SAS Tokens

🎯 Lab Objective

In this hands-on lab, you will learn how to:

• Understand Shared Access Signature (SAS) tokens and their security benefits
• Create different types of SAS tokens (Account, Service, and User Delegation)
• Configure SAS permissions and expiration times for secure access control
• Test SAS token functionality from different clients and scenarios
• Implement time-based access control using SAS token expiration
• Troubleshoot SAS token issues and understand security implications

Scenario: Your organization needs to provide temporary, secure access to Azure Storage resources for external partners and applications without sharing storage account keys. You’ll create and manage SAS tokens with different permission levels and expiration times.

---

🏗️ Pre-Provisioned Environment

The following Azure resources have been pre-deployed in your environment:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	SASTokens-Lab-RG	Contains all lab resources	Logical container
Storage Account	sastokenlab[unique]	General Purpose v2	Primary storage resource
Blob Container	documents	Private access level	Document storage
Blob Container	images	Private access level	Image storage
Blob Container	public-data	Private access level	Publicly accessible data
Test VM	ClientVM	Windows Server 2019	SAS token testing client
Sample Files	Various	Pre-uploaded content	Test data for SAS operations

Storage Structure

sastokenlab[unique] (Storage Account)
├── documents (Container)
│   ├── report.pdf
│   ├── contract.docx
│   └── presentation.pptx
├── images (Container)
│   ├── logo.png
│   ├── banner.jpg
│   └── profile.gif
└── public-data (Container)
    ├── readme.txt
    ├── changelog.md
    └── license.txt

VM Details

VM	Private IP	Operating System	Purpose
ClientVM	10.0.1.4	Windows Server 2019	Test SAS token access scenarios

---

🚀 Lab Exercises

Part 1: Explore Storage Account and Containers

Step 1: Navigate to Storage Account

1. Navigate to SASTokens-Lab-RG resource group
2. Click on the Storage Account (sastokenlab[unique])
3. In the left menu, click Containers
4. Explore the containers: documents, images, public-data

Step 2: View Container Contents

1. Click on documents container
2. Observe the files: report.pdf, contract.docx, presentation.pptx
3. Try to access a file directly:
   • Click on report.pdf
   • Click Generate SAS (we’ll use this later)
   • For now, note that direct access requires authentication

Step 3: Test Unauthenticated Access

1. Copy the blob URL for report.pdf
2. Open a new incognito/private browser window
3. Paste the URL and try to access
4. Expected Result: ❌ Access should be denied (403 Forbidden)

---

Part 2: Create Account-Level SAS Token

Step 1: Generate Account SAS

1. In your storage account, go to Security + networking → Shared access signature
2. Configure Account SAS settings:

Setting	Value	Purpose
Allowed services	✅ Blob, ✅ File, ✅ Queue, ✅ Table	All services
Allowed resource types	✅ Service, ✅ Container, ✅ Object	All resource types
Allowed permissions	✅ Read, ✅ Write, ✅ Delete, ✅ List	Full permissions
Start time	Current time	Immediate access
Expiry time	+24 hours	Valid for 24 hours
Allowed IP addresses	Leave empty	No IP restrictions
Allowed protocols	HTTPS only	Secure transport

3. Click Generate SAS and connection string

Step 2: Copy SAS Token Information

Save the following information:

• SAS token: Copy the full token string (starts with ?sv=)
• Blob service SAS URL: Copy the complete URL
• Connection string: Copy for programmatic access

Step 3: Test Account SAS Token

1. Manual URL test:
   • Take the report.pdf URL from earlier
   • Append the SAS token: https://sastokenlab[unique].blob.core.windows.net/documents/report.pdf[SAS-TOKEN]
   • Open in incognito browser window
   • Expected Result: ✅ File should download successfully

