WEBVTT

0:00:01.620000 --> 0:00:07.520000
 In this video, we're going to talk
 about shared access signatures.

0:00:07.520000 --> 0:00:10.980000
 Let's take a look at the topics
 that we're going to cover.

0:00:10.980000 --> 0:00:16.180000
 We're going to start out talking about
 what shared access signatures are,

0:00:16.180000 --> 0:00:19.620000
 what makes up the different components
 of a shared access signature.

0:00:19.620000 --> 0:00:27.120000
 We'll also take a look at access policy,
 what your blob access policy

0:00:27.120000 --> 0:00:31.280000
 is, and what works for
 other services as well.

0:00:31.280000 --> 0:00:33.880000
 And then we're going
 to generate and use.

0:00:33.880000 --> 0:00:37.300000
 I'm going to demonstrate generating
 and using a shared access signature

0:00:37.300000 --> 0:00:39.940000
 in a couple of different ways.

0:00:39.940000 --> 0:00:44.640000
 So let's get started talking about
 what shared access signatures are.

0:00:44.640000 --> 0:00:48.800000
 First of all, you're going to define a
 shared access signature at a specific

0:00:48.800000 --> 0:00:52.060000
 level. This can be at
 the account level.

0:00:52.060000 --> 0:00:55.560000
 Now that can also be at the service level
 because when you create an account

0:00:55.560000 --> 0:01:00.380000
 level shared access signature, you define
 which services that signature

0:01:00.380000 --> 0:01:03.540000
 is for. But it could be
 for multiple services.

0:01:03.540000 --> 0:01:08.160000
 You can also define this at the,
 what we call, collection level.

0:01:08.160000 --> 0:01:12.400000
 Each one of the services has some way
 of collecting the actual items.

0:01:12.400000 --> 0:01:15.440000
 So for example, blob storage
 has a container.

0:01:15.440000 --> 0:01:18.240000
 Your file service has share.

0:01:18.240000 --> 0:01:21.240000
 Your table has table and
 your queue has a queue.

0:01:21.240000 --> 0:01:28.060000
 I can create a SAS token for
 each one of those levels.

0:01:28.060000 --> 0:01:31.640000
 Now the next thing that you're going
 to define is a set of permissions

0:01:31.640000 --> 0:01:35.440000
 associated with that SAS token.

0:01:35.440000 --> 0:01:37.840000
 Again, this is some of the
 granularity that we have.

0:01:37.840000 --> 0:01:44.140000
 You have the ability to set read and
 create and update, delete and list.

0:01:44.140000 --> 0:01:47.540000
 And if you rearrange those a little
 bit, you have the crud l.

0:01:47.540000 --> 0:01:51.240000
 If you're a developer, create
 read, update, delete and list.

0:01:51.240000 --> 0:01:55.880000
 Now there's a few other permissions that
 are available based on what type

0:01:55.880000 --> 0:01:59.980000
 of service, the queue service for example,
 has a couple of other permissions.

0:01:59.980000 --> 0:02:03.260000
 But those are the basic
 set of permissions.

0:02:03.260000 --> 0:02:08.060000
 Another setting that we have for a
 shared access signature, excuse me,

0:02:08.060000 --> 0:02:10.380000
 SAS, is the time frame.

0:02:10.380000 --> 0:02:15.000000
 The start and the expiration of the
 shared access signature, which of

0:02:15.000000 --> 0:02:15.860000
 course you can control.

0:02:15.860000 --> 0:02:20.960000
 One thing to be careful with is make sure
 that you are setting the expiration

0:02:20.960000 --> 0:02:24.700000
 otherwise when you create the shared
 access signature, it's immediately

0:02:24.700000 --> 0:02:31.620000
 expired. And the last option that we
 have when we set a shared access

0:02:31.620000 --> 0:02:34.520000
 signature is IP filtering.

0:02:34.520000 --> 0:02:41.560000
 Setting up the IP address range or ranges
 at which, or well at which the

0:02:41.560000 --> 0:02:46.100000
 IP address or excuse me,
 the SAS will be valid.

