azureazure-blob-storageaccess-keysshared-access-signatures

Different between access key and Shared Access Signature


Could you please provide the difference between SAS and Access Key and when to use them?

Thank you for your help.


Solution

  • Say you have a website that allows users to upload files. You could create an api that takes the file and put in on a storage account or you can allow the client to upload the file directly to the storage account. In order to do that the api generates and returns a SAS token that allows write access for a short period of time to the storage account. This way the api doesn't need bandwith to cater for large file uploads and the access to the storage account is based on the principle of least privilege

    Another scenario is to facilitate the download of a file for a limited amount of time. For example, an expense report is generated and available for download. The api generates a url to the storage account including a SAS token that gives read permission to a certain blob for a short period of time.

    The use of Access Keys should be avoided, use managed identities so there is no need for access keys that have to be put in the configuration somehow and needs to be protected.

    By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.

    Now, if you have an api or azure function or whatever backend process that needs access to a storage account you can use a managed identity and assign that identity permissions based on the principle of least privilege.