In this post we will discuss about Shared Access Signature and Shared Access Policy, focusing on what are the different between them.
Let's start with Shared Access Signature (SAS). It provides delectated access to a specific Azure resource. We can specify the resources that we want to allow access, how long we allow access (start and end time) and what kind of operations can be done.
The SAS key is like a token, that can be used by a 3rd party to access a specific resource. In general, the SAS key is included in the URL that is used to access the resource.
A SAS token can be generated very easily and will be available until the expiration time. What happens when we realize that the token is in hands of an unauthorized person or system. Unfortunately we cannot revoce the token. What we can do in this case is to revoke all the SAS tokens that were created with a specific account key. By regenerating the primary account key of a Azure Storage for example we will invalidate all the SAS tokens that were generated with that specific account key.
Shared Access Policy (SAP) define a specific policy rule that can be used to generate SAS keys. All the access constrains that are define by a SAP will be inherit by the SAS key (resource, expiration time, start time and permissions).
In this way we can define a specific SAP that allow us read only access to a file and generate multiple SAS keys for different clients, based on that SAP. If we need to revoke the SAS key, we can remove the SAP with the given name and generate a new one (with a new name). In this way all SAS key that were generated for that SAP will be invalid.
When you are using SAP you are allowed to change the access tuple (expiration time, permission and so on). This can be done directly to SAP. But when we are using SAS, we are not allowed to edit the SAS key. The only thing that we can do is to revoke it (change the account key).
SAS and SAP Comparison
In conclusion, we can say that Shared Access Signature and Shared Access Policy are very similar, but in the same time there are some attributes that are specific to SAS or SAP. Based on our needs we can decided to use one or another.
Let's start with Shared Access Signature (SAS). It provides delectated access to a specific Azure resource. We can specify the resources that we want to allow access, how long we allow access (start and end time) and what kind of operations can be done.
The SAS key is like a token, that can be used by a 3rd party to access a specific resource. In general, the SAS key is included in the URL that is used to access the resource.
A SAS token can be generated very easily and will be available until the expiration time. What happens when we realize that the token is in hands of an unauthorized person or system. Unfortunately we cannot revoce the token. What we can do in this case is to revoke all the SAS tokens that were created with a specific account key. By regenerating the primary account key of a Azure Storage for example we will invalidate all the SAS tokens that were generated with that specific account key.
Shared Access Policy (SAP) define a specific policy rule that can be used to generate SAS keys. All the access constrains that are define by a SAP will be inherit by the SAS key (resource, expiration time, start time and permissions).
In this way we can define a specific SAP that allow us read only access to a file and generate multiple SAS keys for different clients, based on that SAP. If we need to revoke the SAS key, we can remove the SAP with the given name and generate a new one (with a new name). In this way all SAS key that were generated for that SAP will be invalid.
When you are using SAP you are allowed to change the access tuple (expiration time, permission and so on). This can be done directly to SAP. But when we are using SAS, we are not allowed to edit the SAS key. The only thing that we can do is to revoke it (change the account key).
SAS and SAP Comparison
| - | -SAS- |
-SAP-
|
| Can be revoked separately |
No
|
Yes
|
| Can be changed |
No
|
Yes
|
| Number of keys per resource is limited |
No
|
Yes, but we can generate for a SAP as many SAS we need
|
| When generated, triggers an HTTP/S request to Azure |
No
|
Yes
|
In conclusion, we can say that Shared Access Signature and Shared Access Policy are very similar, but in the same time there are some attributes that are specific to SAS or SAP. Based on our needs we can decided to use one or another.
Comments
Post a Comment