---

Part 3: Create Container-Level SAS Token

Step 1: Generate Container SAS

1. Navigate to Containers → images
2. Click the … menu → Generate SAS
3. Configure Container SAS settings:

Setting	Value	Purpose
Permissions	✅ Read, ✅ List	Read-only access
Start time	Current time	Immediate access
Expiry time	+2 hours	Short-term access
Allowed IP addresses	Leave empty	No IP restrictions
Allowed protocols	HTTPS only	Secure transport

4. Click Generate SAS token and URL

Step 2: Test Container SAS

1. Copy the Blob SAS URL
2. Test in incognito browser: Should show XML listing of container contents
3. Test individual file access:
   • Manually construct URL: https://sastokenlab[unique].blob.core.windows.net/images/logo.png[CONTAINER-SAS-TOKEN]
   • Expected Result: ✅ Should download the image file

---

Part 4: Create Blob-Level SAS Token

Step 1: Generate Blob SAS

1. Navigate to documents container
2. Click on contract.docx
3. Click Generate SAS
4. Configure Blob SAS settings:

Setting	Value	Purpose
Permissions	✅ Read only	Read-only access
Start time	Current time	Immediate access
Expiry time	+1 hour	Very short-term access
Allowed IP addresses	Leave empty	No IP restrictions
Allowed protocols	HTTPS only	Secure transport

5. Click Generate SAS token and URL

Step 2: Test Blob SAS Specificity

1. Test the generated URL: Should download contract.docx
2. Try to modify URL for different file:
   • Change contract.docx to report.pdf in the URL
   • Keep the same SAS token
   • Expected Result: ❌ Should fail (SAS is blob-specific)

---

Part 5: Test from Client VM

Step 1: Connect to Client VM

1. Navigate to ClientVM
2. Click Connect → RDP
3. Use credentials:
   • Username: azureuser
   • Password: LabPassword123!

Step 2: Test SAS Tokens with PowerShell

From ClientVM, open PowerShell and test:

# Test Account SAS token
$accountSASUrl = "https://sastokenlab[unique].blob.core.windows.net/documents/report.pdf?[ACCOUNT-SAS-TOKEN]"
try {
    Invoke-WebRequest -Uri $accountSASUrl -OutFile "C:\temp\report.pdf"
    Write-Host "✅ Account SAS: Successfully downloaded report.pdf"
    Get-Item "C:\temp\report.pdf"
} catch {
    Write-Host "❌ Account SAS failed: $($_.Exception.Message)"
}

# Test Container SAS token
$containerSASUrl = "https://sastokenlab[unique].blob.core.windows.net/images?[CONTAINER-SAS-TOKEN]&restype=container&comp=list"
try {
    $response = Invoke-WebRequest -Uri $containerSASUrl
    Write-Host "✅ Container SAS: Successfully listed container contents"
    $response.Content
} catch {
    Write-Host "❌ Container SAS failed: $($_.Exception.Message)"
}

# Test Blob SAS token
$blobSASUrl = "https://sastokenlab[unique].blob.core.windows.net/documents/contract.docx?[BLOB-SAS-TOKEN]"
try {
    Invoke-WebRequest -Uri $blobSASUrl -OutFile "C:\temp\contract.docx"
    Write-Host "✅ Blob SAS: Successfully downloaded contract.docx"
} catch {
    Write-Host "❌ Blob SAS failed: $($_.Exception.Message)"
}

Step 3: Test Different Operations

# Try to upload with read-only SAS (should fail)
$readOnlySAS = "[BLOB-SAS-TOKEN-READ-ONLY]"
$uploadUrl = "https://sastokenlab[unique].blob.core.windows.net/documents/newfile.txt?$readOnlySAS"

try {
    Invoke-WebRequest -Uri $uploadUrl -Method PUT -Body "Test content" -Headers @{"x-ms-blob-type"="BlockBlob"}
    Write-Host "✅ Upload succeeded (unexpected)"
} catch {
    Write-Host "❌ Upload blocked by read-only SAS (expected behavior)"
}

