Task: Access Storage Content

Video: Shared Access Signatures

Estimated time: 30 minutes

Goal

In this task you will implement a shared access signature for a blob file. First you will provision a storage account and a private blob container. Then you will upload a file to the container. Next you will define an access policy for the container. Finally you will generate a shared access signature for the file and verify file access.

Pre-requisites

Azure subscription
A file (any file, but nothing sensitive)

Requirements

Provision a storage account and a blob container
Upload a file to the container
Define an access policy for the container
Use a SAS for blob access

Requirement 1: Provision a storage account and a blob container

You will begin by provisioning a storage account and a blob container. Use the following settings:

Storage account:

Setting	Value
Resource group	task-storage-access
Name	<unique name>
Performance	Standard
Account kind	StorageV2
Replication	LRS
Access tier	Hot
Security	Enabled
Data protection	Disabled

Container:

Setting	Value
Name	secure
Public access level	Private

Requirement 2: Upload a file to the container

Upload a file to the secure container. There really isn't much else to say on this one.

Requirement 3: Define an access policy for the container

Define a storage access policy for the secure container. Use the following settings:

Setting	Value
Name	task-policy
Permissions	Read, List
Expiration	<one week from now>

Requirement 4: Use a SAS for blob access

Create a SAS for the blob file that you uploaded in requirement 2 based on the task-policy policy. Use the SAS with the url of the file to download it from a browser tab. Follow these steps to complete this requirement:

Open a bash cloud shell session
Use the Azure CLI to retrieve the keys of your storage account.
Use the Azure CLI to generate a blob SAS for the file using the task-policy policy. Copy the SAS for later use.
Open a new browser tab and attempt to open the blob file directly using its URI. The URI can be viewed in the portal or retrieved using the Azure CLI. This should fail.
Append the SAS to the blob file URI preceded by a "?". This will add the SAS as a querystring to the blob URI. Attempt to retrieve the blob file with this combination of URI and SAS. This should work.

Clean up

Delete the task-storage-access resource group.

Solution

Having trouble completing this task? View the demonstration video to see how to do it.