When working with Azure storage, the keys operate like route passwords to your storage. Because of this, they should never be stored in plain text, distributed to users or embedded in applications. In short, don’t give out your account keys, use Shared Access Signatures instead.
Here at Pragmatic Works we’ve been using Shared Access Signatures recently in two scenarios: for backup and restore operations with SQL Managed Instances and for managing storage accounts to Azure Databricks. Here are 3 things to know about SAS:
1. Share Access Signatures are not stored in a recoverable way with your storage account. A bit of a shocking experience for most. Once you generate the signature, you should copy it to a desired location or to an intermediate space such as a Notepad.
When you close the window where you’ve created the signature, you’ll have to recreate it if you need it again. Microsoft does not store this signature anywhere within the platform, so it’s not recoverable from that perspective. You’ll need a copy of the various keys and connection strings if you plan to use that for more than one application.
2. Share Access Signatures protect your account keys. If an SAS is exposed, you can terminate it without impacting other signatures or other account keys. However, if your account key were to be compromised, all Shared Access Signatures and other applications using that account key will need to be reset. A key reason why we recommend using SAS.
3. Shared Access Signatures provide granular control to your storage. Access keys give you full rights to everything in your storage account, but with SAS you’re able to limit the access capabilities of its users. You can limit capabilities such as read, write or update or to containers, plus you can timebox when the signature is valid for. This allows for temporary access to your storage account and easily managing different levels of access to folks within or outside of your organization.
On last important thing to tell you is that Microsoft has Azure Active Directory Access coming for storage. As of this writing, this is in preview, but it will likely be the preferred choice for individual access in the future. If you begin working with Share Access Signatures, you’ll have the opportunity to switch to Azure Active Directory to secure access to your storage for internal users when this is generally available.
If you have questions about securing access to Azure storage with Share Access Signatures or anything Azure related, we are the people to talk to. Click the link below or contact us—we’re here to help where ever you are on your Azure journey.