Skip to main content

(Azure) Difference between Shared Access Signature and Shared Access Policy

In this post we will discuss about Shared Access Signature and Shared Access Policy, focusing on what are the different between them.

Let's start with Shared Access Signature (SAS). It provides delectated access to a specific Azure resource. We can specify the resources that we want to allow access, how long we allow access (start and end time) and what kind of operations can be done.
The SAS key is like a token, that can be used by a 3rd party to access a specific resource. In general, the SAS key is included in the URL that is used to access the resource.
A SAS token can be generated very easily and will be available until the expiration time. What happens when we realize that the token is in hands of an unauthorized person or system. Unfortunately we cannot revoce the token. What we can do in this case is to revoke all the SAS tokens that were created with a specific account key. By regenerating the primary account key of a Azure Storage for example we will invalidate all the SAS tokens that were generated with that specific account key.

Shared Access Policy (SAP) define a specific policy rule that can be used to generate SAS keys. All the access constrains that are define by a SAP will be inherit by the SAS key (resource, expiration time, start time and permissions).

In this way we can define a specific SAP that allow us read only access to a file and generate multiple SAS keys for different clients, based on that SAP. If we need to revoke the SAS key, we can remove the SAP with the given name and generate a new one (with a new name). In this way all SAS key that were generated for that SAP will be invalid.

When you are using SAP you are allowed to change the access tuple (expiration time, permission and so on). This can be done directly to SAP. But when we are using SAS, we are not allowed to edit the SAS key. The only thing that we can do is to revoke it (change the account key).

SAS and SAP Comparison
- -SAS-
-SAP-
Can be revoked separately
No
Yes
Can be changed
No
Yes
Number of keys per resource is limited
No
Yes, but we can generate for a SAP as many SAS we need
When generated, triggers an HTTP/S request to Azure
No
Yes

In conclusion, we can say that Shared Access Signature and Shared Access Policy are very similar, but in the same time there are some attributes that are specific to SAS or SAP. Based on our needs we can decided to use one or another.


Comments

Popular posts from this blog

How to check in AngularJS if a service was register or not

There are cases when you need to check in a service or a controller was register in AngularJS.
For example a valid use case is when you have the same implementation running on multiple application. In this case, you may want to intercept the HTTP provider and add a custom step there. This step don’t needs to run on all the application, only in the one where the service exist and register.
A solution for this case would be to have a flag in the configuration that specify this. In the core you would have an IF that would check the value of this flag.
Another solution is to check if a specific service was register in AngularJS or not. If the service was register that you would execute your own logic.
To check if a service was register or not in AngularJS container you need to call the ‘has’ method of ‘inhector’. It will return TRUE if the service was register.
if ($injector.has('httpInterceptorService')) { $httpProvider.interceptors.push('httpInterceptorService&#…

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine:
threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration:

TeamCity.NET 4.51EF 6.0.2VS2013
It seems that there …

[Post-Event] Codecamp Conference Cluj-Napoca - Nov 19, 2016

Last day I was invited to another Codecamp Conference, that took place in Cluj-Napoca. Like other Codecamp Conferences, the event was very big, with more than 1.000 participants and 70 sessions. There were 10 tracks in parallel, so it was pretty hard to decide at  what session you want to join.
It was great to join this conference and I hope that you discovered something new during the conference.
At this event I talked about Azure IoT Hub and how we can use it to connect devices from the field. I had a lot of demos using Raspberry PI 3 and Simplelink SensorTag. Most of the samples were written in C++ and Node.JS and people were impressed that even if we are using Microsoft technologies, we are not limited to C# and .NET. World and Microsoft are changing so fast. Just looking and Azure IoT Hub and new features that were launched and I'm pressed (Jobs, Methods, Device Twin).
On backend my demos covered Stream Analytics, Event Hub, Azure Object Storage and DocumentDB.

Title:
What abo…