none
Azure Blob Storage Access Keys permissions seem to be downgraded when an SAS is generated on the same account. RRS feed

  • Question

  • We have an Azure Blob storage container which is access through Access Key pair (userame/password).  We recently discovered that although Access Key access allows the listing and viewing of files, we get a permissions error when trying to download files (looking for shared access credentials)

    Question 1:

    Is this behavior normal?  We were under the impression that Access Keys were full permissions. 

    Question 2:

    The only thing different we can see is that we generated an SAS url for another purpose for that storage.  Does generating an SAS change the permissions somehow?  Where is there documentation on this if so?

    Friday, September 13, 2019 4:59 PM

All replies

  • Hi,

    Access Keys are global admin access over the storage account and are not a username and password (it is a long encrypted key value).

    Can you give an edited example of what you are using as it does not sound like storage keys.

    Access keys look like KvZWbb+Pnuy7t8tXJa12Ya/qFWYhuyuy8868686ZiTHafqjGbPQW606XSoJe9tiIPQ==

    SAS is more granular permissions but they have an expiration date.  

    What is this used for....is it by an app or end user?  App could do with storage keys, users are SAS tokens.

    Thanks,

    Matt

    Saturday, September 14, 2019 7:33 PM
  • Thanks Matt.  Yes, we understand the difference between the two and have been using both over the last few years.  We recently ran into an odd problem which is descriibed in the initial post

    We recently discovered that although Access Key access allows the listing and viewing of files, we get a permissions error when trying to download files (looking for shared access credentials)

    From our testing it appears that once we generated an SAS for the account, the access key access somehow stopped working for download.  The question is "Does generating an SAS change the permissions [of the Access Key] somehow?  Where is there documentation on this if so?"

    Monday, September 16, 2019 4:21 AM
  • Hi,

    No, generating a SAS does not affect the key in any way.  In fact, the SAS will stop working if the key changes as every SAS token is signed by one of the keys.

    So there is something else going on there...

    Monday, September 16, 2019 2:58 PM
  • Thank you.  We just needed to rule that out.  We've got quite a tricky situation here which is making less sense the more we find out about it :)  Thanks for taking the time to answer.
    Monday, September 16, 2019 5:25 PM
  • @ArtistShare Just checking are you still facing any issue on the above mentioned, If so please reply back. 
    Tuesday, September 17, 2019 7:08 AM
    Moderator