A Storage Account in Azure has two account keys that can be used to access it. These keys grant full control over the Storage Account, so it is very important to keep them private.
Another way to grant permissions on a Storage Account is a Shared Access Signature (SAS). A SAS is a powerful way to give other clients limited access to a storage account without exposing your account key.
It is also possible to configure specific options for a SAS, for example:
- Expiry Time
- IP addresses
- Start Time
- Protocol (HttpsOnly or HttpsOrHttp)
To generate SAS keys, the Azure PowerShell modules (http://aka.ms/webpi-azps) are required. Once they are installed, the following PowerShell command generates a SAS key. It uses these options:
- The permission is rwdl (read, write, delete, list).
- Access is granted on Services, Containers and Objects.
- Only clients connecting from the IP range 220.127.116.11-18.104.22.168 can use the key.
- The service is set to Blob (the options are Blob, File, Queue, Table).
- The expiry time is set far in the future; by default the key becomes invalid after a few hours.
```powershell
# Reconstructed: the cmdlet names and the -ExpiryTime value are missing from the extracted
# fragment and are assumed here (classic AzureRM/Azure modules; on Az use Get-AzStorageAccount and New-AzStorageAccountSASToken).
Get-AzureRmStorageAccount `
    -StorageAccountName mystorageaccountname `
    -ResourceGroupName myresourcegroup | `
New-AzureStorageAccountSASToken `
    -Permission rwdl `
    -ResourceType Service,Container,Object `
    -Service blob `
    -IPAddressOrRange 22.214.171.124-126.96.36.199 `
    -ExpiryTime (Get-Date).AddYears(1)
```
The output is a SAS key, like this:
This key can then be given to a client.
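To show what the cmdlet actually produces and what the storage service checks when the key is used, here is an added Python example (not code from the original post): it builds an account SAS with the same options as above (rwdl, blob, Service/Container/Object, IP range, HTTPS only), verifies a presented token the way the service does (recomputing the HMAC from the token's own claims plus the account key), and runs a quick review of a token's claims before it is handed to a client. The account name, key, IP range and times are constructed sample values.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode

# Constructed sample key for the demo (64 arbitrary bytes), not a real account key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def string_to_sign(account, p):
    # Field order of the account-SAS string-to-sign, service versions 2015-04-05 .. 2019-12-12.
    return "\n".join([account, p["sp"], p["ss"], p["srt"], p.get("st", ""),
                      p["se"], p.get("sip", ""), p["spr"], p["sv"]]) + "\n"

def sign(key_b64, text):
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def account_sas(account, key_b64, permissions, services, resource_types, expiry,
                start="", ip_range="", protocol="https", version="2015-04-05"):
    """Build the account SAS query string (sp/ss/srt/se/st/sip/spr/sv) signed with the key."""
    p = {"sv": version, "ss": services, "srt": resource_types, "sp": permissions,
         "se": expiry, "spr": protocol}
    if start:
        p["st"] = start
    if ip_range:
        p["sip"] = ip_range
    p["sig"] = sign(key_b64, string_to_sign(account, p))
    return "?" + urlencode(p)

def parse_sas(token):
    return {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}

def sas_valid(token, account, key_b64):
    """Service-side check: recompute the MAC over the presented claims and compare."""
    p = parse_sas(token)
    return hmac.compare_digest(sign(key_b64, string_to_sign(account, p)), p.get("sig", ""))

def review_sas(token, now_utc):
    """Pre-issue review: reasons the token is broader than HTTPS-only, IP-bound, short-lived, read-mostly."""
    p, findings = parse_sas(token), []
    to_dt = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    if set("wdac") & set(p.get("sp", "")):
        findings.append("grants write/delete/add/create, not just read/list")
    if "sip" not in p:
        findings.append("no sip= restriction: usable from any IP address")
    if p.get("spr") != "https":
        findings.append("spr= allows plain HTTP")
    if to_dt(p["se"]) - to_dt(now_utc) > timedelta(days=30):
        findings.append("expiry is more than 30 days out")
    return findings
```

Note that the token carries its scope in clear text; only the `sig` field depends on the account key, which is why a client holding the SAS still cannot widen its own permissions.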
For example, to upload a file you can use this SAS key together with AzCopy (Microsoft's tool for copying files to a Storage Account).
- Download AzCopy from here.
- Open a Command Prompt and run the command:
```cmd
"C:\Program Files\Microsoft SDKs\Azure\AzCopy\AzCopy.exe" /source:C:\Fol\ /dest:https://<storageaccount>.blob.core.windows.net/<container> /destsas:"?sv=2015-04-05&sig=9mS7XDJU%2Fajbq4D0gCDqb8NJsc7ztbu%2
```
This command line uploads the files in the folder C:\Fol to an Azure Storage Account container using the SAS key (this is the older /source, /dest, /destsas syntax; AzCopy v10 uses `azcopy copy <source> "<destination URL>?<sas>"` instead).