0:02:46.100000 --> 0:02:50.820000
 Now there's another option altogether
 for creating a SAS token.

0:02:50.820000 --> 0:02:53.640000
 I really should say there's two different
 options for creating a SAS token.

0:02:53.640000 --> 0:02:58.720000
 One is to create what's called an
 ad hoc SAS token or an ad hoc SAS.

0:02:58.720000 --> 0:03:04.000000
 And that is created directly and it's
 actually created based on one of

0:03:04.000000 --> 0:03:06.920000
 the keys for the storage account.

0:03:06.920000 --> 0:03:09.640000
 The other approach is
 to create a policy.

0:03:09.640000 --> 0:03:16.440000
 I defined a policy at the container level
 and that policy defines a template

0:03:16.440000 --> 0:03:21.280000
 for SAS tokens that are generated
 based on the policy.

0:03:21.280000 --> 0:03:26.740000
 In other words, I would set for example
 the time frame, the expiration

0:03:26.740000 --> 0:03:31.760000
 of the policy. And then when I generate
 a SAS token, the SAS token is

0:03:31.760000 --> 0:03:34.680000
 going to have that expiration.

0:03:34.680000 --> 0:03:38.340000
 And same thing for IP address,
 filtering, permissions, etc.

0:03:38.340000 --> 0:03:46.640000
 Now, one advantage of using policy is
 that if I need to revoke a SAS token,

0:03:46.640000 --> 0:03:52.580000
 if I create an ad hoc SAS token, the
 only way to revoke that is to change

0:03:52.580000 --> 0:03:56.620000
 the signature. It's not the signature,
 that you can't change.

0:03:56.620000 --> 0:04:01.000000
 To change the key, in other words, I
 would have to refresh the key, which

0:04:01.000000 --> 0:04:05.660000
 of course would invalidate my SAS token,
 my signature, but it would also

0:04:05.660000 --> 0:04:08.440000
 invalidate anything else
 that was using that key.

0:04:08.440000 --> 0:04:13.800000
 With a policy, the SAS token is actually
 tied to the policy itself.

0:04:13.800000 --> 0:04:20.380000
 So all I would need to do to take away
 the SAS token is to simply delete

0:04:20.380000 --> 0:04:25.740000
 the key and delete the policy, and then
 the SAS token is no longer valid.

0:04:25.740000 --> 0:04:27.660000
 And so that's an advantage
 of using policies.

0:04:27.660000 --> 0:04:34.220000
 One thing to be aware of, you can only
 have five policies per container

0:04:34.220000 --> 0:04:37.960000
 right now at the time of this recording,
 which means that you just have

0:04:37.960000 --> 0:04:41.640000
 to be a little bit careful with
 how you architect your storage.

0:04:41.640000 --> 0:04:44.660000
 If you want to use a lot of policies,
 you're going to have to use multiple

0:04:44.660000 --> 0:04:46.400000
 containers, and that's fine.

0:04:46.400000 --> 0:04:48.720000
 It's just something
 to think about.

0:04:48.720000 --> 0:04:54.100000
 Now, let's take a look at the structure
 of a shared access signature.

0:04:54.100000 --> 0:05:00.540000
 Here, I've got the basic example
 of a shared access signature.

0:05:00.540000 --> 0:05:05.400000
 And what you'll notice is
 that there are sections.

0:05:05.400000 --> 0:05:19.720000
 I've got SP, I have ST, I have SE,
 I have SPR, SV, SIG, and SR.

0:05:19.720000 --> 0:05:21.940000
 SP is the permission level.

0:05:21.940000 --> 0:05:24.340000
 That would be a combination of the permissions
 that are available, such

0:05:24.340000 --> 0:05:26.780000
 as read, write, etc.

0:05:26.780000 --> 0:05:33.540000
 ST and SE define your
 timeframe, TF.

0:05:33.540000 --> 0:05:35.220000
 SPR is protocol.

