
Storage access keys and SAS tokens in Azure - Commands & Configuration

Introduction
Storage access keys and SAS tokens control who can access your Azure storage and what they can do. Access keys give full control, while SAS tokens allow limited, time-bound access to specific resources.
When you want to give an application full access to your storage account for management tasks.
When you need to share a file or container with someone temporarily without exposing your full storage account.
When you want to restrict access to only read or write operations on a specific blob or file.
When you want to limit access to storage resources by time and permissions for security.
When you want to rotate keys regularly to keep your storage account secure.
Commands
This command lists the access keys for the specified storage account. Access keys provide full control over the storage account.
Terminal
az storage account keys list --account-name mystorageaccount --resource-group myresourcegroup
Expected Output
[
  {
    "keyName": "key1",
    "permissions": "FULL",
    "value": "abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yzab5678cdef9012"
  },
  {
    "keyName": "key2",
    "permissions": "FULL",
    "value": "1234abcd5678efgh9012ijkl3456mnop7890qrst1234uvwx5678yzab9012cdef"
  }
]
--account-name - Specifies the name of the storage account.
--resource-group - Specifies the resource group of the storage account.
This command generates a SAS token for the container 'mycontainer' with read, write, and list permissions that expires at the end of 2024. The token only works over HTTPS for security.
Terminal
az storage container generate-sas --account-name mystorageaccount --name mycontainer --permissions rwl --expiry 2024-12-31T23:59:00Z --https-only
Expected Output
sv=2023-01-01&ss=b&srt=sco&sp=rwl&se=2024-12-31T23%3A59%3A00Z&spr=https&sig=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890
--permissions - Sets allowed actions: r=read, w=write, l=list.
--expiry - Sets when the SAS token expires.
--https-only - Restricts access to HTTPS requests only.
This command uploads a file named example.txt to the container using the SAS token for authentication, demonstrating how to use SAS tokens for limited access.
Terminal
az storage blob upload --account-name mystorageaccount --container-name mycontainer --name example.txt --file ./example.txt --sas-token "sv=2023-01-01&ss=b&srt=sco&sp=rwl&se=2024-12-31T23%3A59%3A00Z&spr=https&sig=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
Expected Output
Uploading ./example.txt to blob example.txt
Upload succeeded
--sas-token - Uses the SAS token for authentication instead of access keys.
This command regenerates the primary access key for the storage account to improve security by rotating keys.
Terminal
az storage account keys renew --account-name mystorageaccount --resource-group myresourcegroup --key primary
Expected Output
No output (command runs silently)
--key - Specifies which key to regenerate: primary or secondary.
Key Concept

If you remember nothing else from this pattern, remember: access keys give full control, but SAS tokens let you share limited, time-bound access safely.

Common Mistakes
Using access keys in client apps or sharing them publicly.
Access keys provide full control and exposing them risks your entire storage account.
Use SAS tokens to grant limited, temporary access instead of sharing access keys.
Generating SAS tokens without setting an expiry time.
Tokens without expiry can be used forever, increasing security risks.
Always set a reasonable expiry time when creating SAS tokens.
Not restricting SAS tokens to HTTPS only.
Without HTTPS restriction, tokens can be intercepted over insecure connections.
Use the --https-only flag to ensure tokens work only over secure connections.
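As an added example (not part of the original page), the following POSIX shell script audits a SAS token string before it is shared, checking the three mistakes listed above: no expiry, no HTTPS-only restriction, and broader permissions than the task needs. It reads the sp=, se= and spr= query parameters that az storage container generate-sas emits (these names are Azure's documented SAS parameters); the function names, the policy defaults (7 days, read + list) and the optional fixed "now" argument are assumptions of this example, and the timestamp parser handles only UTC timestamps in the YYYY-MM-DDTHH:MM:SSZ form the CLI produces.

```shell
#!/bin/sh
# Added example, not from the original page: audit a SAS token before sharing it.
# Assumes a POSIX shell; the sp=, se= and spr= parameter names are Azure's
# documented SAS query parameters, everything else here is hypothetical tooling.

# Print the value of one SAS query parameter, or nothing if it is absent.
# $1 = token, $2 = parameter name (anchored, so "sp" does not match "spr=")
sas_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Undo the %3A escaping az emits in the se= timestamp.
sas_urldecode() {
    printf '%s\n' "$1" | sed 's/%3[Aa]/:/g'
}

# Convert YYYY-MM-DDTHH:MM:SSZ (UTC only) to epoch seconds without relying on a
# GNU or BSD date(1); prints 0 if the input does not have that shape.
# Uses the days-from-civil algorithm (months counted from March).
iso_to_epoch() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) echo 0; return 0 ;;
    esac
    y=${1%%-*}; r=${1#*-}
    m=${r%%-*}; r=${r#*-}
    d=${r%%T*}; r=${r#*T}
    H=${r%%:*}; r=${r#*:}
    M=${r%%:*}; S=${r#*:}; S=${S%Z}
    # strip one leading zero so "08" is not read as an octal literal
    m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + H * 3600 + M * 60 + S))
}

# sas_check TOKEN [MAX_DAYS] [ALLOWED_PERMS] [NOW_EPOCH]
# Prints one line per finding and returns 0 when the token is within policy,
# 1 otherwise. MAX_DAYS defaults to 7, ALLOWED_PERMS to "rl" (read + list),
# NOW_EPOCH to the current time (overridable so a check is reproducible).
sas_check() {
    token=$1
    max_days=${2:-7}
    allowed=${3:-rl}
    now=${4:-$(date -u +%s)}
    rc=0

    # 1. Expiry must be present, in the future, and not too far out.
    expiry=$(sas_urldecode "$(sas_param "$token" se)")
    if [ -z "$expiry" ]; then
        echo "FAIL: token has no expiry (se=)"; rc=1
    else
        exp_epoch=$(iso_to_epoch "$expiry")
        limit=$((now + max_days * 86400))
        if [ "$exp_epoch" -eq 0 ]; then
            echo "FAIL: cannot parse expiry '$expiry'"; rc=1
        elif [ "$exp_epoch" -le "$now" ]; then
            echo "FAIL: token already expired at $expiry"; rc=1
        elif [ "$exp_epoch" -gt "$limit" ]; then
            echo "FAIL: expiry $expiry is more than $max_days days out"; rc=1
        fi
    fi

    # 2. Token must be HTTPS-only (spr=https, not the default https,http).
    if [ "$(sas_param "$token" spr)" != "https" ]; then
        echo "FAIL: token is not restricted to HTTPS (spr=https)"; rc=1
    fi

    # 3. Every granted permission letter must be in the allowed set.
    perms=$(sas_param "$token" sp)
    if [ -z "$perms" ]; then
        echo "FAIL: token grants no permissions (sp=)"; rc=1
    fi
    for c in $(printf '%s' "$perms" | sed 's/./& /g'); do
        case "$allowed" in
            *"$c"*) ;;
            *) echo "FAIL: permission '$c' is not in the allowed set '$allowed'"; rc=1 ;;
        esac
    done

    if [ "$rc" -eq 0 ]; then echo "OK: token within policy"; fi
    return "$rc"
}

# Usage: sh sas_check.sh "$(az storage container generate-sas ... -o tsv)" 7 rl
if [ $# -gt 0 ]; then
    sas_check "$@"
fi
```

Run it on the output of generate-sas (with -o tsv so the token is unquoted) and let a non-zero exit stop the pipeline that would hand the token out; the token shown on this page fails the default policy because it grants write and is valid for longer than seven days. Pair the audit with rotation: a SAS is signed with one of the account keys, so regenerating that key with keys renew invalidates every outstanding token signed with it, and those tokens must be reissued.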
Summary
List storage account access keys to see full control credentials.
Generate SAS tokens to share limited, time-bound access to storage resources.
Use SAS tokens for operations like uploading blobs without exposing full access keys.
Rotate access keys regularly to keep the storage account secure.