Shulou(Shulou.com)06/02 Report--

From the previous article, I believe everyone knows that Shared Access Signature (SAS) is a mechanism to restrict access to Azure storage. This is one of the more secure ways to provide access to our storage accounts. Access the corresponding Azure storage account without accessing a key.

There are two common SAS types:

Service Level: Allow access to resources in only one of the following storage services: Blob, Queue, Table, and File Account Level: Allow access to resources in one or more storage services. All operations available through Service Level SAS are also available through Account Level SAS

Next, let's take a look at how to use SAS to explode Azure Storage security

I prepared a storage account named "sql12bak":

In the storage account, a container named "test" is prepared and some files used for the test are uploaded:

With the above preparations, we can return to the main page of the storage account and see the Shared access signature tab:

After clicking on Shared access signature, we can see that there are several types of settings:

Permitted services: We can choose which services we can offer to our users. Permitted permissions: We can choose which permissions to grant to users. Start and end: We can set availability periods. Allowed IP addresses: We can whitelist IP access to storage accounts. Allowed protocols: HTTPS only or http and https

In this example we will configure the following permissions:

Read, list: so that users can read and list files under the account, but can not delete, write, add goods to create resources to the storage account

Also we configure only HTTPS protocol access, and click Generate Connection String:

After generating SAS and connection strings, copy Blob Services SAS URL:

Open Microsoft Azure Storage Explorer and click Add Account:

In Connect to Azure Storage, select Use Shared Access Signature (SAS) URI and click Next:

Paste the copied URL. When you paste the URL, it automatically updates the other text boxes, and then click Next.

Confirm, click on the link:

Among the storage accounts we prepared, we can find the "test" container. Inside the container, we can see that there are several test files:

When I double-click test.txt I can read the file because we have previously granted read access:

But when I try to delete or upload a file, it prompts us that we don't have permission:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.