WEBVTT 0:00:01.620000 --> 0:00:07.520000 In this video, we're going to talk about shared access signatures. 0:00:07.520000 --> 0:00:10.980000 Let's take a look at the topics that we're going to cover. 0:00:10.980000 --> 0:00:16.180000 We're going to start out talking about what shared access signatures are, 0:00:16.180000 --> 0:00:19.620000 what makes up the different components of a shared access signature. 0:00:19.620000 --> 0:00:27.120000 We'll also take a look at access policy, what your blob access policy 0:00:27.120000 --> 0:00:31.280000 is, and what works for other services as well. 0:00:31.280000 --> 0:00:33.880000 And then we're going to generate and use. 0:00:33.880000 --> 0:00:37.300000 I'm going to demonstrate generating and using a shared access signature 0:00:37.300000 --> 0:00:39.940000 in a couple of different ways. 0:00:39.940000 --> 0:00:44.640000 So let's get started talking about what shared access signatures are. 0:00:44.640000 --> 0:00:48.800000 First of all, you're going to define a shared access signature at a specific 0:00:48.800000 --> 0:00:52.060000 level. This can be at the account level. 0:00:52.060000 --> 0:00:55.560000 Now that can also be at the service level because when you create an account 0:00:55.560000 --> 0:01:00.380000 level shared access signature, you define which services that signature 0:01:00.380000 --> 0:01:03.540000 is for. But it could be for multiple services. 0:01:03.540000 --> 0:01:08.160000 You can also define this at the, what we call, collection level. 0:01:08.160000 --> 0:01:12.400000 Each one of the services has some way of collecting the actual items. 0:01:12.400000 --> 0:01:15.440000 So for example, blob storage has a container. 0:01:15.440000 --> 0:01:18.240000 Your file service has share. 0:01:18.240000 --> 0:01:21.240000 Your table has table and your queue has a queue. 0:01:21.240000 --> 0:01:28.060000 I can create a SAS token for each one of those levels. 0:01:28.060000 --> 0:01:31.640000 Now the next thing that you're going to define is a set of permissions 0:01:31.640000 --> 0:01:35.440000 associated with that SAS token. 0:01:35.440000 --> 0:01:37.840000 Again, this is some of the granularity that we have. 0:01:37.840000 --> 0:01:44.140000 You have the ability to set read and create and update, delete and list. 0:01:44.140000 --> 0:01:47.540000 And if you rearrange those a little bit, you have the crud l. 0:01:47.540000 --> 0:01:51.240000 If you're a developer, create read, update, delete and list. 0:01:51.240000 --> 0:01:55.880000 Now there's a few other permissions that are available based on what type 0:01:55.880000 --> 0:01:59.980000 of service, the queue service for example, has a couple of other permissions. 0:01:59.980000 --> 0:02:03.260000 But those are the basic set of permissions. 0:02:03.260000 --> 0:02:08.060000 Another setting that we have for a shared access signature, excuse me, 0:02:08.060000 --> 0:02:10.380000 SAS, is the time frame. 0:02:10.380000 --> 0:02:15.000000 The start and the expiration of the shared access signature, which of 0:02:15.000000 --> 0:02:15.860000 course you can control. 0:02:15.860000 --> 0:02:20.960000 One thing to be careful with is make sure that you are setting the expiration 0:02:20.960000 --> 0:02:24.700000 otherwise when you create the shared access signature, it's immediately 0:02:24.700000 --> 0:02:31.620000 expired. And the last option that we have when we set a shared access 0:02:31.620000 --> 0:02:34.520000 signature is IP filtering. 0:02:34.520000 --> 0:02:41.560000 Setting up the IP address range or ranges at which, or well at which the 0:02:41.560000 --> 0:02:46.100000 IP address or excuse me, the SAS will be valid. 0:02:46.100000 --> 0:02:50.820000 Now there's another option altogether for creating a SAS token. 0:02:50.820000 --> 0:02:53.640000 I really should say there's two different options for creating a SAS token. 0:02:53.640000 --> 0:02:58.720000 One is to create what's called an ad hoc SAS token or an ad hoc SAS. 0:02:58.720000 --> 0:03:04.000000 And that is created directly and it's actually created based on one of 0:03:04.000000 --> 0:03:06.920000 the keys for the storage account. 