0:05:35.220000 --> 0:05:39.960000
 For example, I could set that to be
 just HTTPS, so that you can only use

0:05:39.960000 --> 0:05:43.060000
 this over HTTPS.

0:05:43.060000 --> 0:05:48.500000
 SV is the version of the API that was
 used to generate this SAS, and you

0:05:48.500000 --> 0:05:50.240000
 would not set that.

0:05:50.240000 --> 0:05:53.140000
 SIG is the actual signature, and I'm
 going to talk about that a little

0:05:53.140000 --> 0:05:54.660000
 bit more in just a moment.

0:05:54.660000 --> 0:05:56.500000
 And then resource is
 the resource level.

0:05:56.500000 --> 0:06:00.700000
 Is this at the account level, is it the
 blah blah blah, or container level?

0:06:00.700000 --> 0:06:05.560000
 Let's take a look at an actual
 shared access signature.

0:06:05.560000 --> 0:06:10.760000
 So now I have the same structure,
 but I have the values.

0:06:10.760000 --> 0:06:17.580000
 So for example, I've got the
 R there, read permission.

0:06:17.580000 --> 0:06:20.900000
 Here's the start time for
 this particular SAS.

0:06:20.900000 --> 0:06:24.820000
 Here's the expiration time
 for that particular SAS.

0:06:24.820000 --> 0:06:34.260000
 So when from 5.8 until 5.9, protocols
 limited to HTTPS, the API version

0:06:34.260000 --> 0:06:39.400000
 that was used to generate the
 SAS token is 2018-0328.

0:06:39.400000 --> 0:06:43.880000
 Here's the SAS token signature,
 and then here's the resource.

0:06:43.880000 --> 0:06:47.160000
 Resource B meaning that it
 was generated for a blah.

0:06:47.160000 --> 0:06:55.100000
 Now, the reason that you can't invalidate
 a SAS token that's an ad hoc

0:06:55.100000 --> 0:07:01.720000
 SAS token is because the SAS token itself
 is not stored anywhere in the

0:07:01.720000 --> 0:07:06.040000
 database. In Azure, what happens is
 that when you create a SAS token,

0:07:06.040000 --> 0:07:10.740000
 you define all of these values, all
 of these parameters, if you will.

0:07:10.740000 --> 0:07:15.440000
 The writes, the time frame, whether or
 not you're going to limit protocol,

0:07:15.440000 --> 0:07:19.960000
 et cetera. And what the system does,
 if I create an ad hoc, it's going

0:07:19.960000 --> 0:07:24.480000
 to take all that data and it's going
 to sign it with one of its keys,

0:07:24.480000 --> 0:07:26.420000
 typically by default
 the primary key.

0:07:26.420000 --> 0:07:30.940000
 And then you'll get that and you can
 use that, however, it's not stored

0:07:30.940000 --> 0:07:34.800000
 anywhere. So when I submit a request,
 and remember everything coming in

0:07:34.800000 --> 0:07:38.480000
 is going to come in via HTTP
 because it's a REST API.

0:07:38.480000 --> 0:07:42.900000
 When I submit a request,
 I include the SAS token.

0:07:42.900000 --> 0:07:47.680000
 And what happens is that on the other
 side, Azure is going to unpack that

0:07:47.680000 --> 0:07:51.400000
 SAS token, it's going to check the
 values, it's going to re-sign them

0:07:51.400000 --> 0:07:56.320000
 using the key and determine if
 the signature is the same.

0:07:56.320000 --> 0:07:58.620000
 Then it's a valid SAS token.

0:07:58.620000 --> 0:08:02.520000
 So the only way to invalidate that
 SAS token if it's based on a key is

0:08:02.520000 --> 0:08:04.760000
 to recycle the key.

0:08:04.760000 --> 0:08:09.980000
 If I create a SAS token and I base
 it on a policy, then the SAS token

0:08:09.980000 --> 0:08:13.000000
 references the policy,
 not the key.

