Shared access signature correct way to share documents - Microsoft Q&A (2024)

*anonymous user* Though not a recommended practice, it is possible to create a SAS which never expires. To achieve this, you don’t specify the expiry date when creating the SAS. In the earlier version of the storage service, only a revocable SAS could be never-expiring, and an anonymous SAS was only valid for a 1-hour duration. However, with the latest version of the storage service, it is possible to create a never-expiring anonymous SAS.
https://stackoverflow.com/questions/52547152/default-start-time-and-expiry-time-for-an-account-level-sas-token

There are two ways to set expiry on SAS. The first is to build it into the SAS token itself. Then the only way to check expiry is to inspect the se= parameter of the token. You could maintain a list of known SAS tokens and alert based on the expiry.

The second way to set expiry is to set it in a stored policy on a container. Then the SAS token would reference it using.

You can check the expiry in that case using the Get Container ACL API (sometimes called GetPermissions).

You would need to check each container that may contain a policy and alert based on the time set in the policy.

If you want to know whether your account-level SAS is expired or expiring, based on this doc, you can just check the SignedExpiry parameter; in the SAS its name is se.

https://learn.microsoft.com/en-us/rest/api/storageservices/create-account-sas#specifying-account-sas-parameters

When you use shared access signatures in your applications, you need to be aware of two potential risks:

  • If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
  • If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

You may create some application to save the expiry date every time you create a SAS, and with this you may have some alerts from that application, but Azure doesn’t support this feature.

Additional information: Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then this may be unnecessary as the SAS is not expected to be renewed. However, if you have a client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that the client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to successful renewal).

Best practices when using SAS: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#best-practices-when-using-sas

Lifetime and revocation of a shared access signature

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

Please don’t forget to “Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


FAQs

What are the recommended best practices if a shared access signature is compromised?

You can use a shared access signature (SAS) to delegate access to resources in your Azure Storage account. A SAS token includes the targeted resource, the permissions granted, and the interval over which access is permitted. Best practices recommend that you limit the interval for a SAS in case it's compromised.

What is the most important thing to consider when using shared access signatures?

Shared Access Signatures protect your account keys.

If a SAS is exposed, you can terminate it without impacting other signatures or the account keys, provided it is bound to a stored access policy or is a user delegation SAS. However, if your account key were to be compromised, all Shared Access Signatures signed with that key and all other applications using it will need to be reset.

What are the two types of shared access signatures?

The two commonly named types are the service SAS and the account SAS, but Azure Storage actually offers three: a user delegation SAS (secured with Microsoft Entra credentials rather than an account key), a service SAS, and an account SAS. A service SAS grants access to a single resource in one service, such as a blob or a file, and has the narrowest scope; an account SAS can span several services and resource types.

What is one reason to use a shared access signature instead of an account key?

You can provide a shared access signature to clients who shouldn't be trusted with your storage account key but who need access to certain storage account resources. By distributing a SAS URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.

What are the potential risks of using a shared access signature (SAS)?

If a SAS token gets into the wrong hands, the holder has access to your resources for as long as the token is valid, which is indefinite if it was issued without an expiry, potentially leading to data breaches, unauthorized transactions, or other forms of cybercrime.

How do you ensure that shared access signature tokens are allowed only over HTTPS?

Identify the communication protocol permitted for the token, which is the value of the spr parameter (for example spr=https,http). If the spr parameter is not set to HTTPS only (i.e. spr=https), the Shared Access Signature (SAS) token's configuration is not compliant. Note that omitting spr altogether also permits both protocols.
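The answer above describes two checks: inspect the se= parameter of each known SAS token, or, when the token references a stored access policy via si=, read the policy's expiry from Get Container ACL. The FAQ item just above adds a third, the spr parameter. The script below is an added example, not code from the Q&A answer or from Microsoft, that performs all three on constructed sample tokens. The account name `acct`, the policy ids, and the STORED_POLICIES dictionary (a stand-in for what Get Container ACL would return) are assumptions, and the sig= values are placeholders; nothing here validates a signature.

```python
"""Audit Azure Storage SAS tokens for expiry source and HTTPS-only transport.

Added example (not the Q&A answer's or Microsoft's code). Reads the SAS query
parameters se=, si= and spr=, resolves a stored-policy expiry from a constructed
stand-in for Get Container ACL output, and flags tokens that never expire, are
expired or expiring, or allow plain HTTP.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the signed identifiers Get Container ACL returns,
# keyed by container name and then by policy id (the value a SAS puts in si=).
STORED_POLICIES = {
    "reports": {
        "ro-until-2025": {"expiry": "2025-12-31T00:00:00Z", "permission": "r"},
        "no-expiry": {"expiry": None, "permission": "rl"},
    },
}

# Constructed sample SAS URLs/tokens (hypothetical account "acct", placeholder sig=).
SAMPLE_SAS = {
    "token-expiry": "https://acct.blob.core.windows.net/reports/q1.pdf"
                    "?sv=2022-11-02&sr=b&sp=r&st=2025-01-01T00:00:00Z"
                    "&se=2025-01-08T00:00:00Z&spr=https&sig=PLACEHOLDER",
    "policy-expiry": "https://acct.blob.core.windows.net/reports"
                     "?sv=2022-11-02&sr=c&si=ro-until-2025&spr=https&sig=PLACEHOLDER",
    "never": "https://acct.blob.core.windows.net/reports"
             "?sv=2022-11-02&sr=c&si=no-expiry&sig=PLACEHOLDER",
    "account-http": "?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z"
                    "&spr=https,http&sig=PLACEHOLDER",
}
SAMPLE_NOW = datetime(2025, 1, 5, tzinfo=timezone.utc)  # fixed clock for repeatable results

TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_time(value):
    """Parse the UTC timestamp forms Azure accepts in st=/se=; None when absent."""
    if not value:
        return None
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def parse_sas(sas):
    """Split a full SAS URL or a bare ?-prefixed token into its query parameters."""
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    # parse_qs turns '+' into ' ', which would mangle sig=; harmless here, sig is never used.
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def container_of(sas):
    """Container name (first path segment) of a SAS URL; None for a bare token."""
    parts = [p for p in urlsplit(sas).path.split("/") if p] if "://" in sas else []
    return parts[0] if parts else None


def audit_sas(sas, policies=STORED_POLICIES, now=None, warn_within=timedelta(days=7)):
    """Return expiry status, where the expiry comes from, and whether the SAS is HTTPS-only."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas(sas)
    findings = []

    # spr= omitted means both protocols are allowed; only spr=https is HTTPS-only.
    https_only = params.get("spr", "https,http") == "https"
    if not https_only:
        findings.append("spr is not https-only")

    expiry = parse_sas_time(params.get("se"))
    source = "token" if expiry else None

    policy_id = params.get("si")
    if policy_id:
        policy = policies.get(container_of(sas), {}).get(policy_id)
        if policy is None:
            # A SAS whose si= names a policy that no longer exists is rejected by the
            # service; deleting the policy is how such a SAS gets revoked.
            return {"status": "invalid", "expiry": None, "source": None,
                    "https_only": https_only,
                    "findings": [f"stored policy {policy_id!r} not found"] + findings}
        if policy["expiry"]:
            expiry, source = parse_sas_time(policy["expiry"]), "policy"

    if expiry is None:
        status = "never-expires"
        findings.append("no expiry on the token or its stored policy")
    elif expiry <= now:
        status = "expired"
    elif expiry - now <= warn_within:
        status = "expiring"
        findings.append(f"expires in {expiry - now}")
    else:
        status = "ok"

    return {"status": status, "expiry": expiry, "source": source,
            "https_only": https_only, "findings": findings}


def audit_samples(now=SAMPLE_NOW):
    """Audit every constructed sample against the fixed clock."""
    return {name: audit_sas(sas, now=now) for name, sas in SAMPLE_SAS.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(f"{name:14} {result['status']:14} source={result['source']} "
              f"https_only={result['https_only']} {'; '.join(result['findings'])}")
```

In practice the STORED_POLICIES dictionary would be filled from the signed identifiers returned by Get Container ACL for each container, and the audit run over whatever inventory of issued tokens you keep, since Azure itself offers no listing of the SAS tokens that exist.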

What is the difference between a shared access signature and a stored access policy?

A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy.

What is a shared access signature?

A shared access signature is a token that is appended to the URI for an Azure Storage resource. The token contains a special set of query parameters that indicate how the resource may be accessed by the client.

What are the resource types allowed in an Azure shared access signature?

Resource types: SAS can be generated for different types of Azure Storage resources, including blobs, files, queues, and tables. You can create SAS tokens at the container or individual resource level.

How do you revoke a shared access signature?

If no stored access policy is specified, the only way to revoke a service or account SAS before it expires is to regenerate the account key that signed it, which also invalidates every other SAS signed with that key. We recommend that you always use stored access policies. When using stored policies, you can revoke signatures by deleting or modifying the policy, or extend the expiry date as needed. A user delegation SAS is revoked differently: by revoking the user delegation key it was signed with.

What is Docusign shared access?

Shared access is a way to grant users permission to send, edit, or manage envelopes on another user's behalf.

What is the difference between a shared access signature and a shared access token?

A shared access signature is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client.

What is signature access?

Signature Access provides Lifestyle Advisory services for the most affluent families.

How do you safeguard a digital signature?

Implementing two-factor authentication

Two-factor authentication is an extra layer of security that requires a user to provide two forms of verification before accessing a system. Implementing this measure can help prevent unauthorized access and protect your digital signatures. This makes a digital signature secure.

What helps to secure confidential data by digital signature?

Digital signatures work through public key cryptography's pair of mathematically linked keys. The signer uses the private key to produce a signature over (a hash of) the data; anyone holding the corresponding public key can verify that signature but cannot forge one. Signing is not encryption: a signature proves origin and integrity, it does not keep the data confidential, so confidential data still needs to be encrypted separately.

How should you stop a compromised SAS token from being used?

If user delegation SAS tokens are compromised, the az storage account revoke-delegation-keys command revokes all of the user delegation keys associated with the specified storage account, which invalidates every user delegation SAS signed with them.

Article information

Author: Carlyn Walter