
Restrict Shared Access Signatures with Azure Stored Access Policy

Avanish
6 min read · Jan 29, 2021


Security is not a product but a process ~Bruce Schneier

What is a stored access policy?

Let’s start with why we need a stored access policy in the first place. We can give access to a storage account by sharing its account keys directly, but an account key grants full access to every service (blob, file, queue, table) in that storage account.

We can get more granular access at the service level, with specific permissions and a lifetime, by issuing shared access signatures (SAS). A service SAS or account SAS is signed with one of the storage account keys (a user delegation SAS is the exception: it is signed with a key obtained from Azure AD). If such a SAS token is compromised, the only way to stop further access is to regenerate the account key it was signed with, and that is an expensive operation: the same key may already be in use by other applications and services, all of which break until they are updated.

To avoid that pain, Azure provides stored access policies and lets a service SAS be created against a policy instead of carrying its own terms. A stored access policy is defined on the container, file share, queue, or table (up to five per resource), can specify a start time, an expiry time, and/or a set of permissions (read, list, write, delete, etc.), and is referenced from the SAS by its signed identifier. Because the permissions and expiry live on the server rather than in the token, if a SAS token is compromised at any time in the future we can remove permissions from the policy, move its expiry into the past, or delete the policy altogether, and every SAS that references it stops working immediately. No account key has to be regenerated. Two caveats a practitioner should know: stored access policies apply only to service SAS, not to account SAS or user delegation SAS; and if you delete a policy and later recreate one with the same name, tokens minted against the old policy become valid again, so revoke by renaming or expiring the policy rather than by reusing its name.
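The following is an added example, not code from the original post or from Azure's SDK. It is a toy model of how a service SAS is minted and then checked by the storage service, written to show why revoking a stored access policy kills the token while an ad hoc SAS survives everything short of key rotation. The string-to-sign layout is assumed to follow the documented Blob service SAS format for version 2018-11-09 (when a policy is used, the permission/start/expiry fields are left empty and the policy name travels in `si`); the `StorageService` class is a stand-in for the server-side check, and the account name, key and policy names are constructed for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "examplestorage"                            # constructed account name
ACCOUNT_KEY = base64.b64encode(b"0" * 64).decode()   # constructed, not a real key
SAS_VERSION = "2018-11-09"                            # assumed string-to-sign version


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _string_to_sign(container, sp, st, se, si):
    # Container-level service SAS (sr=c); IP, snapshot and response-header
    # override fields are left empty. With a policy, sp/st/se are empty too.
    fields = [sp, st, se, f"/blob/{ACCOUNT}/{container}", si,
              "", "https", SAS_VERSION, "c", "", "", "", "", "", ""]
    return "\n".join(fields)


def make_adhoc_sas(container, permissions, expiry):
    """Ad hoc SAS: permissions and expiry are signed into the token itself."""
    se = _iso(expiry)
    sig = _sign(ACCOUNT_KEY, _string_to_sign(container, permissions, "", se, ""))
    return urlencode({"sv": SAS_VERSION, "sr": "c", "sp": permissions,
                      "se": se, "spr": "https", "sig": sig})


def make_policy_sas(container, policy_id):
    """Policy-backed SAS: the token carries only the policy name (si=...)."""
    sig = _sign(ACCOUNT_KEY, _string_to_sign(container, "", "", "", policy_id))
    return urlencode({"sv": SAS_VERSION, "sr": "c", "si": policy_id,
                      "spr": "https", "sig": sig})


class StorageService:
    """Stand-in for the service: holds the account key and the stored access
    policies of each container (Azure allows at most five per container)."""

    def __init__(self, key_b64):
        self.key = key_b64
        self.policies = {}  # (container, policy_id) -> {"permission", "expiry"}

    def set_policy(self, container, policy_id, permission, expiry):
        existing = {pid for (c, pid) in self.policies if c == container}
        if policy_id not in existing and len(existing) >= 5:
            raise ValueError("at most five stored access policies per container")
        self.policies[(container, policy_id)] = {"permission": permission, "expiry": expiry}

    def delete_policy(self, container, policy_id):
        self.policies.pop((container, policy_id), None)

    def authorize(self, container, sas, want, now):
        """True if `sas` grants permission `want` on `container` at time `now`."""
        q = {k: v[0] for k, v in parse_qs(sas).items()}
        sp, se, si = q.get("sp", ""), q.get("se", ""), q.get("si", "")
        expected = _sign(self.key, _string_to_sign(container, sp, "", se, si))
        if not hmac.compare_digest(expected, q.get("sig", "")):
            return False                      # wrong key or tampered token
        if si:                                # policy-backed: terms come from the server
            pol = self.policies.get((container, si))
            if pol is None:
                return False                  # policy deleted => token is dead
            sp, expiry = pol["permission"], pol["expiry"]
        else:                                 # ad hoc: trust what was signed in
            expiry = datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return now < expiry and want in sp


def demo():
    """Mint both token kinds, then walk through the revocation options."""
    now = datetime(2021, 1, 29, tzinfo=timezone.utc)
    svc = StorageService(ACCOUNT_KEY)
    svc.set_policy("invoices", "readonly-2021", "rl", now + timedelta(days=365))
    pol_sas = make_policy_sas("invoices", "readonly-2021")
    adhoc_sas = make_adhoc_sas("invoices", "rl", now + timedelta(days=365))
    r = {"policy_read_before": svc.authorize("invoices", pol_sas, "r", now),
         "policy_write_before": svc.authorize("invoices", pol_sas, "w", now)}
    # Token leaked: move the policy expiry into the past.
    svc.set_policy("invoices", "readonly-2021", "rl", now - timedelta(minutes=1))
    r["policy_read_after_expiry_change"] = svc.authorize("invoices", pol_sas, "r", now)
    # Or delete the policy outright.
    svc.delete_policy("invoices", "readonly-2021")
    r["policy_read_after_delete"] = svc.authorize("invoices", pol_sas, "r", now)
    # Caveat: recreating a policy under the same name revives the old token.
    svc.set_policy("invoices", "readonly-2021", "rl", now + timedelta(days=365))
    r["policy_read_after_recreate"] = svc.authorize("invoices", pol_sas, "r", now)
    # The ad hoc token is unaffected by all of the above...
    r["adhoc_read_after"] = svc.authorize("invoices", adhoc_sas, "r", now)
    # ...and only dies when the account key is rotated.
    svc.key = base64.b64encode(b"1" * 64).decode()
    r["adhoc_read_after_key_rotation"] = svc.authorize("invoices", adhoc_sas, "r", now)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:34s} {ok}")
```

The model deliberately omits start-time handling, IP and protocol restrictions, and the newer string-to-sign versions; the point it carries is that a policy-backed token contains no terms of its own, so the server's lookup of `si` is the revocation point, whereas an ad hoc token is self-contained and valid until its signed expiry or the key it was signed with disappears.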

TL;DR

Stored access policies provide an additional layer of control over service SAS tokens: permissions and expiry live on the server, so a leaked token can be revoked by editing or deleting the policy instead of regenerating the storage account keys.