0:08:13.000000 --> 0:08:17.780000
 Therefore, if I want to invalidate that
 SAS token, if I delete the policy,

0:08:17.780000 --> 0:08:21.260000
 policies no longer there, the
 SAS token is no longer valid.

0:08:21.260000 --> 0:08:25.060000
 Also using a policy means that if I
 make changes to the policy because

0:08:25.060000 --> 0:08:28.740000
 the token actually just references the
 policy and gets all of its settings

0:08:28.740000 --> 0:08:34.380000
 from that, if I change the settings of
 a policy, it will effectively change

0:08:34.380000 --> 0:08:35.780000
 the settings of a token.

0:08:35.780000 --> 0:08:41.340000
 So if I have a policy that expires tomorrow,
 I generate a SAS token based

0:08:41.340000 --> 0:08:43.440000
 on that, I decide I want
 to extend it a week.

0:08:43.440000 --> 0:08:47.120000
 All I have to do is extend the policy
 and the token will automatically

0:08:47.120000 --> 0:08:54.880000
 pick that up. So there's a lot of
 advantages to using a SAS token.

0:08:54.880000 --> 0:09:01.100000
 Let's now take a look at a demonstration,
 a couple demonstrations actually.

0:09:01.100000 --> 0:09:03.760000
 I can find these here.

0:09:03.760000 --> 0:09:07.860000
 We're going to start out with
 a code based demonstration.

0:09:07.860000 --> 0:09:12.620000
 In this code based demonstration,
 I'm going to upload some files.

0:09:12.620000 --> 0:09:15.980000
 The reason I'm doing this with code
 is because I can do all of it very

0:09:15.980000 --> 0:09:18.760000
 easily and it allows
 me to be lazy.

0:09:18.760000 --> 0:09:20.400000
 That's really what
 it comes down to.

0:09:20.400000 --> 0:09:26.780000
 I've got an account that I connect up
 to, same connection I've used before,

0:09:26.780000 --> 0:09:30.300000
 and I'm going to just go all the way
 down to establishing connection to

0:09:30.300000 --> 0:09:31.120000
 a specific container.

0:09:31.120000 --> 0:09:36.860000
 So I have a container, SAS demo, I
 access that container, I create it

0:09:36.860000 --> 0:09:43.480000
 if it doesn't already exist, and I
 make sure that that container does

0:09:43.480000 --> 0:09:47.220000
 not allow public access, which should
 be the default, but this is just

0:09:47.220000 --> 0:09:53.200000
 making sure. So at the end of line
 25, I know I have a storage account

0:09:53.200000 --> 0:09:58.740000
 blob container, and I know that it
 doesn't allow public anonymous read

0:09:58.740000 --> 0:10:03.480000
 access. Then what I do is I cycle through
 the files that are in a directory.

0:10:03.480000 --> 0:10:08.480000
 I just have some PNG files in a directory,
 and long story short, I upload

0:10:08.480000 --> 0:10:13.780000
 them. So there I get a block blob reference,
 and then I upload them from

0:10:13.780000 --> 0:10:19.440000
 the file. Then what I do is I generate
 a shared access signature.

0:10:19.440000 --> 0:10:25.000000
 I call blob, I use the blob, I get
 the shared access signature, and I

0:10:25.000000 --> 0:10:28.980000
 specify I want read permission,
 and I want it to expire.

0:10:28.980000 --> 0:10:31.720000
 One month from today.

0:10:31.720000 --> 0:10:37.220000
 And then I write out the SAS information
 so that I can actually use it.

0:10:37.220000 --> 0:10:39.820000
 So let's see what this does.

0:10:39.820000 --> 0:10:45.480000
 So I'm going to go ahead and run this,
 and then we'll pull it over once

0:10:45.480000 --> 0:10:58.960000
 it comes up. There we go.

0:10:58.960000 --> 0:11:02.640000
 So I'm going to go ahead and do the URL
 of the file plus the actual token.

0:11:02.640000 --> 0:11:05.820000
 And what I'm going to do is I'm going
 to go ahead and just grab that.