0:03:06.920000 --> 0:03:09.640000 The other approach is to create a policy. 0:03:09.640000 --> 0:03:16.440000 I defined a policy at the container level and that policy defines a template 0:03:16.440000 --> 0:03:21.280000 for SAS tokens that are generated based on the policy. 0:03:21.280000 --> 0:03:26.740000 In other words, I would set for example the time frame, the expiration 0:03:26.740000 --> 0:03:31.760000 of the policy. And then when I generate a SAS token, the SAS token is 0:03:31.760000 --> 0:03:34.680000 going to have that expiration. 0:03:34.680000 --> 0:03:38.340000 And same thing for IP address, filtering, permissions, etc. 0:03:38.340000 --> 0:03:46.640000 Now, one advantage of using policy is that if I need to revoke a SAS token, 0:03:46.640000 --> 0:03:52.580000 if I create an ad hoc SAS token, the only way to revoke that is to change 0:03:52.580000 --> 0:03:56.620000 the signature. It's not the signature, that you can't change. 0:03:56.620000 --> 0:04:01.000000 To change the key, in other words, I would have to refresh the key, which 0:04:01.000000 --> 0:04:05.660000 of course would invalidate my SAS token, my signature, but it would also 0:04:05.660000 --> 0:04:08.440000 invalidate anything else that was using that key. 0:04:08.440000 --> 0:04:13.800000 With a policy, the SAS token is actually tied to the policy itself. 0:04:13.800000 --> 0:04:20.380000 So all I would need to do to take away the SAS token is to simply delete 0:04:20.380000 --> 0:04:25.740000 the key and delete the policy, and then the SAS token is no longer valid. 0:04:25.740000 --> 0:04:27.660000 And so that's an advantage of using policies. 0:04:27.660000 --> 0:04:34.220000 One thing to be aware of, you can only have five policies per container 0:04:34.220000 --> 0:04:37.960000 right now at the time of this recording, which means that you just have 0:04:37.960000 --> 0:04:41.640000 to be a little bit careful with how you architect your storage. 0:04:41.640000 --> 0:04:44.660000 If you want to use a lot of policies, you're going to have to use multiple 0:04:44.660000 --> 0:04:46.400000 containers, and that's fine. 0:04:46.400000 --> 0:04:48.720000 It's just something to think about. 0:04:48.720000 --> 0:04:54.100000 Now, let's take a look at the structure of a shared access signature. 0:04:54.100000 --> 0:05:00.540000 Here, I've got the basic example of a shared access signature. 0:05:00.540000 --> 0:05:05.400000 And what you'll notice is that there are sections. 0:05:05.400000 --> 0:05:19.720000 I've got SP, I have ST, I have SE, I have SPR, SV, SIG, and SR. 0:05:19.720000 --> 0:05:21.940000 SP is the permission level. 0:05:21.940000 --> 0:05:24.340000 That would be a combination of the permissions that are available, such 0:05:24.340000 --> 0:05:26.780000 as read, write, etc. 0:05:26.780000 --> 0:05:33.540000 ST and SE define your timeframe, TF. 0:05:33.540000 --> 0:05:35.220000 SPR is protocol. 0:05:35.220000 --> 0:05:39.960000 For example, I could set that to be just HTTPS, so that you can only use 0:05:39.960000 --> 0:05:43.060000 this over HTTPS. 0:05:43.060000 --> 0:05:48.500000 SV is the version of the API that was used to generate this SAS, and you 0:05:48.500000 --> 0:05:50.240000 would not set that. 0:05:50.240000 --> 0:05:53.140000 SIG is the actual signature, and I'm going to talk about that a little 0:05:53.140000 --> 0:05:54.660000 bit more in just a moment. 0:05:54.660000 --> 0:05:56.500000 And then resource is the resource level. 0:05:56.500000 --> 0:06:00.700000 Is this at the account level, is it the blah blah blah, or container level? 0:06:00.700000 --> 0:06:05.560000 Let's take a look at an actual shared access signature. 0:06:05.560000 --> 0:06:10.760000 So now I have the same structure, but I have the values. 0:06:10.760000 --> 0:06:17.580000 So for example, I've got the R there, read permission. 0:06:17.580000 --> 0:06:20.900000 Here's the start time for this particular SAS. 0:06:20.900000 --> 0:06:24.820000 Here's the expiration time for that particular SAS. 0:06:24.820000 --> 0:06:34.260000 So when from 5.8 until 5.9, protocols limited to HTTPS, the API version 0:06:34.260000 --> 0:06:39.400000 that was used to generate the SAS token is 2018-0328. 