Could you please provide some real world examples or scenarios which are using SAS and Access Key?

Time:04-11

Based on my understanding, Shared Access Signature (SAS) is used in any situation where you don’t want to give away your storage account key, primary or secondary (full administrative access).

However, Access Key is used when Azure role is assigned to an Azure AD security principal.

Could you please provide some real world examples or scenarios which are using SAS and Access Key?

Thank you for your help.

CodePudding user response:

Say you have a website that allows users to upload files. You could create an API that takes the file and puts it on a storage account, or you can allow the client to upload the file directly to the storage account. In order to do that, the API generates and returns a SAS token that allows write access for a short period of time to the storage account. This way the API doesn't need bandwidth to cater for large file uploads and the access to the storage account is based on the principle of least privilege.

Another scenario is to facilitate the download of a file for a limited amount of time. For example, an expense report is generated and available for download. The API generates a URL to the storage account including a SAS token that gives read permission to a certain blob for a short period of time.

The use of Access Keys should be avoided; use managed identities so there is no need for access keys that have to be put in the configuration somehow and need to be protected.

By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.

Now, if you have an API or Azure Function or whatever backend process that needs access to a storage account, you can use a managed identity and assign that identity permissions based on the principle of least privilege.
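Added example, not part of the answer above: a small check an API could run on a SAS URL before handing it to a client, confirming it is limited to the permission, single blob, HTTPS and short lifetime the two scenarios describe. It assumes an ad hoc SAS (no stored access policy); the function names, the 15-minute limit and the sample URLs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# SAS query parameters used here: sp=permissions, se=expiry, sr=resource, spr=protocol.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_sas_time(value):
    """Parse the UTC time formats a SAS expiry may use."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas_url(url, allowed_perms, max_lifetime, now):
    """Return a list of findings; an empty list means the SAS matches the policy."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    extra = set(q.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("excess permissions: " + "".join(sorted(extra)))
    if q.get("sr") != "b":
        findings.append("not scoped to a single blob (sr=%s)" % q.get("sr"))
    if parts.scheme != "https" or q.get("spr", "") != "https":
        findings.append("HTTP not excluded (spr should be https)")
    try:
        if parse_sas_time(q["se"]) - now > max_lifetime:
            findings.append("expiry more than %s ahead" % max_lifetime)
    except (KeyError, ValueError):
        findings.append("missing or unparseable expiry (se)")
    return findings

# Constructed sample URLs; account, container, blob and sig values are placeholders.
NOW = datetime(2024, 4, 11, 10, 0, tzinfo=timezone.utc)
BASE = "https://exampleaccount.blob.core.windows.net/reports/expense-42.pdf"
TIGHT = BASE + "?sv=2022-11-02&sr=b&sp=r&se=2024-04-11T10:15:00Z&spr=https&sig=PLACEHOLDER"
LOOSE = BASE + "?sv=2022-11-02&sr=c&sp=rwdl&se=2025-04-11T10:00:00Z&spr=https,http&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, url in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, audit_sas_url(url, "r", timedelta(minutes=15), NOW))
```

For the upload scenario, pass the write-side permissions the API intends to grant (for example `"cw"`) as `allowed_perms` instead of `"r"`.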
