Skip to main content

(Azure) Difference between Shared Access Signature and Shared Access Policy

By
In this post we will discuss about Shared Access Signature and Shared Access Policy, focusing on what are the different between them.

Let's start with Shared Access Signature (SAS). It provides delectated access to a specific Azure resource. We can specify the resources that we want to allow access, how long we allow access (start and end time) and what kind of operations can be done.
The SAS key is like a token, that can be used by a 3rd party to access a specific resource. In general, the SAS key is included in the URL that is used to access the resource.
A SAS token can be generated very easily and will be available until the expiration time. What happens when we realize that the token is in hands of an unauthorized person or system. Unfortunately we cannot revoce the token. What we can do in this case is to revoke all the SAS tokens that were created with a specific account key. By regenerating the primary account key of a Azure Storage for example we will invalidate all the SAS tokens that were generated with that specific account key.

Shared Access Policy (SAP) define a specific policy rule that can be used to generate SAS keys. All the access constrains that are define by a SAP will be inherit by the SAS key (resource, expiration time, start time and permissions).

 In this way we can define a specific SAP that allow us read only access to a file and generate multiple SAS keys for different clients, based on that SAP. If we need to revoke the SAS key, we can remove the SAP with the given name and generate a new one (with a new name). In this way all SAS key that were generated for that SAP will be invalid.

 When you are using SAP you are allowed to change the access tuple (expiration time, permission and so on). This can be done directly to SAP. But when we are using SAS, we are not allowed to edit the SAS key. The only thing that we can do is to revoke it (change the account key).

SAS and SAP Comparison
- -SAS-
-SAP-
Can be revoked separately
No
Yes
Can be changed
No
Yes
Number of keys per resource is limited
No
Yes, but we can generate for a SAP as many SAS we need
When generated, triggers an HTTP/S request to Azure
No
Yes

In conclusion, we can say that Shared Access Signature and Shared Access Policy are very similar, but in the same time there are some attributes that are specific to SAS or SAP. Based on our needs we can decided to use one or another.


Labels:

Comments

Post a Comment

Popular posts from this blog

How to audit an Azure Cosmos DB

By
In this post, we will talk about how we can audit an Azure Cosmos DB database. Before jumping into the problem let us define the business requirement: As an Administrator I want to be able to audit all changes that were done to specific collection inside my Azure Cosmos DB. The requirement is simple, but can be a little tricky to implement fully. First of all when you are using Azure Cosmos DB or any other storage solution there are 99% odds that you’ll have more than one system that writes data to it. This means that you have or not have control on the systems that are doing any create/update/delete operations. Solution 1: Diagnostic Logs Cosmos DB allows us activate diagnostics logs and stream the output a storage account for achieving to other systems like Event Hub or Log Analytics. This would allow us to have information related to who, when, what, response code and how the access operation to our Cosmos DB was done. Beside this there is a field that specifies what was th...
Post a Comment
Read more

Why Database Modernization Matters for AI

By
  When companies transition to the cloud, they typically begin with applications and virtual machines, which is often the easier part of the process. The actual complexity arises later when databases are moved. To save time and effort, cloud adoption is more of a cloud migration in an IaaS manner, fulfilling current, but not future needs. Even organisations that are already in the cloud find that their databases, although “migrated,” are not genuinely modernised. This disparity becomes particularly evident when they begin to explore AI technologies. Understanding Modernisation Beyond Migration Database modernisation is distinct from merely relocating an outdated database to Azure. It's about making your data layer ready for future needs, like automation, real-time analytics, and AI capabilities. AI needs high throughput, which can be achieved using native DB cloud capabilities. When your database runs in a traditional setup (even hosted in the cloud), in that case, you will enc...
Post a Comment
Read more

AI ROI without hype: a practical way to measure value using risk adjustment + Azure Copilot example

By
Most people know what ROI means, but it’s harder to calculate for AI projects. The numbers are less predictable than with traditional platforms because many AI projects never reach stable production. IDC says only about 44% of custom AI apps and 53% of third-party AI apps make it from proof of concept to production. That’s why it’s important to look at ROI through a risk lens, not just cost versus benefit. One useful approach is to use a risk-adjusted formula: AI ROI = (AI Business Value Income / (Initial Investment + Annual Costs)) × Success Probability where, >AI Business Value Income (over N years) Consider a 2 to 3 year period and include both direct and indirect value: Direct: time saved, fewer tickets, higher conversion, lower fraud. Indirect: improved customer or employee experience and quicker decisions. For these, use measurable stand-ins like CSAT, churn, time to resolution, or hours saved, and estimate conservatively. >Initial Investment This covers more than just buil...
Post a Comment
Read more