0:06:39.400000 --> 0:06:43.880000 Here's the SAS token signature, and then here's the resource. 0:06:43.880000 --> 0:06:47.160000 Resource B meaning that it was generated for a blah. 0:06:47.160000 --> 0:06:55.100000 Now, the reason that you can't invalidate a SAS token that's an ad hoc 0:06:55.100000 --> 0:07:01.720000 SAS token is because the SAS token itself is not stored anywhere in the 0:07:01.720000 --> 0:07:06.040000 database. In Azure, what happens is that when you create a SAS token, 0:07:06.040000 --> 0:07:10.740000 you define all of these values, all of these parameters, if you will. 0:07:10.740000 --> 0:07:15.440000 The writes, the time frame, whether or not you're going to limit protocol, 0:07:15.440000 --> 0:07:19.960000 et cetera. And what the system does, if I create an ad hoc, it's going 0:07:19.960000 --> 0:07:24.480000 to take all that data and it's going to sign it with one of its keys, 0:07:24.480000 --> 0:07:26.420000 typically by default the primary key. 0:07:26.420000 --> 0:07:30.940000 And then you'll get that and you can use that, however, it's not stored 0:07:30.940000 --> 0:07:34.800000 anywhere. So when I submit a request, and remember everything coming in 0:07:34.800000 --> 0:07:38.480000 is going to come in via HTTP because it's a REST API. 0:07:38.480000 --> 0:07:42.900000 When I submit a request, I include the SAS token. 0:07:42.900000 --> 0:07:47.680000 And what happens is that on the other side, Azure is going to unpack that 0:07:47.680000 --> 0:07:51.400000 SAS token, it's going to check the values, it's going to re-sign them 0:07:51.400000 --> 0:07:56.320000 using the key and determine if the signature is the same. 0:07:56.320000 --> 0:07:58.620000 Then it's a valid SAS token. 0:07:58.620000 --> 0:08:02.520000 So the only way to invalidate that SAS token if it's based on a key is 0:08:02.520000 --> 0:08:04.760000 to recycle the key. 0:08:04.760000 --> 0:08:09.980000 If I create a SAS token and I base it on a policy, then the SAS token 0:08:09.980000 --> 0:08:13.000000 references the policy, not the key. 0:08:13.000000 --> 0:08:17.780000 Therefore, if I want to invalidate that SAS token, if I delete the policy, 0:08:17.780000 --> 0:08:21.260000 policies no longer there, the SAS token is no longer valid. 0:08:21.260000 --> 0:08:25.060000 Also using a policy means that if I make changes to the policy because 0:08:25.060000 --> 0:08:28.740000 the token actually just references the policy and gets all of its settings 0:08:28.740000 --> 0:08:34.380000 from that, if I change the settings of a policy, it will effectively change 0:08:34.380000 --> 0:08:35.780000 the settings of a token. 0:08:35.780000 --> 0:08:41.340000 So if I have a policy that expires tomorrow, I generate a SAS token based 0:08:41.340000 --> 0:08:43.440000 on that, I decide I want to extend it a week. 0:08:43.440000 --> 0:08:47.120000 All I have to do is extend the policy and the token will automatically 0:08:47.120000 --> 0:08:54.880000 pick that up. So there's a lot of advantages to using a SAS token. 0:08:54.880000 --> 0:09:01.100000 Let's now take a look at a demonstration, a couple demonstrations actually. 0:09:01.100000 --> 0:09:03.760000 I can find these here. 0:09:03.760000 --> 0:09:07.860000 We're going to start out with a code based demonstration. 0:09:07.860000 --> 0:09:12.620000 In this code based demonstration, I'm going to upload some files. 0:09:12.620000 --> 0:09:15.980000 The reason I'm doing this with code is because I can do all of it very 0:09:15.980000 --> 0:09:18.760000 easily and it allows me to be lazy. 0:09:18.760000 --> 0:09:20.400000 That's really what it comes down to. 0:09:20.400000 --> 0:09:26.780000 I've got an account that I connect up to, same connection I've used before, 0:09:26.780000 --> 0:09:30.300000 and I'm going to just go all the way down to establishing connection to 0:09:30.300000 --> 0:09:31.120000 a specific container. 