Limit Access to Azure Storage Account Using SAS URI

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

In this lab, you will have an opportunity to create a SAS token for access to an Azure Storage account and then test the SAS-based access by working with the storage account from a separate environment. Students with at least some Azure experience will have the best opportunity to complete the lab without assistance, but the lab guide and solution videos provide a full walkthrough if you get stuck.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Prepare Testing Environment

At the beginning of this objective, you should be logged in to the Azure portal and on the overview page for the resource group provisioned with the lab environment.

In this objective, you will prepare your testing environment by installing Azure Storage Explorer on a VM and uploading a couple of files to an Azure Storage account.

  1. Select the VM provisioned in the resource group, and connect to it using RDP. You can ignore any warnings about port prerequisites or security certificates when connecting.
  2. Use the Microsoft Edge browser to download and install Azure Storage Explorer. A link to a site to download this product is in the Additional Information and Resources section of the lab.
  3. Once Azure Storage Explorer is installed, choose Attach to a resource, select a storage account as the resource to connect to, and choose to connect using a shared access signature (SAS) URL. Do not use a connection string.
  4. Leave the Connection Info dialog open and minimize the VM window, but do not log out of the VM.
  5. Prepare two small text files locally to upload to Blob storage.
  6. Return to the resource group overview page in the portal, and navigate to the storage account with the name that starts with pslab, followed by a few random characters.
  7. Create a new container in the storage account, and upload the two files you prepared.

Create and Test a SAS Token

In this objective, you will enable the storage account to allow the use of SAS tokens, generate a token, and use the SAS URL in Azure Storage Explorer (in the VM) to connect to the storage account and test the permissions expressed in the SAS token.

  1. Go to Configuration on the storage account and enable the use of SAS tokens.

    Hint: You need to allow access to the account using keys in order to make use of SAS tokens.

  2. Create a shared access signature on the storage account with the following properties:

    • Only blob for allowed services.
    • Allow all three resource types.
    • Enable only read and list permissions.
    • Ensure the only allowed protocol is HTTPS.
    • Leave all other properties not mentioned as their defaults.

  3. Use the Blob service SAS URL to connect to the storage account from Azure Storage Explorer on the VM, and check that you can navigate to the container you created and the blobs you uploaded.

  4. Test to ensure that only read and list operations are allowed. For example, you should not be able to add a new blob or delete an existing one.
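
Before handing a SAS URL to anyone, you can also confirm that its query string carries exactly the restrictions chosen in step 2. The following is an added example, not part of the original lab: it parses the account SAS fields (`ss`, `srt`, `sp`, `spr`, `se`) and reports any deviation from the lab's policy. The account name `pslabexample`, the dates and the `sig` value are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Policy from the lab steps: Blob service only, all three resource types
# (service, container, object), read + list only, HTTPS only.
EXPECTED = {"ss": "b", "srt": "sco", "sp": "rl", "spr": "https"}

# Constructed sample URLs; account name, dates and signature are placeholders.
BASE = "https://pslabexample.blob.core.windows.net/?sv=2022-11-02"
GOOD_SAS = BASE + "&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
BAD_SAS = BASE + "&ss=bf&srt=sco&sp=rwdl&se=2020-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"


def audit_account_sas(sas_url, now=None):
    """Return a list of findings; an empty list means the SAS matches the policy."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(sas_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    for key, want in EXPECTED.items():
        got = params.get(key, "")
        # Letter order inside ss/srt/sp is not significant, so compare as sets.
        matches = got == want if key == "spr" else set(got) == set(want)
        if not matches:
            findings.append(f"{key}={got!r}, expected {want!r}")
    expiry = params.get("se")
    if expiry is None:
        findings.append("no expiry (se) present")
    else:
        try:
            # se is an ISO 8601 UTC time; accept date-only values as well.
            when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append(f"token expired at {expiry}")
        except ValueError:
            findings.append(f"unparseable expiry {expiry!r}")
    return findings


if __name__ == "__main__":
    for name, url in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(name, audit_account_sas(url) or "matches lab policy")
```

The check only reads the claimed fields; the service still enforces them through the signature, so this is a pre-distribution review step rather than a substitute for the read/list test in step 4.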

Additional Resources

Your company has hired a contractor, who needs access to containers and blobs in an Azure Storage account in order to perform their duties. They will need access to the storage account for a limited period of time, in which they should only be able to read individual blobs and retrieve lists of both containers and blobs. It's important that they don't have the ability to add, create, or delete data in the storage account. The tool they will use to access the data is Azure Storage Explorer, which can be downloaded and installed locally via the product's web page.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
