1
votes

In order to connect to Azure Shared Storage (in particular, File Share) to perform tasks like copying/removing/modifying files from remote to Azure storage, we need either a SAS (Shared Access Signature) or Active Directory settings enabled (and then assign roles based on the requirement).

I wanted to implement the access using the SAS approach. I tried generating a SAS from the UI, and tried generating a SAS by making use of Access Keys (present inside the Storage Account; confidential and the most important key for the storage account); both worked. But the UI approach isn't conducive in my case, and the access token can't be given to anyone apart from the administrator.

So is there a way to generate a SAS using Azure AD credentials, or some service where we can create an account and password/key, and that account can then be used to create a SAS token via curl (REST call), rather than generating the SAS via access keys (admin key)?

2
Do I get you right, that you want users to be able to create the appropriate SAS tokens for themselves without giving them full access to the whole storage account? - Manuel Batsching

Yes, I want the user to be able to write only to their own folder or file share, and not control the storage account as a whole. - mozilla_firefox

2 Answers

1
votes

The tricky part is to let your users create a SAS token for the file share without granting them permissions on the whole storage account.

You can use a middle-tier application that creates the SAS token and allow the users to use that app. An Azure Function with an HTTP trigger can be used, for example. You grant the Azure Function access to the storage account using a Managed Service Identity, and secure access to the Azure Function either with Active Directory or with a function key that you distribute to your users.

0
votes

You can try with this approach:

A SAS token for access to a container, directory, or blob may be secured by using either Azure AD credentials or an account key. Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security.

Create a User delegation SAS

Generate a User Delegation Key:

POST https://myaccount.blob.core.windows.net/?restype=service&comp=userdelegationkey
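Putting the two answers together, here is an added example (not code from either answer, nor from Microsoft) of the middle-tier issuer the first answer describes, minting a user delegation SAS with the Azure SDK for Python as the second answer's quoted documentation describes for blobs; the account name, container, per-user folder layout and 15-minute lifetime are assumptions. The path check is the part that actually enforces "write only to their own folder": a SAS is only as narrow as the blob name you sign, so a caller-chosen path must be confined before signing.

```python
import re
from datetime import datetime, timedelta, timezone

ACCOUNT = "myaccount"            # assumed storage account name
CONTAINER = "userdata"           # assumed container with one folder per user
SAS_TTL = timedelta(minutes=15)  # short lifetime limits damage from a leaked token
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # one path segment

def user_folder(user_id: str) -> str:
    """Map the authenticated caller to the only prefix they may write under."""
    if user_id in (".", "..") or not _SAFE_SEGMENT.match(user_id):
        raise ValueError("unsafe user id")
    return user_id + "/"

def scoped_blob_path(user_id: str, requested: str) -> str:
    """Confine a caller-supplied relative path to the caller's own folder.

    Each segment is checked, so '..', empty segments ('a//b', leading '/')
    and backslashes are rejected: no token is ever minted for another user's data.
    """
    segments = requested.split("/")
    for seg in segments:
        if seg in (".", "..") or not _SAFE_SEGMENT.match(seg):
            raise ValueError("invalid path: %r" % requested)
    return user_folder(user_id) + "/".join(segments)

def issue_write_sas(user_id: str, requested: str) -> str:
    """Mint a user delegation SAS for one blob under the caller's folder.

    Runs under the middle tier's own identity (a managed identity in Azure), so
    callers never see an account key. Needs azure-identity, azure-storage-blob
    and Azure credentials; it is therefore not exercised offline.
    """
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobSasPermissions, BlobServiceClient, generate_blob_sas

    blob_path = scoped_blob_path(user_id, requested)
    start = datetime.now(timezone.utc)
    expiry = start + SAS_TTL
    account_url = "https://%s.blob.core.windows.net" % ACCOUNT
    client = BlobServiceClient(account_url, credential=DefaultAzureCredential())
    # SDK equivalent of the POST ...?restype=service&comp=userdelegationkey
    # request quoted above: the key is bound to the Azure AD identity.
    udk = client.get_user_delegation_key(start, expiry)
    token = generate_blob_sas(
        account_name=ACCOUNT, container_name=CONTAINER, blob_name=blob_path,
        user_delegation_key=udk, start=start, expiry=expiry, protocol="https",
        permission=BlobSasPermissions(create=True, write=True),  # no read/list/delete
    )
    return "%s/%s/%s?%s" % (account_url, CONTAINER, blob_path, token)
```

Call issue_write_sas from the HTTP-triggered function only after the caller has been authenticated (Active Directory or the function key, as the first answer suggests); the path-scoping functions run offline and are the part worth unit-testing.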