Azure SAS tokens are a powerful tool for securely accessing Azure storage resources, but they require careful management to avoid security risks.
To minimize the risk of unauthorized access, it's essential to limit the scope of the SAS token to the specific resource it's intended for.
A well-structured SAS token should include a valid start and end date to prevent it from being used indefinitely.
This limits the damage from accidental exposure, because an expired token no longer grants access to anyone who obtains it later.
Generating SAS Tokens
To generate a SAS token, you'll need to log into the Azure portal and navigate to your storage account's Security + networking section. From there, choose Shared access signature.
You'll need to select the Allowed services, Allowed resource types, and Allowed permissions, which include Write, Add, Create, and PermanentDelete if you plan to unload files. Be sure to specify start and expiry dates for the SAS token, as part of a general security plan.
When generating the SAS token, leave the Allowed IP addresses field blank and choose either HTTPS only or HTTPS and HTTP under Allowed protocols. Record the full value in the SAS token field, starting with and including the ?, as this is your SAS token that you'll use when creating an external stage.
Option 2: Generating a SAS Token
To generate a SAS token, you'll need to log into the Azure portal. From the home dashboard, choose Storage Accounts and navigate to the Shared access signature section under Security + networking.
You'll then need to select the Allowed services, which should include the services you want to grant access to. Make sure to also select the Allowed resource types needed for the data files you want to load from Azure.
Here's a quick rundown of the permissions you'll need:
- Write, Add, and Create are required to load data files.
- PermanentDelete is also required if you plan to unload files to a container, and for the PURGE=TRUE option.
Specify the start and expiry dates/times for the SAS token, and leave the Allowed IP addresses field blank. You can choose either HTTPS only or HTTPS and HTTP under Allowed protocols.
Click the Generate SAS and connection string button, and record the full value in the SAS token field, starting with and including the ?. This is your SAS token, which you'll specify when you create an external stage.
How SAS Tokens Work
Generating SAS tokens is a straightforward process, but understanding how they work is essential for effective use.
A SAS token is appended to a URI that points to a storage resource, and it includes a special set of query parameters.
One of these parameters is the signature, which is computed over the other SAS parameters using the key that created the SAS.
This signature is used by Azure Storage to authorize access to the storage resource, making sure that only authorized users can access the data.
The key used to create the SAS is essential for generating the signature, so it's crucial to keep it secure and safe from unauthorized access.
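To make the signature mechanism concrete, here is an added example (written for this page, not taken from the original article or from Azure's SDKs) that mints and verifies a service SAS for a single blob using only the Python standard library. It lays out the string-to-sign in the order documented for service SAS version 2020-12-06, signs it with HMAC-SHA256 under the decoded account key, and shows that the signature breaks as soon as any covered parameter, such as the expiry, is altered. The account name and key are constructed placeholders; confirm the field layout against the azure-storage-blob SDK before relying on it for real tokens.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholders: not a real storage account or key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
SAS_VERSION = "2020-12-06"


def string_to_sign(account, container, blob, p):
    """Build the string-to-sign for a service SAS on one blob.

    Field order follows the layout documented for service SAS version
    2020-12-06: permissions, start, expiry, canonicalized resource, stored
    access policy id, IP range, protocol, version, resource type, snapshot
    time, encryption scope, then the five response-header overrides.
    Fields this example does not use are left empty.
    """
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
        p.get("si", ""), p.get("sip", ""), p.get("spr", ""),
        p.get("sv", ""), p.get("sr", ""),
        "",                 # snapshot time (sr=b, not a snapshot)
        p.get("ses", ""),   # encryption scope
        p.get("rscc", ""), p.get("rscd", ""), p.get("rsce", ""),
        p.get("rscl", ""), p.get("rsct", ""),
    ]
    return "\n".join(fields)


def sign(account_key, text):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(account_key)
    mac = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_blob_sas(account, account_key, container, blob, permissions,
                  start, expiry, protocol="https"):
    """Mint a permission-limited, time-boxed service SAS and return it as '?...'."""
    p = {"sv": SAS_VERSION, "sr": "b", "sp": permissions,
         "st": start, "se": expiry, "spr": protocol}
    p["sig"] = sign(account_key, string_to_sign(account, container, blob, p))
    return "?" + urlencode(p)


def verify_blob_sas(account, account_key, container, blob, sas):
    """What the service does on each request: recompute and compare in constant time."""
    p = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    expected = sign(account_key, string_to_sign(account, container, blob, p))
    return hmac.compare_digest(expected, p.get("sig", ""))


def with_new_expiry(sas, new_expiry):
    """Rewrite only the se parameter, leaving the old signature in place."""
    p = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    p["se"] = new_expiry
    return "?" + urlencode(p)


if __name__ == "__main__":
    sas = make_blob_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.csv", "r",
                        "2025-01-01T00:00:00Z", "2025-01-02T00:00:00Z")
    print(sas)
    print("valid:", verify_blob_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.csv", sas))
    extended = with_new_expiry(sas, "2030-01-01T00:00:00Z")
    print("after extending expiry:",
          verify_blob_sas(ACCOUNT, ACCOUNT_KEY, "uploads", "report.csv", extended))
```

The verify step is the whole story of the key's importance: the token itself is not secret (it travels in every request URL), but anyone holding the account key can mint a fresh one for any resource, which is why the key, not the token, is the asset to protect.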
User Delegation
User Delegation is a powerful feature in Azure SAS tokens that allows applications to issue their own SAS tokens, offering more granular and secure access controls.
This is in contrast to the standard SAS tokens, which are issued by the storage account's access keys. User Delegation SAS tokens enable applications to define permissions tailored to each user or scenario without relying on the storage account's access keys.
To create a User Delegation SAS token, an application must first obtain a user delegation key. This key is obtained using the application's managed identity and Entra ID.
The application can then use this key to create a new User Delegation SAS token. The token will have a specific format, which includes details such as the start time, expiration time, and permissions.
The application must hold one of the following roles to obtain a user delegation key:
- Contributor
- Storage Account Contributor
- Storage Blob Data Contributor
- Storage Blob Data Owner
- Storage Blob Data Reader
- Storage Blob Delegator
These roles should be scoped to the storage account, resource group, or subscription level. Additionally, the application must possess RBAC permissions to interact with specific resources within the storage account.
User Delegation SAS tokens offer several benefits, including key management, limited lifetime, enhanced auditing, principle of least privilege, access limitation, and security against key leakage.
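The guidance on this page (narrow scope, explicit start and expiry, HTTPS only, user delegation instead of account keys where possible) can be checked mechanically. The following is an added example, not part of the original article, of a reviewer's SAS token audit: it parses a bare token or a full blob URL, classifies it as a service, account or user delegation SAS from the parameters only that type carries, and lists the settings that deserve a second look. The sample tokens and the seven-day lifetime threshold are constructed for the demo, and the signatures are placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Policy threshold chosen for this demo; adjust to your own standard.
MAX_LIFETIME = timedelta(days=7)
# Permissions that let the holder change or remove data (w=write, d=delete,
# c=create, a=add, y=permanent delete); read/list-only tokens carry none.
WRITE_CLASS = set("wdcay")

# Constructed sample tokens; the sig values are placeholders, not real signatures.
SAMPLE_SERVICE_SAS = (
    "https://examplestorage.blob.core.windows.net/uploads/report.csv"
    "?sv=2020-12-06&sr=b&sp=r&st=2025-01-01T00:00:00Z&se=2025-01-02T00:00:00Z"
    "&spr=https&sig=PLACEHOLDER"
)
SAMPLE_ACCOUNT_SAS = (
    "?sv=2020-12-06&ss=b&srt=sco&sp=rwdlac&se=2025-01-01&spr=https,http&sig=PLACEHOLDER"
)
SAMPLE_DELEGATION_SAS = (
    "?sv=2020-12-06&sr=c&sp=rl&se=2025-01-01T12:00:00Z"
    "&skoid=00000000-0000-0000-0000-000000000000"
    "&sktid=00000000-0000-0000-0000-000000000000"
    "&skt=2025-01-01T00:00:00Z&ske=2025-01-08T00:00:00Z&sks=b&skv=2020-12-06"
    "&sig=PLACEHOLDER"
)


def sas_params(url_or_token):
    """Return the SAS query parameters from a full resource URL or a bare token."""
    if "://" in url_or_token:
        query = urlparse(url_or_token).query
    else:
        query = url_or_token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query).items()}


def sas_kind(p):
    """Distinguish the three SAS types by the parameters only they carry."""
    if "skoid" in p or "skt" in p:      # user delegation key fields
        return "user-delegation"
    if "ss" in p or "srt" in p:          # signed services / resource types
        return "account"
    return "service"


def parse_sas_time(value):
    """SAS timestamps are UTC and may omit seconds or the time of day."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url_or_token, now=None):
    """Summarise a SAS token and list the settings a reviewer would question."""
    now = now or datetime.now(timezone.utc)
    p = sas_params(url_or_token)
    kind = sas_kind(p)
    findings = []
    if "sig" not in p:
        findings.append("no signature: this is not a SAS token")
    if kind == "account":
        findings.append("account SAS: scope is the whole account, not one resource")
    if "se" in p:
        expiry = parse_sas_time(p["se"])
        if expiry <= now:
            findings.append("expired")
        start = parse_sas_time(p["st"]) if "st" in p else now
        if expiry - start > MAX_LIFETIME:
            findings.append(f"lifetime exceeds {MAX_LIFETIME.days} days")
    elif "si" in p:
        findings.append("expiry comes from stored access policy " + p["si"])
    else:
        findings.append("no expiry (se) and no stored access policy")
    perms = set(p.get("sp", ""))
    if perms & WRITE_CLASS:
        findings.append("write-class permissions: " + "".join(sorted(perms & WRITE_CLASS)))
    if "http" in p.get("spr", "").split(","):
        findings.append("plain HTTP allowed")
    return {
        "kind": kind,
        "permissions": "".join(sorted(perms)),
        "ip_restricted": "sip" in p,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SERVICE_SAS, SAMPLE_ACCOUNT_SAS, SAMPLE_DELEGATION_SAS):
        print(audit_sas(sample))
```

Run over tokens found in configuration, pipeline secrets or request logs, this turns the page's advice into a repeatable check; the user-delegation case is recognised by the skoid/skt fields, which is also how you tell in a log that a token was issued under an Entra identity rather than an account key.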
Configuring Access
You can configure access to Azure Storage using various methods, including Azure Role-Based Access Control (RBAC) and Shared Access Signatures (SAS). Each method has its use case, security level, and limitations.
To grant access to users outside of Azure, you can use SAS tokens, which allow you to specify which resources can be accessed, what actions can be taken, and how long the permissions should be valid.
To create a SAS token, you need to select the resource, specify the desired access level and expiration date, and then Azure will generate a token that can be appended to the resource URL. This token is signed using one of the two access keys associated with the storage account.
Here are the steps to create a SAS token:
- Select the resource
- Specify the desired access level and expiration date
- Azure generates a SAS token that can be appended to the resource URL
When to Use
You'll want to use a SAS token when you need to provide secure access to resources in your storage account to a client who doesn't have permissions to those resources.
SAS tokens are perfect for scenarios where users read and write their own data to your storage account, such as when a client application needs to upload and download data directly without going through a front-end proxy service.
A lightweight service can authenticate the client as needed and generate a SAS, which defines the access permissions and interval for which they are allowed, reducing the need for routing all data through the front-end proxy service.
You can also use a SAS to authorize access to the source object in a copy operation, such as when copying a blob to another blob in a different storage account.
Here are some common use cases for SAS tokens:
- Clients upload and download data directly to your storage account.
- Copy operations require access to the source object.
- Front-end proxy services are not feasible or scalable.
By using a SAS token, you can ensure secure access to your storage account resources while maintaining control over who has access and for how long.
Accessing Accounts
To access Azure Storage accounts, you have various methods to choose from, each with its own use case, security level, and limitations, ranging from anonymous access through Azure Role-Based Access Control (RBAC) to more advanced approaches like user-delegated SAS tokens. In Databricks notebooks, you can use spark.conf.set to set the Spark properties that configure Azure credentials for access to Azure storage.
To connect to Azure Data Lake Storage Gen2 or Blob Storage, you can use OAuth 2.0 with a Microsoft Entra ID service principal, Shared access signatures (SAS), or Account keys. Databricks recommends using secret scopes for storing all credentials.
You can use storage SAS tokens to access Azure storage, restricting access to a storage account using temporary tokens with fine-grained access control. To view an account's access keys, you must have the Owner, Contributor, or Storage Account Key Operator Service role on the storage account.
To create a secret scope, see Secret scopes. A secret scope allows you to grant users, service principals, and groups in your workspace access to read the secret scope, protecting the Azure credentials while allowing users to access Azure storage.
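As an added example (not from the original article or the Databricks documentation) of the spark.conf.set approach with a SAS token, the function below builds the three ABFS driver properties that point one storage account at a fixed SAS token, fetching the token through a secret-scope getter so that it never appears in notebook source. The property names are the ones Databricks documents for SAS access; the account name, scope and key names are placeholders, and the two sanity checks on the secret value are this example's own.

```python
def is_sas_like(value):
    """Cheap sanity check that a secret holds a signed, expiring SAS token
    rather than an account key or an empty string."""
    return bool(value) and "sig=" in value and "se=" in value


def abfss_sas_spark_conf(storage_account, get_secret, scope, key):
    """Return the Spark properties for fixed-SAS access to one ADLS Gen2 account.

    get_secret(scope, key) is expected to wrap dbutils.secrets.get so the
    token value stays inside the secret scope and out of notebook text.
    """
    token = get_secret(scope, key)
    if not is_sas_like(token):
        raise ValueError(f"secret {scope}/{key} does not look like an expiring SAS token")
    host = f"{storage_account}.dfs.core.windows.net"
    return {
        f"fs.azure.account.auth.type.{host}": "SAS",
        f"fs.azure.sas.token.provider.type.{host}":
            "org.apache.hadoop.fs.azurebfs.sas.FixedSASTokenProvider",
        f"fs.azure.sas.fixed.token.{host}": token,
    }


def configure_spark_for_sas(spark, storage_account, get_secret, scope, key):
    """Apply the properties to a live SparkSession and return the keys that were set."""
    conf = abfss_sas_spark_conf(storage_account, get_secret, scope, key)
    for name, value in conf.items():
        spark.conf.set(name, value)
    return sorted(conf)


# On Databricks, where `spark` and `dbutils` are predefined, usage looks like:
# configure_spark_for_sas(spark, "examplestorage",
#     lambda scope, key: dbutils.secrets.get(scope=scope, key=key),
#     "my-scope", "my-sas-token")
```

Keeping the property values behind a getter also makes the configuration testable outside Databricks: the test below passes a constructed token through a plain function in place of dbutils.secrets.get.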
Here are the different access control methods, each with its own use case, security level, and limitations:
- Anonymous access
- Azure Role-Based Access Control (RBAC)
- User-delegated SAS tokens
- Shared access signatures (SAS)
- Account keys
Authentication and Authorization
This section covers how a client authenticates to a storage account and how a SAS token authorizes what that client may do. The authentication examples come from the Terraform azurerm backend, which stores Terraform state in a storage account blob and supports three methods of authenticating to it: Access Key, Azure Active Directory, and SAS Token.
Authentication
Authentication is a crucial aspect of connecting to a storage account in Azure. The azurerm backend supports three methods of authenticating to the storage account that holds the state file: Access Key, Azure Active Directory, and SAS Token.
The Access Key method can be used directly by specifying the access key, or in combination with an Azure AD principal. To use an Access Key directly, you must generate one for your state file blob and specify it in the backend configuration. If neither an access key nor a client ID is specified, Terraform will attempt to use the Azure CLI.
Azure Active Directory authentication can only be used in combination with an Azure AD principal. To use it, set the use_azuread_auth variable to true in your backend configuration; the backend will then use the Access Token of the Azure AD principal to authenticate to the state file blob.
SAS Token authentication can only be used directly: you must generate a SAS Token for your state file blob and pass it to the backend configuration.
Whichever scenario you use, sensitive values such as the access key or SAS token should not be hardcoded into your configuration. Instead, specify them using environment variables or partial configuration flags on the terraform init command.
Authorization
Authorization is a crucial aspect of securing your Azure resources. It refers to the process of controlling access to your resources, ensuring that only authorized users or applications can access them.
A SAS token, also known as a Shared Access Signature token, is a type of authorization mechanism used in Azure services. It grants limited and time-limited access to specified resources or operations.
To generate a SAS token, you define the permissions and restrictions for the token, specifying what operations can be performed and the duration of the token's validity. This allows you to grant temporary access to clients or applications without sharing your account's primary access keys or credentials.
SAS tokens are generated using your account's access key and the specified permissions and restrictions. The token includes a signature, start and expiry time, and any additional parameters you define.
By providing a client or application with a SAS token, you enable them to access the designated resources or perform specific operations within the authorized time frame. Once the token expires, the access is no longer valid, and the client or application would need a new token to access the resources again.
SAS tokens offer a secure and controlled way to delegate limited access to Azure resources, ensuring fine-grained access control and minimizing the exposure of sensitive account credentials.
Frequently Asked Questions
What is the difference between access key and SAS in Azure?
An access key is a permanent credential that grants full access to your Azure Storage account, while a Shared Access Signature (SAS) is a temporary, restricted key that grants limited access to specific resources. Using a SAS is a more secure option when delegating access to untrusted clients.
What is SAS in Azure?
A shared access signature (SAS) in Azure is a secure way to grant limited access to storage resources without sharing your storage account key. It allows you to control who can access your data and what actions they can perform.
What is the difference between Azure service SAS and account SAS?
Account SAS grants access to an entire storage account, while Service SAS provides access to specific resources within the account, offering more targeted permissions.
What is the difference between SAS and managed identity in Azure?
SAS tokens and managed identities are both used for secure access to Azure storage resources, but managed identities provide a more secure and convenient alternative by eliminating the need for SAS tokens in HTTP requests. This makes managed identities a preferred choice for granting access to storage data.
How to find SAS token in Azure?
To find a SAS token in Azure, navigate to the Containers section in the Azure portal, right-click on the desired container, and select Generate SAS. A new section will display the blob SAS token and URL at the bottom of the dialog.
Sources
- https://nestenius.se/azure/user-delegation-sas-tokens-in-azure-explained/
- https://docs.databricks.com/en/connect/storage/azure-storage.html
- https://docs.snowflake.com/en/user-guide/data-load-azure-config
- https://developer.hashicorp.com/terraform/language/backend/azurerm
- https://www.smikar.com/azure-sas-tokens/