Skip to main content

(Azure) Difference between Shared Access Signature and Shared Access Policy

In this post we will discuss about Shared Access Signature and Shared Access Policy, focusing on what are the different between them.

Let's start with Shared Access Signature (SAS). It provides delectated access to a specific Azure resource. We can specify the resources that we want to allow access, how long we allow access (start and end time) and what kind of operations can be done.
The SAS key is like a token, that can be used by a 3rd party to access a specific resource. In general, the SAS key is included in the URL that is used to access the resource.
A SAS token can be generated very easily and will be available until the expiration time. What happens when we realize that the token is in hands of an unauthorized person or system. Unfortunately we cannot revoce the token. What we can do in this case is to revoke all the SAS tokens that were created with a specific account key. By regenerating the primary account key of a Azure Storage for example we will invalidate all the SAS tokens that were generated with that specific account key.

Shared Access Policy (SAP) define a specific policy rule that can be used to generate SAS keys. All the access constrains that are define by a SAP will be inherit by the SAS key (resource, expiration time, start time and permissions).

In this way we can define a specific SAP that allow us read only access to a file and generate multiple SAS keys for different clients, based on that SAP. If we need to revoke the SAS key, we can remove the SAP with the given name and generate a new one (with a new name). In this way all SAS key that were generated for that SAP will be invalid.

When you are using SAP you are allowed to change the access tuple (expiration time, permission and so on). This can be done directly to SAP. But when we are using SAS, we are not allowed to edit the SAS key. The only thing that we can do is to revoke it (change the account key).

SAS and SAP Comparison
- -SAS-
Can be revoked separately
Can be changed
Number of keys per resource is limited
Yes, but we can generate for a SAP as many SAS we need
When generated, triggers an HTTP/S request to Azure

In conclusion, we can say that Shared Access Signature and Shared Access Policy are very similar, but in the same time there are some attributes that are specific to SAS or SAP. Based on our needs we can decided to use one or another.


Popular posts from this blog

How to check in AngularJS if a service was register or not

There are cases when you need to check in a service or a controller was register in AngularJS.
For example a valid use case is when you have the same implementation running on multiple application. In this case, you may want to intercept the HTTP provider and add a custom step there. This step don’t needs to run on all the application, only in the one where the service exist and register.
A solution for this case would be to have a flag in the configuration that specify this. In the core you would have an IF that would check the value of this flag.
Another solution is to check if a specific service was register in AngularJS or not. If the service was register that you would execute your own logic.
To check if a service was register or not in AngularJS container you need to call the ‘has’ method of ‘inhector’. It will return TRUE if the service was register.
if ($injector.has('httpInterceptorService')) { $httpProvider.interceptors.push('httpInterceptorService&#…

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine:
threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration:

TeamCity.NET 4.51EF 6.0.2VS2013
It seems that there …

Entity Framework (EF) TransactionScope vs Database.BeginTransaction

In today blog post we will talk a little about a new feature that is available on EF6+ related to Transactions.
Until now, when we had to use transaction we used ‘TransactionScope’. It works great and I would say that is something that is now in our blood.
using (var scope = new TransactionScope(TransactionScopeOption.Required)) { using (SqlConnection conn = new SqlConnection("...")) { conn.Open(); SqlCommand sqlCommand = new SqlCommand(); sqlCommand.Connection = conn; sqlCommand.CommandText = ... sqlCommand.ExecuteNonQuery(); ... } scope.Complete(); } Starting with EF6.0 we have a new way to work with transactions. The new approach is based on Database.BeginTransaction(), Database.Rollback(), Database.Commit(). Yes, no more TransactionScope.
In the followi…