TL;DR
Shared Access Signatures (SAS) tokens provide temporary access to Azure resources. This guide shows you how to create and use them securely, focusing on minimising risk by limiting permissions and duration.
1. Understand SAS Token Types
There are three main types of SAS tokens:
- Account SAS: Grants access to the entire storage account. Avoid this if possible – it’s too broad.
- Service SAS: Grants access to a specific service (e.g., Blob, Queue, Table) within an account. Better than Account SAS but still potentially wide-ranging.
- Resource SAS: Grants access to a single resource (e.g., a specific blob). This is the most secure option and should be preferred whenever feasible.
2. Creating a SAS Token using Azure Portal
- Navigate to the resource you want to protect (e.g., a Blob container in your Storage account).
- Select Generate SAS. The exact location varies slightly depending on the resource type.
- Configure permissions: Carefully select only the necessary permissions. Common options include Read, Write, Delete, List.
- Set an expiry time: Choose the shortest possible duration that meets your needs. Avoid long-lived tokens.
- Select Allowed protocols (HTTPS is recommended).
- Allowed IP addresses (optional): Restrict access to specific IPs for added security.
- Copy the generated SAS token and URL. Treat this token like a password!
3. Creating a SAS Token using Azure CLI
For automation, use the Azure CLI:
az storage container generate-sas --account-name <storage_account_name> --name <container_name> --permissions rwl --expiry 2024-12-31T23:59Z --https-only
Replace the placeholders with your actual values. Note that --https-only is a switch that takes no value, --permissions rwl grants read, write and list on the container (trim this to what the task needs), and --expiry is a UTC timestamp. The CLI signs the token with the account key it can retrieve for your logged-in identity unless you pass the key or a connection string explicitly.
4. Best Practices for SAS Token Security
- Principle of Least Privilege: Grant only the minimum permissions required for the task.
- Short Expiry Times: Limit the token’s lifespan to reduce the window of opportunity for misuse. Consider tokens lasting minutes or hours, not days or months.
- HTTPS Only: Always use HTTPS to encrypt communication and prevent interception of the SAS token.
- IP Restrictions (where possible): Restrict access to known IP addresses if appropriate.
- Avoid Account SAS: Prefer Service or Resource SAS tokens whenever possible.
- Regular Rotation: If you must use longer-lived tokens, rotate them regularly.
- Secure Storage of Tokens: Do not hardcode SAS tokens in your application code. Use environment variables, Azure Key Vault, or other secure storage mechanisms.
- Monitor Usage: Enable logging and monitoring to detect suspicious activity related to SAS token usage.
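The practices above can be checked mechanically before a token is handed out or when one is found in a log. The following is an added example, not code from the original guide or from Azure: it parses the query parameters of a SAS URL (sp, se, st, spr, sip, sr, ss, srt) with the Python standard library and reports which practices the token violates. The lifetime threshold, the account name and the sample URLs are constructed for this example, and the sig values are placeholders rather than real signatures.

```python
# Added example, not code from the original guide: audit a SAS URL against
# the practices listed above using only the Python standard library.
# MAX_LIFETIME, the sample URLs and their sig values are constructed.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=8)  # assumed organisational limit for a SAS token


def utc(value):
    """Parse a SAS timestamp such as 2024-06-01T11:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sas_params(url):
    """Return the SAS query parameters of a URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def audit_sas(url, now=None):
    """Return a list of findings; an empty list means the token meets the policy."""
    now = now or datetime.now(timezone.utc)
    p = sas_params(url)
    if "sig" not in p:
        return ["no SAS signature: this is not a SAS URL"]
    findings = []

    # Scope: an account SAS carries ss (services) and srt (resource types);
    # a service SAS carries sr (b = blob, c = container, ...).
    if "ss" in p or "srt" in p:
        findings.append("account SAS: scope is the whole storage account")
    elif p.get("sr") == "c":
        findings.append("container scope: prefer a single-blob SAS (sr=b)")

    # Least privilege: sp lists permission letters (r, w, d, l, a, c, ...).
    perms = p.get("sp", "")
    if "d" in perms:
        findings.append("delete permission granted")
    if len(perms) > 2:
        findings.append(f"broad permission set: sp={perms}")

    # Lifetime: se is the expiry, st the optional start time.
    if "se" not in p:
        findings.append("no expiry parameter (se)")
    else:
        expiry = utc(p["se"])
        start = utc(p["st"]) if "st" in p else now
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - start > MAX_LIFETIME:
            findings.append(f"lifetime {expiry - start} exceeds {MAX_LIFETIME}")

    # Transport and network restrictions.
    if p.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    return findings


# Constructed sample URLs (placeholder account, container and signatures).
TIGHT = ("https://example.blob.core.windows.net/uploads/report.csv"
         "?sv=2022-11-02&sr=b&sp=w&st=2024-06-01T10:00Z&se=2024-06-01T11:00Z"
         "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")
LOOSE = ("https://example.blob.core.windows.net/"
         "?sv=2022-11-02&ss=b&srt=sco&sp=rwdl&se=2025-12-31T23:59Z"
         "&spr=https,http&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, url in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, audit_sas(url, now=utc("2024-06-01T10:05Z")) or ["ok"])
```

Running the script reports no findings for the one-hour, write-only, IP-restricted blob token and six for the account-wide token. The same check fits into a CI step or a log-review job that flags any SAS URL whose findings list is not empty.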
5. Revoking a SAS Token
You can revoke a SAS token by:
- Deleting the resource it grants access to (e.g., deleting the blob).
- Regenerating the SAS token with new parameters, effectively invalidating the old one.
- Rotating storage account keys (this will invalidate all existing SAS tokens based on those keys). Be careful! This impacts other services using the same key.
6. Example Scenario: Securely Uploading a Blob
- Create a Resource SAS token for the specific blob you want to upload to, granting only Write permission and setting a short expiry time (e.g., 1 hour).
- Use this token in your application code to perform the upload operation.
- Once the upload is complete, the token expires automatically.
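The scenario above, as an added example that is not part of the original guide: the application reads the SAS URL from an environment variable rather than hardcoding it, refuses to use a token that is expired or lacks write permission, and performs the upload as a single Put Blob request against the Blob service REST API using only the Python standard library. The variable name BLOB_SAS_URL, the REST API version header, the local file name and the sample URL (with a placeholder account and signature) are assumptions for this example.

```python
# Added example, not code from the original guide: upload a file with a
# write-only, short-lived blob SAS via the Put Blob REST operation.
# BLOB_SAS_URL, the API version, the file name and SAMPLE_SAS are assumed.
import os
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request, urlopen


def utc(value):
    """Parse a SAS timestamp such as 2024-06-01T11:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sas_params(url):
    """Return the SAS query parameters of a URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_upload_token(url, now=None):
    """Refuse to use anything but an unexpired SAS with write permission."""
    now = now or datetime.now(timezone.utc)
    p = sas_params(url)
    if "sig" not in p or "se" not in p:
        raise ValueError("URL is not a SAS URL with an expiry")
    if "w" not in p.get("sp", ""):
        raise ValueError("token lacks write permission; upload would be refused")
    if utc(p["se"]) <= now:
        raise ValueError("token has expired; request a fresh one")
    return p


def build_put_blob(url, data, content_type="application/octet-stream"):
    """Build the Put Blob request: one PUT to the SAS URL with required headers."""
    headers = {
        "x-ms-blob-type": "BlockBlob",  # required by Put Blob
        "x-ms-version": "2022-11-02",   # REST API version; assumption for this example
        "Content-Type": content_type,
    }
    return Request(url, data=data, headers=headers, method="PUT")


def upload_blob(sas_url, data, now=None):
    """Validate the token, then upload; returns the HTTP status (201 on success)."""
    check_upload_token(sas_url, now)
    with urlopen(build_put_blob(sas_url, data), timeout=30) as resp:
        return resp.status


# Constructed sample URL with a placeholder account and signature.
SAMPLE_SAS = ("https://example.blob.core.windows.net/uploads/report.csv"
              "?sv=2022-11-02&sr=b&sp=w&se=2024-06-01T11:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    # Injected at deploy time (e.g. from Key Vault), never committed to source.
    sas_url = os.environ["BLOB_SAS_URL"]
    with open("report.csv", "rb") as f:
        print(upload_blob(sas_url, f.read()))
```

Because the token carries only write permission on one blob, the same credential cannot read the uploaded data back or touch any other object, and once the expiry passes the service rejects the request regardless of what the application does with it.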