Whenever I generated a SAS key for allowing access to a storage I have always wondered what all the different parts actually mean, today I found out.
(Source: MS Learn I added some information)
Lets look at this generated key: https://myaccount.blob.core.windows.net/?restype=service&comp=properties&sv=2021-06-08&ss=bf&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&srt=s&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B
| Parameter | Example | Description |
|---|---|---|
| Resource URI | https://myaccount.blob.core.windows.net/?restype=service&comp=properties |
Defines the Azure Storage endpoint and other parameters. This example defines an endpoint for Blob Storage and indicates that the SAS applies to service-level operations. When the URI is used with GET, the Storage properties are retrieved. When the URI is used with SET, the Storage properties are configured |
| Storage version | sv=2015-04-05 |
For Azure Storage version 2012-02-12 and later, this parameter indicates the version to use. This example indicates that version 2015-04-05 (April 5, 2015) should be used. |
| Storage service | ss=bf |
Specifies the Azure Storage to which the SAS applies. This example indicates that the SAS applies to Blob Storage (b) and Azure Files (f). Also available are Queue (q) and Table (t) |
| Start time | st=2015-04-29T22%3A18%3A26Z |
(Optional) Specifies the start time for the SAS in UTC time. This example sets the start time as April 29, 2015 22:18:26 UTC. If you want the SAS to be valid immediately, omit the start time. |
| Expiry time | se=2015-04-30T02%3A23%3A26Z |
Specifies the expiration time for the SAS in UTC time. This example sets the expiry time as April 30, 2015 02:23:26 UTC. |
| Allowed resource type | srt=s |
Specifies which resource types are accessible via the SAS. This example specifies that the accessible resource is in Blob Storage. Service (s), Container (c) and Object (o). |
| Permissions | sp=rw |
Lists the permissions to grant. This example grants access to read (r) and write (w) operations. |
| IP range | sip=168.1.5.60-168.1.5.70 |
Specifies a range of IP addresses from which a request is accepted. This example defines the IP address range 168.1.5.60 through 168.1.5.70. |
| Protocol | spr=https |
Specifies the protocols from which Azure Storage accepts the SAS. This example indicates that only requests by using HTTPS are accepted, and why should you accept anything else? |
| Signature | sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B |
Specifies that access to the resource is authenticated by using an HMAC signature. The signature is computed over a string-to-sign with a key by using the SHA256 algorithm, and encoded by using Base64 encoding. |
Since permissions (sp) is a little more complex I listed them in a separate table.
| Allowed persmission | Description |
|---|---|
| r | Read |
| w | Write |
| d | Delete |
| l | List |
| a | Add |
| c | Create |
| u | Update |
| p | Process |
| i | Immutable storage |
| y | Permanently delete |
| x | Enable deletion of versions |
| t | Read/Write blob index |
| f | Filter Blog index |
Now I can finally decrypt a signature to find out which access rights have been assigned.