DEV Community


Posted on

Azure Storage - Creating Shared Access Signature Tokens with Stored Access Policy

Creating Shared Access Signature (SAS) Tokens is easy to do, safer (than giving access keys) and useful for short-term access to your Azure Storage. However, one of the downsides is that there is no way to revoke access to any of these tokens once they are created.

The better practice is to create SAS Tokens with Stored Access Policy. Stored Access Policy allows for visibility on what/when are being shared & for how long, plus the ability to revoke tokens when required.

There are a couple of ways to create SAS Tokens with Shared Access Policy, i.e. via UI, PowerShell, Azure CLI and .NET but I will cover the most straightforward ones only, i.e. via UI.

Naturally, the main UI we will use will be the Azure Portal. Unfortunately, this option cannot work for Azure File Storage.

Blob Storage

For Blob Storage, notice there is the option to select Stored Access Policy when generating the token.

Blob SAS Token

File Storage

Things are relatively different for Azure File Storage.
Firstly, there no way to create SAS Tokens for Azure File Storage in the File Share window.

File Share

The only way to create SAS Tokens for Azure File Storage in the portal will be to go back out to the "Shared Access Signature" menu item under Security + networking, here you can see it allows creating SAS tokens for Azure File, but there is no option to select the Shared Access Policy.

File service

I honestly have no idea why they have chosen not to implement this for Azure File Storage in the Azure Portal. Even more confusing is that this is not mentioned explicitly in the official docs as far as I know. It will make one wonder if Shared Access Policies are not supported for Azure File Storage, however that is not the case!

The only option to do so via the UI will be using the Azure Storage Explorer.

Get SAS Token Menu item

Access Token option

Top comments (0)