0:09:31.120000 --> 0:09:36.860000 So I have a container, SAS demo, I access that container, I create it 0:09:36.860000 --> 0:09:43.480000 if it doesn't already exist, and I make sure that that container does 0:09:43.480000 --> 0:09:47.220000 not allow public access, which should be the default, but this is just 0:09:47.220000 --> 0:09:53.200000 making sure. So at the end of line 25, I know I have a storage account 0:09:53.200000 --> 0:09:58.740000 blob container, and I know that it doesn't allow public anonymous read 0:09:58.740000 --> 0:10:03.480000 access. Then what I do is I cycle through the files that are in a directory. 0:10:03.480000 --> 0:10:08.480000 I just have some PNG files in a directory, and long story short, I upload 0:10:08.480000 --> 0:10:13.780000 them. So there I get a block blob reference, and then I upload them from 0:10:13.780000 --> 0:10:19.440000 the file. Then what I do is I generate a shared access signature. 0:10:19.440000 --> 0:10:25.000000 I call blob, I use the blob, I get the shared access signature, and I 0:10:25.000000 --> 0:10:28.980000 specify I want read permission, and I want it to expire. 0:10:28.980000 --> 0:10:31.720000 One month from today. 0:10:31.720000 --> 0:10:37.220000 And then I write out the SAS information so that I can actually use it. 0:10:37.220000 --> 0:10:39.820000 So let's see what this does. 0:10:39.820000 --> 0:10:45.480000 So I'm going to go ahead and run this, and then we'll pull it over once 0:10:45.480000 --> 0:10:58.960000 it comes up. There we go. 0:10:58.960000 --> 0:11:02.640000 So I'm going to go ahead and do the URL of the file plus the actual token. 0:11:02.640000 --> 0:11:05.820000 And what I'm going to do is I'm going to go ahead and just grab that. 0:11:05.820000 --> 0:11:16.220000 And let's go over to my browser and let's go ahead and paste and go. 0:11:16.220000 --> 0:11:21.240000 And what that does, you see I've run this a few times, is it downloads 0:11:21.240000 --> 0:11:27.280000 that file. However, if I go back and try it again, but I try it without 0:11:27.280000 --> 0:11:37.320000 the token. So let's take all that away. 0:11:37.320000 --> 0:11:39.980000 It's going to tell me that that file doesn't exist. 0:11:39.980000 --> 0:11:44.800000 Well, I know it exists, but I can't access that file anonymously, which 0:11:44.800000 --> 0:11:48.380000 is what the browser is doing, unless I have the token. 0:11:48.380000 --> 0:11:53.060000 Now what I'm going to do is I'm going to cheat a little bit. 0:11:53.060000 --> 0:11:54.160000 Let's see. I'm not going to cheat. 0:11:54.160000 --> 0:11:55.440000 Now we won't cheat. 0:11:55.440000 --> 0:12:04.940000 OK. I am going to work with policy and also SAS. 0:12:04.940000 --> 0:12:06.880000 So SAS policy and a SAS. 0:12:06.880000 --> 0:12:12.880000 And I'm going to do this from PowerShell. 0:12:12.880000 --> 0:12:16.940000 If I can manage to do this correctly, sorry about that. 0:12:16.940000 --> 0:12:19.840000 Let's bring PowerShell back up. 0:12:19.840000 --> 0:12:22.420000 There we go. The magic of PowerShell. 0:12:22.420000 --> 0:12:27.660000 OK. So what I'm going to do is, first of all, I'm going to make sure I 0:12:27.660000 --> 0:12:31.000000 have the right container name, which I don't at the moment. 0:12:31.000000 --> 0:12:34.340000 That's container name, SAS demo. 0:12:34.340000 --> 0:12:44.080000 I'm going to use this container that already exists. 0:12:44.080000 --> 0:12:45.320000 If I can manage. 0:12:45.320000 --> 0:12:47.380000 I got it. Good. OK. 0:12:47.380000 --> 0:12:50.420000 Now I'm just going to set up some variables, a resource group name, the 0:12:50.420000 --> 0:12:53.180000 storage account name, container name, policy name. 0:12:53.180000 --> 0:12:54.900000 I'm going to grab those. 0:12:54.900000 --> 0:12:57.080000 Then I'm going to establish my context. 0:12:57.080000 --> 0:12:57.840000 So I've got the key. 0:12:57.840000 --> 0:12:59.500000 I've got the context. 0:12:59.500000 --> 0:13:04.700000 And that should connect me up to my storage account. 0:13:04.700000 --> 0:13:10.080000 All right. We're good there. 0:13:10.080000 --> 0:13:14.580000 Now what I'm going to do is I'm going to use that context to create a 0:13:14.580000 --> 0:13:17.700000 new stored access policy. 