Lab
A Cloud Guru

Limit Access to Azure Storage Account Using SAS URI

In this lab, you will have an opportunity to create a SAS token for access to an Azure Storage account and then test the SAS-based access by working with the storage account from a separate environment. Students with at least some Azure experience will have the best opportunity to complete the lab without assistance, but the lab guide and solution videos provide a full walkthrough if you get stuck.

Try for free Contact sales

Path Info

Level

Beginner

Duration

30m

Published

Oct 09, 2020

Challenge

Prepare Testing Environment
At the beginning of this objective, you should be logged in to the Azure portal and on the overview page for the resource group provisioned with the lab environment.

In this objective, you will prepare your testing environment by launching Azure Storage Explorer on a VM and uploading a couple of files to an Azure Storage account.
1. Select the VM provisioned in the resource group, and connect to it using RDP. You can ignore any warnings about port prerequisites or security certificates when connecting.
2. Once connected to the VM, it you are prompted to make your VM discoverable, click Yes. If one or more PowerShell or other windows open, close them.
3. Open the A**zure Storage Explorer **that is already installed
4. After Azure Storage Explorer completes initializing, choose Attach to a resource, and select to connect to a storage account, using a shared access signature URL (SAS). Do not use a connection string.
5. Leave the Connection Info dialog open and minimize the VM window, but do not log out of the VM.
6. Prepare two small text files locally to upload to Blob storage.
7. Return to the resource group overview page in the portal, and navigate to the storage account with the name that starts with pslab, followed by a few random characters.
8. Create a new container in the storage account, and upload the two files you prepared.
Challenge

Create and Test a SAS Token
In this objective, you will enable the storage account to allow the use of SAS tokens, generate a token, and use the SAS URL in Azure Storage Explorer (in the VM) to connect to the storage account and test the permissions expressed in the SAS token.
1. Go to Configuration on the storage account and enable the use of SAS tokens.
  
  Hint: You need to allow access to the account using keys in order to make use of SAS tokens.
2. Create a shared access signature on the storage account with the following properties:
  - Only blob for allowed services.
  - Allow all three resource types.
  - Enable only read and list permissions.
  - Ensure the only allowed protocol is HTTPS.
  - Leave all other properties not mentioned as their defaults.
3. Use the Blob service SAS URL to connect to the storage account from Azure Storage Explorer on the VM, and check that you can navigate to the container you created and the blobs you uploaded.
4. Test to ensure that only read and list operations are allowed. For example, you should not be able to add a new blob or delete an existing one.

Author

A Cloud Guru

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.