0:11:05.820000 --> 0:11:16.220000
 And let's go over to my browser and
 let's go ahead and paste and go.

0:11:16.220000 --> 0:11:21.240000
 And what that does, you see I've run
 this a few times, is it downloads

0:11:21.240000 --> 0:11:27.280000
 that file. However, if I go back and
 try it again, but I try it without

0:11:27.280000 --> 0:11:37.320000
 the token. So let's
 take all that away.

0:11:37.320000 --> 0:11:39.980000
 It's going to tell me that
 that file doesn't exist.

0:11:39.980000 --> 0:11:44.800000
 Well, I know it exists, but I can't
 access that file anonymously, which

0:11:44.800000 --> 0:11:48.380000
 is what the browser is doing,
 unless I have the token.

0:11:48.380000 --> 0:11:53.060000
 Now what I'm going to do is I'm
 going to cheat a little bit.

0:11:53.060000 --> 0:11:54.160000
 Let's see. I'm not going to cheat.


0:11:54.160000 --> 0:11:55.440000
 Now we won't cheat.

0:11:55.440000 --> 0:12:04.940000
 OK. I am going to work with
 policy and also SAS.

0:12:04.940000 --> 0:12:06.880000
 So SAS policy and a SAS.

0:12:06.880000 --> 0:12:12.880000
 And I'm going to do this
 from PowerShell.

0:12:12.880000 --> 0:12:16.940000
 If I can manage to do this correctly,
 sorry about that.

0:12:16.940000 --> 0:12:19.840000
 Let's bring PowerShell back up.

0:12:19.840000 --> 0:12:22.420000
 There we go. The magic
 of PowerShell.

0:12:22.420000 --> 0:12:27.660000
 OK. So what I'm going to do is, first
 of all, I'm going to make sure I

0:12:27.660000 --> 0:12:31.000000
 have the right container name,
 which I don't at the moment.

0:12:31.000000 --> 0:12:34.340000
 That's container name, SAS demo.

0:12:34.340000 --> 0:12:44.080000
 I'm going to use this container
 that already exists.

0:12:44.080000 --> 0:12:45.320000
 If I can manage.

0:12:45.320000 --> 0:12:47.380000
 I got it. Good. OK.

0:12:47.380000 --> 0:12:50.420000
 Now I'm just going to set up some variables,
 a resource group name, the

0:12:50.420000 --> 0:12:53.180000
 storage account name, container
 name, policy name.

0:12:53.180000 --> 0:12:54.900000
 I'm going to grab those.

0:12:54.900000 --> 0:12:57.080000
 Then I'm going to establish
 my context.

0:12:57.080000 --> 0:12:57.840000
 So I've got the key.

0:12:57.840000 --> 0:12:59.500000
 I've got the context.

0:12:59.500000 --> 0:13:04.700000
 And that should connect me
 up to my storage account.

0:13:04.700000 --> 0:13:10.080000
 All right. We're good there.

0:13:10.080000 --> 0:13:14.580000
 Now what I'm going to do is I'm going
 to use that context to create a

0:13:14.580000 --> 0:13:17.700000
 new stored access policy.

0:13:17.700000 --> 0:13:20.460000
 And I'm going to spare
 you watching me type.

0:13:20.460000 --> 0:13:22.740000
 It's going to look like
 I type amazingly fast.

0:13:22.740000 --> 0:13:27.680000
 There we go. So I have a new AZ storage
 container, stored access policy.

0:13:27.680000 --> 0:13:29.760000
 I specify the container name.

0:13:29.760000 --> 0:13:33.740000
 I specify the policy name,
 which is just demo policy.

0:13:33.740000 --> 0:13:36.960000
 I give it the permission
 of R for read.

0:13:36.960000 --> 0:13:38.700000
 I give it an expiration.

0:13:38.700000 --> 0:13:40.060000
 And I need the context.

0:13:40.060000 --> 0:13:43.100000
 Now I could set additional
 options.