0:13:17.700000 --> 0:13:20.460000 And I'm going to spare you watching me type. 0:13:20.460000 --> 0:13:22.740000 It's going to look like I type amazingly fast. 0:13:22.740000 --> 0:13:27.680000 There we go. So I have a new AZ storage container, stored access policy. 0:13:27.680000 --> 0:13:29.760000 I specify the container name. 0:13:29.760000 --> 0:13:33.740000 I specify the policy name, which is just demo policy. 0:13:33.740000 --> 0:13:36.960000 I give it the permission of R for read. 0:13:36.960000 --> 0:13:38.700000 I give it an expiration. 0:13:38.700000 --> 0:13:40.060000 And I need the context. 0:13:40.060000 --> 0:13:43.100000 Now I could set additional options. 0:13:43.100000 --> 0:13:45.580000 If I go there, I could set the start time. 0:13:45.580000 --> 0:13:54.180000 I could set a few other options there, such as time out and other concurrent 0:13:54.180000 --> 0:13:56.080000 tasks. Those are kind of standard. 0:13:56.080000 --> 0:13:59.240000 But that gives me the policy. 0:13:59.240000 --> 0:14:03.920000 So we're going to go ahead and create a policy. 0:14:03.920000 --> 0:14:06.420000 All right. So now I have a policy. 0:14:06.420000 --> 0:14:11.360000 The next thing that I want to do is I want to use that policy to create 0:14:11.360000 --> 0:14:16.680000 a token. And I'm going to create a token that is going to work on a specific 0:14:16.680000 --> 0:14:22.000000 file. I'm going to create a blob token. 0:14:22.000000 --> 0:14:28.940000 And again, not going to make you watch me go through this. 0:14:28.940000 --> 0:14:33.260000 But I've got a new AZ storage blob SAS token. 0:14:33.260000 --> 0:14:34.700000 I specify the container. 0:14:34.700000 --> 0:14:37.620000 I specify the blob that I wanted associated with. 0:14:37.620000 --> 0:14:44.280000 And that's one of the blobs that I uploaded over here somewhere. 0:14:44.280000 --> 0:14:48.320000 I need certified. 0:14:48.320000 --> 0:14:53.200000 And then the policy and the context. 0:14:53.200000 --> 0:14:56.140000 So the policy is the policy I just created. 0:14:56.140000 --> 0:15:02.960000 And if I run this, there is my token. 0:15:02.960000 --> 0:15:07.980000 If I've done this right, I'll use the right example. 0:15:07.980000 --> 0:15:13.740000 Copy that. Go back here. 0:15:13.740000 --> 0:15:17.660000 All right. So here was my I-NE certified. 0:15:17.660000 --> 0:15:19.860000 I could not access. 0:15:19.860000 --> 0:15:26.860000 But now if I put that token that I just generated, now it downloaded it. 0:15:26.860000 --> 0:15:29.240000 And you can just see it popped up here. 0:15:29.240000 --> 0:15:32.220000 I probably should have put this on another page so you can see that it 0:15:32.220000 --> 0:15:33.420000 does download it. 0:15:33.420000 --> 0:15:39.880000 We can always use another I -NE certified person or logo. 0:15:39.880000 --> 0:15:43.120000 Oh, and here we go. 0:15:43.120000 --> 0:15:45.320000 It's going to be useful if I actually attach. 0:15:45.320000 --> 0:15:48.000000 That sort of killed the whole concept. 0:15:48.000000 --> 0:15:58.140000 Copy. Paste. And let's try that again. 0:15:58.140000 --> 0:16:01.380000 There you go. Well, at least now you can see that it downloaded copy seven 0:16:01.380000 --> 0:16:04.500000 of the particular file. 0:16:04.500000 --> 0:16:10.000000 And that's really the way you use SAS, either directly or via policy. 0:16:10.000000 --> 0:16:13.100000 Now, it so happened that I use the SAS directly programmatically. 0:16:13.100000 --> 0:16:17.700000 And I used a policy through the scripting environment. 0:16:17.700000 --> 0:16:22.000000 But honestly, that's just a matter of wanting to show you different options. 0:16:22.000000 --> 0:16:24.060000 There's not limited one way or the other. 0:16:24.060000 --> 0:16:26.340000 You have a lot of functionality with SAS tokens. 0:16:26.340000 --> 0:16:29.520000 And it's definitely something that you want to keep in mind when you're 0:16:29.520000 --> 0:16:34.920000 architecting any solutions that involve access to your storage accounts.