2.5 Storage Account Access Keys and Shared Access Signatures

Video Transcription
Welcome back. In this episode, we're gonna dive into another Azure storage account topic, covering access keys and shared access signatures.
Our objectives this time are just two: understand access keys, and then understand shared access signatures. We're gonna take a look at a couple of concepts in our slides here and then jump back into our Azure portal to look at another demo.
As we've already looked at, Azure storage accounts provide access over HTTP or HTTPS.
And each time a client makes a request, it has to be authorized through some mechanism to make sure that the request is valid.
We have a couple of different ways to do this. As mentioned previously, there's Azure Active Directory or anonymous public read access. But what we're gonna focus on this time is the shared key and shared access signatures.
So first is the shared key. Shared keys can be used on blobs, files, queues and tables inside the storage account.
Each storage account comes with two keys that are used in the authorization header in an HTTPS request.
For example, if you have developers that are using data in a storage account, you give them a shared key or connection string to use with their application.
Applications running in Azure can also use the connection string in Azure service configuration schema files.
Storing these connection strings with the shared key makes it easy to manage and to update applications if one of the keys has changed. In this screenshot, we have an example of one string listed on the storage account, and we'll see this again in our demo.
Now, shared access signatures, often abbreviated as SAS, is a URI that provides access to Azure storage account resources. This shared access signature is given to clients who don't need the shared key to the storage account, but you still want to provide them access to the resource.
This signature can provide granular control to the resource, such as read, write, delete or add,
and it can even be time-based so that the URI is eventually no longer valid.
The shared access signature can delegate access to different Azure storage account services like blobs, files, queues and tables.
Here we have an example of a shared access signature. Now I know it looks a little bit complicated, but let's take a more detailed look at some of its components.
Now here's that same shared access signature. So let's break down each part of the URI and talk about what each one means.
First, the top line is the storage service URL. This probably looks familiar from our last episode when we created a container in our blob service. This is the name of the storage account and the blob service inside of it.
Next is the signed version, which is just the version of the storage service to use.
ss is signed services, or which storage service in the storage account to use. Here b means blob, but we could also include q for queue service, t for table and f for file.
Signed resource type specifies the resource type that is accessible in the account shared access signature. s is for service-level APIs, c is for container-level APIs and o is for object-level APIs. These could be combined into multiple values. Signed permissions is the permissions that are allowed in the URI;
in this example, rw stands for read and write.
But we could have also included d for delete, l for list or a for add.
The signed expiry is for when the access signature becomes invalid. And along with that, the signed start is when the access signature becomes valid. This is an optional parameter, and if it is not specified, the start time is assumed to be when the service receives the request.
The start and end times must be written as UTC time in ISO 8601 format.
The signed protocol specifies the permitted protocol that could be used in the request. Here we have HTTPS, but HTTP could also be included as well. However, HTTP only is not a valid option.
Finally, we have the signature, and this is the part of the URI that is used to authorize the request in the shared access signature. Now that we have an understanding of what shared keys and shared access signatures are, let's jump back over to our Azure portal and see what they look like in there. Here we are back in the overview of our storage account.
And if we go to Settings and Access keys,
we can view our two sets of keys and connection strings for this storage account. You could give key 1 to your developers to use for their applications, but maybe on down the line you want to switch to a different key.
You can give them key 2 to replace key 1 in their configuration files before you regenerate key 1. This allows uninterrupted access to the storage account. If you need to regenerate a key for your storage account, just click the double arrow here.
You'll be prompted to say once this is regenerated, the old one will be invalid and not recoverable, and anything using that access key will lose access.
We click on Yes,
and the key is successfully regenerated.
Now let's go look at Shared access signature, also available under Settings.
Here we have a little form that we can use to create the different aspects of the URI that we looked at before on the slides.
First, we have allowed services, and we see each of our account's storage services there, like blob, file, queue and table.
We also have the allowed resource types and our allowed permissions. And as you can see, there's a couple more there that we didn't mention in the slides, like create, update and process.
Next we have our start and end times for the URL. It doesn't have to be right now; you could set it for a future time period and also set the time zone.
And an additional option we didn't mention in the slides is allowed IP addresses, so you could really lock down where access is coming from for that URI. Next we have our allowed protocols, including HTTPS and HTTP. Just note that you can't use only HTTP; that's not an option.
And finally, you have the signing key that you want to use, which should look familiar. That's one of the access keys we just looked at.
If you wanted to use access key 2, you can click that in the drop-down menu.
Finally, let's go ahead and generate our shared access signature and connection strings.
We have our connection string, our shared access token, as well as individual URLs for each of our services that we specified above, such as blob, file, queue and table.
That does it for this demo. Let's jump back over to our slides to wrap this up. That does it for our demo, where we viewed and generated shared keys and also generated shared access keys.
That does it for this episode, and that's a wrap on talking about storage accounts. Coming up next, we're gonna have an introduction to virtual networking in Azure. See you in the next video.
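The SAS components walked through above (sv, ss, srt, sp, st, se, spr, sip, sig) can be checked mechanically before a URI is handed to a client. The following is an added example, not code from the video or from Azure: it parses a constructed account SAS URL (hypothetical account name, placeholder signature) into named components and reports the things a reviewer would flag, such as a long lifetime, plain HTTP allowed, no IP restriction, or write/delete permissions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
# Constructed sample account SAS: hypothetical account name, placeholder signature.
SAMPLE_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2019-02-02&ss=b&srt=sco"
              "&sp=rw&st=2020-01-01T00:00:00Z&se=2030-01-01T00:00:00Z&spr=https"
              "&sig=PLACEHOLDER_SIGNATURE")
# Single-letter codes used in the ss, srt and sp query parameters.
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}

def _parse_time(value):
    # st and se are UTC ISO 8601; accept the common date-time and date-only forms.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported time format: {value}")

def parse_sas(url):
    """Split a SAS URI into named components (sv, ss, srt, sp, st, se, spr, sip)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "version": q.get("sv"),
        "services": [SERVICES[c] for c in q.get("ss", "")],
        "resource_types": [RESOURCE_TYPES[c] for c in q.get("srt", "")],
        "permissions": [PERMISSIONS[c] for c in q.get("sp", "")],
        "start": _parse_time(q["st"]) if "st" in q else None,  # absent: valid on receipt
        "expiry": _parse_time(q["se"]),
        "protocol": q.get("spr"),  # absent: both https and http are permitted
        "allowed_ip": q.get("sip"),
    }

def audit_sas(url, now=None, max_lifetime=timedelta(days=30)):
    """Findings a reviewer would raise before handing a SAS URI to a client."""
    sas = parse_sas(url)
    now = now or datetime.now(timezone.utc)
    findings = []
    if sas["expiry"] <= now:
        findings.append("expired")
    elif sas["expiry"] - now > max_lifetime:
        findings.append("lifetime exceeds %d days" % max_lifetime.days)
    if sas["protocol"] is None or "http" in sas["protocol"].split(","):
        findings.append("plain http permitted")
    if sas["allowed_ip"] is None:
        findings.append("no allowed IP range (sip)")
    if {"write", "delete"} & set(sas["permissions"]):
        findings.append("write or delete permission granted")
    return findings
```

The 30-day lifetime threshold is an assumption for illustration; pick the limit your own policy allows.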