Wikis work best in environments where you’re comfortable delegating control to the users of the system. ~ Howard G. Cunningham
SAS tokens provide limited access to resources in a storage account. We can specify which resources clients can access, the permissions they have, and the duration of the access. A SAS can also restrict access to specific IP addresses.
Types of SAS tokens —
User Delegation SAS — It is signed with the Azure AD credentials of a user or service principal instead of Azure storage account keys. The necessary roles need to be assigned to the user to enable this.
Service SAS — A service SAS delegates access to resources in only one Azure storage service — Blob, Queue, Table, or Files. These SAS tokens are secured by a storage account key.
Account SAS — This type of SAS is also secured by storage account keys. An account SAS delegates access to resources in one or more storage services.
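As an added example (not code from the original post), here is a small Python audit helper that classifies a SAS token as user delegation, account or service by the standard SAS query parameters it carries (skoid/sktid mark an Azure AD-signed token, ss/srt an account SAS, sr a service SAS) and flags the properties discussed above: key-signed tokens, long expiry (se), missing IP restriction (sip), plain HTTP (spr) and write-class permissions (sp). The sample tokens, GUIDs, signatures and the 24-hour limit are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Query parameters only a user delegation SAS carries: the Azure AD principal
# (skoid/sktid) and the user delegation key (skt/ske/sks/skv) that signed it.
USER_DELEGATION_PARAMS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}

def parse_sas(url_or_query):
    """Return the SAS query parameters of a full URL or a bare query string as a dict."""
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def sas_kind(params):
    """Classify the token as user-delegation, account or service SAS."""
    if USER_DELEGATION_PARAMS.intersection(params):
        return "user-delegation"
    if "ss" in params and "srt" in params:   # signed services + resource types
        return "account"
    return "service" if "sr" in params else "unknown"   # sr = signed resource (b, c, d)

def audit_sas(url_or_query, now=None, max_hours=24):
    """Return (kind, findings) listing the properties a reviewer would question."""
    params = parse_sas(url_or_query)
    now = now or datetime.now(timezone.utc)
    kind, findings = sas_kind(params), []
    if kind != "user-delegation":
        findings.append(f"{kind} SAS is signed with a storage account key, not Azure AD")
    if "se" in params:
        expiry = datetime.fromisoformat(params["se"].replace("Z", "+00:00"))
        hours = (expiry - now).total_seconds() / 3600
        if hours > max_hours:
            findings.append(f"expires in {hours:.0f}h, more than {max_hours}h")
    else:
        findings.append("no expiry (se) set")
    if "sip" not in params:
        findings.append("no IP restriction (sip)")
    if params.get("spr", "https,http") != "https":   # an absent spr permits HTTP
        findings.append("plain HTTP allowed (spr)")
    risky = set(params.get("sp", "")) & set("wdac")  # write, delete, add, create
    if risky:
        findings.append("write-class permissions: " + "".join(sorted(risky)))
    return kind, findings

# Constructed sample tokens: GUIDs and signatures are placeholders, not real values.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DELEGATION_SAS = ("sv=2022-11-02&sr=c&sp=rl&se=2024-06-01T04:00:00Z&sip=203.0.113.10&spr=https"
                  "&skoid=00000000-0000-0000-0000-000000000001&sktid=00000000-0000-0000-0000-000000000002"
                  "&skt=2024-06-01T00:00:00Z&ske=2024-06-02T00:00:00Z&sks=b&skv=2022-11-02&sig=PLACEHOLDER")
ACCOUNT_SAS = "sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2025-06-01T00:00:00Z&sig=PLACEHOLDER"
```

Running `audit_sas(DELEGATION_SAS, now=SAMPLE_NOW)` yields no findings, while the year-long, key-signed account SAS produces one finding per weak property.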
Why User Delegation SAS?
A user delegation SAS is secured with Azure AD credentials instead of storage account keys. This means clients and applications do not have to store or retrieve storage account keys to create a SAS. Hence it is considered more secure, and it is the best practice recommended by Microsoft.
How is a user delegation SAS created?
- The user logs in with Azure AD credentials.
- On successful authentication, an OAuth token is returned.