---

Part 6: Time-Based Access Control

Step 1: Create Short-Term SAS

1. Go back to documents container
2. Click on presentation.pptx
3. Generate SAS with 1 minute expiry:

Setting	Value
Permissions	Read only
Expiry time	+1 minute

4. Copy the SAS URL

Step 2: Test Time Expiration

1. Immediately test the URL - should work
2. Wait 2 minutes
3. Test again - should fail with authentication error
4. Expected behavior:
   • ✅ Before expiry: File downloads successfully
   • ❌ After expiry: 403 Forbidden error

---

Part 7: Advanced SAS Configuration

Step 1: Create SAS with IP Restrictions

1. Get your current public IP address:

   • Go to https://whatismyipaddress.com/
   • Copy your IP address

2. Generate new container SAS for public-data:

Setting	Value	Purpose
Permissions	Read, List	Read access
Expiry time	+4 hours	Extended access
Allowed IP addresses	Your public IP	IP restriction

3. Test from different locations:
   • ✅ From your IP: Should work
   • ❌ From different IP: Should be blocked

Step 2: Create SAS with Custom Permissions

1. Generate Account SAS with limited permissions:

Setting	Value	Purpose
Allowed services	✅ Blob only	Blob service only
Allowed resource types	✅ Object only	Files only, no containers
Allowed permissions	✅ Read only	Read-only access
Expiry time	+12 hours	Half-day access

2. Test limitations:
   • ✅ Can access individual blobs
   • ❌ Cannot list containers
   • ❌ Cannot write/delete

---

🔧 Troubleshooting Guide

Common SAS Token Issues

Issue	Symptoms	Possible Cause	Solution
403 Forbidden	Access denied error	SAS expired or invalid	Generate new SAS token
404 Not Found	Resource not found	Wrong resource path in SAS	Verify blob/container path
Signature mismatch	Authentication failed	URL encoding issues	Use proper URL encoding
IP forbidden	Access blocked	Request from non-allowed IP	Check IP restrictions
Time-related errors	Clock skew issues	Client time mismatch	Check system time

SAS Token Validation

Check	Method	Expected Result
Token format	Verify starts with ?sv=	Valid SAS parameter string
Expiry time	Check se parameter	Future timestamp
Permissions	Check sp parameter	Required permission letters
Resource	Check sr parameter	Correct resource type

---

🧪 Additional Experiments

Try these optional exercises to deepen your understanding:

• User Delegation SAS: Create SAS using Azure AD credentials instead of account keys
• Stored Access Policies: Create reusable access policies for consistent SAS generation
• SAS with Azure CLI: Generate SAS tokens using command-line tools
• Application Integration: Use SAS tokens in web applications for secure file uploads
• Monitoring: Track SAS token usage in storage analytics logs

---

🎓 Key Takeaways

After completing this lab, you should understand:

• SAS tokens provide secure, temporary access to storage resources without sharing keys
• Different SAS types (Account, Service, User Delegation) offer varying scopes of access
• Time-based access control enables automatic expiration of access permissions
• Granular permissions allow precise control over allowed operations
• IP restrictions add an additional layer of network-based security
• SAS tokens are URL-safe and can be embedded in web applications
• Proper SAS management is crucial for maintaining storage security

---

📊 SAS Token Types Comparison

SAS Token Types

Type	Scope	Use Case	Security Level
Account SAS	Entire storage account	Admin operations, bulk access	High permissions
Service SAS	Specific service (Blob, File, etc.)	Service-specific access	Medium permissions
User Delegation SAS	Azure AD secured	Enterprise scenarios	Highest security

Permission Letters

• r = Read
• w = Write
• d = Delete
• l = List
• a = Add
• c = Create
• u = Update
• p = Process

---

📚 Additional Resources

• Shared Access Signatures (SAS) Overview
• Create SAS tokens
• User Delegation SAS
• SAS Security Best Practices