Introduction to Shared Access Signatures (SAS)


Time
22 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
24
Video Transcription
00:00
>> Hey everybody and welcome back.
00:00
In this lecture we're going to
00:00
talk about something called
00:00
Shared Access Signatures and what they
00:00
mean for you when you're dealing with storage services.
00:00
We're going to be introducing what
00:00
shared access signatures are,
00:00
and then we're going to be comparing
00:00
the different types of
00:00
shared access signatures or SAS services,
00:00
or authentication
00:00
key type things that you're going to be using,
00:00
they are actually it's called tokens,
00:00
the SAS tokens that we're going to
00:00
be comparing in this lesson.
00:00
Let's go ahead and dive into it.
00:00
Introducing Shared Access Signatures, what is it,
00:00
what does it do, how is this different
00:00
from other authentication methods?
00:00
Essentially, you have account keys,
00:00
you have password and username.
00:00
This is another form of authentication.
00:00
This is a signature,
00:00
so it is a token that
00:00
you can share and it's actually something
00:00
that's really handy when you're trying
00:00
to work with third-party vendors that don't
00:00
necessarily have long-term rights,
00:00
they're not employees.
00:00
You don't want to necessarily
00:00
trust them explicitly with
00:00
all the resources or the typical things,
00:00
the standard things that you would trust
00:00
internal employees with.
00:00
You can restrict the access that maybe third
00:00
party individuals outside of
00:00
the organization or maybe even
00:00
outside of your departments.
00:00
You can entrust them with
00:00
only the necessary access that they need.
00:00
You can restrict it based on time.
00:00
You can restrict it based on the scope of access.
00:00
Whether it's just read or write.
00:00
Whether it's just one resource or multiple resources,
00:00
there's a lot you can do with it.
00:00
Some key features that you want to keep in mind is that
00:00
the string of the security token or the SAS token,
00:00
this is going to be something that explicitly defines,
00:00
or I should say would
00:00
reflect everything that you've defined,
00:00
all the parameters that you've defined.
00:00
That is going to be included within there.
00:00
It can be attached to a URI.
00:00
Like I mentioned earlier, SAS can be used to
00:00
delegate access to storage objects.
00:00
It can provision restrictions such as time limits,
00:00
and what it has access to,
00:00
and when it has access to it,
00:00
and based on what IP addresses and so forth,
00:00
so you can really cool note on that.
00:00
You can actually restrict
00:00
the SAS token to only work within
00:00
specific IP address ranges during specific time limits.
00:00
You can set it for a week or a few days,
00:00
maybe for a day within a few hours.
00:00
There's a lot of flexibility on what you
00:00
can do there and actually,
00:00
right after this lesson,
00:00
you're going to have the opportunity
00:00
to jump into a lab where you can actually
00:00
configure your own shared access signature.
00:00
That'll be a really good opportunity for you to see
00:00
firsthand the different settings
00:00
that you have available to you.
00:00
With a SAS token,
00:00
there is a query string that holds all
00:00
the necessary info.
00:00
>> It's what I was mentioning earlier,
00:00
is that you do have a lot of
00:00
those defined parameters already within there.
00:00
This is something that's going to be used
00:00
to authorize your requests.
00:00
Let's go ahead and talk about
00:00
the three different SAS tokens that are available.
00:00
We have user delegation SAS.
00:00
This SAS token is to access only specific things,
00:00
this is going to be containers, blobs or directories.
00:00
You can secure these SAS tokens
00:00
using Azure AD credentials or account keys.
00:00
It is recommended that you use Azure AD,
00:00
not account keys because account keys
00:00
those tend to be easily compromised.
00:00
Azure AD does offer some better
00:00
security features there.
00:00
>> With service level SAS,
00:00
this allows us to delegate access to
00:00
a single resource within a single storage service,
00:00
so much more restrictive.
00:00
This SAS token is
00:00
a query string that includes all of
00:00
the information required to authorize the requests.
00:00
Then for account level SAS,
00:00
this is going to be something that you
00:00
can use to delegate access to
00:00
service level operations that are not
00:00
necessarily or that may not be available to you,
00:00
through service level SAS.
00:00
This does delegate access to
00:00
resources at the storage account level.
00:00
You will get the ability to delegate that access
00:00
out to multiple storage services
00:00
within that storage account.
00:00
Last but not least, you can delegate
00:00
access to write and delete operations for containers,
00:00
queues, tables, and file shares.
00:00
It is flexible across
00:00
all different types of services that you
00:00
would be typically controlling
00:00
within your storage account.
00:00
All right, that wraps up this lecture.
00:00
We basically covered
00:00
what exactly Shared Access Signatures
00:00
are and why you want to use it.
00:00
It is obviously something that's going to
00:00
be very helpful whenever you
00:00
are collaborating with other parties
00:00
that don't necessarily have
00:00
the privileges to continually
00:00
work in the storage environments.
00:00
These could be third parties to your organizations
00:00
and third parties to your department specifically,
00:00
maybe they still work within the organization,
00:00
but not in your team directly.
00:00
Again, we also covered
00:00
the different types of SAS tokens available.
00:00
Now, that wraps up this lecture.
00:00
Next lesson, you should be following,
00:00
it will be the actual lab,
00:00
which will help you.
00:00
It'll walk you through the process of actually
00:00
standing up your first SAS token.
00:00
There you'll get to see the various steps
00:00
involved and the different parameters you can set.
00:00
All right, everyone hope this was helpful.
00:00
Reach out if you have any questions.
00:00
If not, I'll see you in the next lesson.