In this lab, you will have an opportunity to create a SAS token for access to an Azure Storage account and then test the SAS-based access by working with the storage account from a separate environment. Students with at least some Azure experience will have the best opportunity to complete the lab without assistance, but the lab guide and solution videos provide a full walkthrough if you get stuck.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Prepare Testing Environment
At the beginning of this objective, you should be logged in to the Azure portal and on the overview page for the resource group provisioned with the lab environment.
In this objective, you will prepare your testing environment by installing Azure Storage Explorer on a VM and uploading a couple of files to an Azure Storage account.
- Select the VM provisioned in the resource group, and connect to it using RDP. You can ignore any warnings about port prerequisites or security certificates when connecting.
- Use the Microsoft Edge browser to download and install Azure Storage Explorer. A link to a site to download this product is in the Additional Information and Resources section of the lab.
- Once Azure Storage Explorer is installed, choose Attach to a resource, select a storage account, and choose to connect using a shared access signature (SAS) URL. Do not use a connection string.
- Leave the Connection Info dialog open and minimize the VM window, but do not log out of the VM.
- Prepare two small text files locally to upload to Blob storage.
- Return to the resource group overview page in the portal, and navigate to the storage account with the name that starts with pslab, followed by a few random characters.
- Create a new container in the storage account, and upload the two files you prepared.
- Create and Test a SAS Token
In this objective, you will enable the storage account to allow the use of SAS tokens, generate a token, and use the SAS URL in Azure Storage Explorer (in the VM) to connect to the storage account and test the permissions expressed in the SAS token.
Go to Configuration on the storage account and enable the use of SAS tokens.
Hint: You need to allow access to the account using keys in order to make use of SAS tokens.
Create a shared access signature on the storage account with the following properties:
- Only blob for allowed services.
- Allow all three resource types.
- Enable only read and list permissions.
- Ensure the only allowed protocol is HTTPS.
- Leave all other properties not mentioned as their defaults.
Use the Blob service SAS URL to connect to the storage account from Azure Storage Explorer on the VM, and check that you can navigate to the container you created and the blobs you uploaded.
Test to ensure that only read and list operations are allowed. For example, you should not be able to add a new blob or delete an existing one.
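Before pasting the SAS URL into Azure Storage Explorer, you can confirm that its query string encodes the properties listed above. The following is an added example, not part of the lab materials: it checks the account SAS parameters `ss`, `srt`, `sp`, `spr` and `se` against the lab's settings, and the account name, dates and `sig` value in the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# The lab's settings as account SAS query parameters (one letter per flag).
EXPECTED = {
    "ss": set("b"),     # allowed services: blob only
    "srt": set("sco"),  # resource types: service, container, object
    "sp": set("rl"),    # permissions: read and list only
}

def audit_sas_url(url):
    """Return findings; an empty list means the SAS matches the lab settings."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    for key, want in EXPECTED.items():
        got = set(query.get(key, ""))
        extra = "".join(sorted(got - want))
        missing = "".join(sorted(want - got))
        if extra:
            findings.append(f"{key} grants more than the lab asks for: {extra}")
        if missing:
            findings.append(f"{key} is missing: {missing}")
    # When spr is absent the service accepts both HTTP and HTTPS.
    if query.get("spr") != "https":
        findings.append("spr does not restrict the token to https")
    if "se" not in query:
        findings.append("se (expiry time) is missing")
    return findings

# Constructed sample URLs: account name, dates and sig are placeholders.
BASE = "https://pslabexample.blob.core.windows.net/?sv=2022-11-02"
GOOD = BASE + "&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
BAD = BASE + "&ss=bf&srt=sco&sp=rwdl&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas_url(url) or "matches the lab settings")
```

An empty result only says the token claims the right scope; the read-only test in Azure Storage Explorer is still what confirms the service enforces it.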