0:13:43.100000 --> 0:13:45.580000
 If I go there, I could
 set the start time.

0:13:45.580000 --> 0:13:54.180000
 I could set a few other options there,
 such as time out and other concurrent

0:13:54.180000 --> 0:13:56.080000
 tasks. Those are kind of standard.


0:13:56.080000 --> 0:13:59.240000
 But that gives me the policy.

0:13:59.240000 --> 0:14:03.920000
 So we're going to go ahead
 and create a policy.

0:14:03.920000 --> 0:14:06.420000
 All right. So now I have a policy.


0:14:06.420000 --> 0:14:11.360000
 The next thing that I want to do is
 I want to use that policy to create

0:14:11.360000 --> 0:14:16.680000
 a token. And I'm going to create a token
 that is going to work on a specific

0:14:16.680000 --> 0:14:22.000000
 file. I'm going to create
 a blob token.

0:14:22.000000 --> 0:14:28.940000
 And again, not going to make
 you watch me go through this.

0:14:28.940000 --> 0:14:33.260000
 But I've got a new AZ storage
 blob SAS token.

0:14:33.260000 --> 0:14:34.700000
 I specify the container.

0:14:34.700000 --> 0:14:37.620000
 I specify the blob that I
 wanted associated with.

0:14:37.620000 --> 0:14:44.280000
 And that's one of the blobs that
 I uploaded over here somewhere.

0:14:44.280000 --> 0:14:48.320000
 I need certified.

0:14:48.320000 --> 0:14:53.200000
 And then the policy
 and the context.

0:14:53.200000 --> 0:14:56.140000
 So the policy is the policy
 I just created.

0:14:56.140000 --> 0:15:02.960000
 And if I run this,
 there is my token.

0:15:02.960000 --> 0:15:07.980000
 If I've done this right, I'll
 use the right example.

0:15:07.980000 --> 0:15:13.740000
 Copy that. Go back here.

0:15:13.740000 --> 0:15:17.660000
 All right. So here was
 my I-NE certified.

0:15:17.660000 --> 0:15:19.860000
 I could not access.

0:15:19.860000 --> 0:15:26.860000
 But now if I put that token that I just
 generated, now it downloaded it.

0:15:26.860000 --> 0:15:29.240000
 And you can just see
 it popped up here.

0:15:29.240000 --> 0:15:32.220000
 I probably should have put this on
 another page so you can see that it

0:15:32.220000 --> 0:15:33.420000
 does download it.

0:15:33.420000 --> 0:15:39.880000
 We can always use another I
-NE certified person or logo.

0:15:39.880000 --> 0:15:43.120000
 Oh, and here we go.

0:15:43.120000 --> 0:15:45.320000
 It's going to be useful
 if I actually attach.

0:15:45.320000 --> 0:15:48.000000
 That sort of killed
 the whole concept.

0:15:48.000000 --> 0:15:58.140000
 Copy. Paste. And let's
 try that again.

0:15:58.140000 --> 0:16:01.380000
 There you go. Well, at least now you
 can see that it downloaded copy seven

0:16:01.380000 --> 0:16:04.500000
 of the particular file.

0:16:04.500000 --> 0:16:10.000000
 And that's really the way you use SAS,
 either directly or via policy.

0:16:10.000000 --> 0:16:13.100000
 Now, it so happened that I use the
 SAS directly programmatically.

0:16:13.100000 --> 0:16:17.700000
 And I used a policy through
 the scripting environment.

0:16:17.700000 --> 0:16:22.000000
 But honestly, that's just a matter of
 wanting to show you different options.

0:16:22.000000 --> 0:16:24.060000
 There's not limited one
 way or the other.

0:16:24.060000 --> 0:16:26.340000
 You have a lot of functionality
 with SAS tokens.

0:16:26.340000 --> 0:16:29.520000
 And it's definitely something that you
 want to keep in mind when you're

0:16:29.520000 --> 0:16:34.920000
 architecting any solutions that involve
 access to your storage accounts.