 days from now (YYYY-MM-DD), which is the maximum lifetime of a user delegation SAS.
    • --as-user signs the SAS with a user delegation key obtained through your Azure AD login (hence --auth-mode login) instead of the storage account key, and --full-uri prints the complete blob URL with the SAS token appended rather than the token alone.

Note: The command above will generate a full URI to access the file you uploaded to blob storage. You may click on this within Cloud Shell to open a new window and view the file.

Revoke a User Delegation SAS

Still in Cloud Shell, enter the following to revoke all user delegation keys associated with the storage account:

az storage account revoke-delegation-keys --name <TAB> --resource-group <TAB>

<TAB> is the Tab key to automatically populate the storage account name, and then resource group name.

Note: To verify that the user delegation SAS no longer works, you may need to wait up to 5 minutes and then try using the link generated earlier. It should no longer work, and you will see an "AuthenticationFailed" message.
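The two lab steps above, generate and revoke, as an added bash script that is not part of the lab. It checks a SAS URL offline before handing it out (user delegation key fields present, expiry within the 7-day limit, permissions within an allowed set) and narrows the lab's acdrw to read-only; it assumes GNU date (as in Azure Cloud Shell), curl, and an az CLI session that is already logged in, and the account, resource group and blob names are passed as arguments.

```shell
# Added example (not the lab's own script): wraps the lab's generate/revoke steps
# and checks the SAS URL offline before it is handed out. Assumes GNU date (as in
# Azure Cloud Shell), curl, and an az CLI session that is already logged in.
set -eu

# Print one query parameter of a SAS URL, e.g. sas_param "$url" se
sas_param() {
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p"
}

# A user delegation SAS carries the signed-key fields skoid and sks; a SAS
# signed with the account key does not, so this tells the two apart.
sas_is_user_delegation() {
  [ -n "$(sas_param "$1" skoid)" ] && [ -n "$(sas_param "$1" sks)" ]
}

# Expiry (se=) must be in the future and at most 7 days out (the service limit
# for user delegation SAS). $2 optionally fixes "now" as a UNIX timestamp.
sas_expiry_ok() {
  exp=$(date -u -d "$(sas_param "$1" se)" +%s)
  now=${2:-$(date -u +%s)}
  [ "$exp" -gt "$now" ] && [ "$exp" -le $((now + 7 * 24 * 3600)) ]
}

# Granted permissions (sp=) must be a subset of the allowed set in $2, e.g. "r".
sas_permissions_within() {
  p=$(sas_param "$1" sp)
  [ -n "$p" ] && [ -z "$(printf '%s' "$p" | tr -d "$2")" ]
}

# The lab workflow: generate a read-only user delegation SAS, test it, revoke
# all delegation keys, then poll until the SAS is rejected. Needs live Azure
# access, so it only runs with RUN_LAB=1: RUN_LAB=1 ./sas.sh <account> <rg> <blob>
lab_run() {
  url=$(az storage blob generate-sas --account-name "$1" --container-name container1 \
        --name "$3" --permissions r --expiry "$(date -u -d '+1 day' +%Y-%m-%dT%H:%MZ)" \
        --auth-mode login --as-user --full-uri -o tsv)
  sas_is_user_delegation "$url" && sas_expiry_ok "$url" && sas_permissions_within "$url" r
  curl -sS -o /dev/null -w 'before revoke: HTTP %{http_code}\n' "$url"
  az storage account revoke-delegation-keys --name "$1" --resource-group "$2"
  # Revocation can take a few minutes to propagate (the lab says up to 5).
  for _ in $(seq 1 30); do
    if curl -sS "$url" | grep -q AuthenticationFailed; then echo revoked; return 0; fi
    sleep 10
  done
  echo "SAS still accepted after 5 minutes" >&2; return 1
}
if [ "${RUN_LAB:-0}" = "1" ]; then lab_run "$@"; fi
```

The three sas_* checks can be run on their own against any SAS URL (for example one pasted from Cloud Shell) without touching Azure.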

Additional Resources

You've recently been hired as a security engineer to work for The Pupper Camp (TPC). TPC is a dog services company with offices across the globe.

Your new manager has asked you to test the functionality of a user delegation SAS and demonstrate how to create and revoke access to a blob object.

This is part of a proof of concept for a secure solution that TPC is developing, which will be configured to use an Azure Active Directory (AAD) service principal.

See the Microsoft Documentation for more information on user delegation SAS properties.

