90954341 asked EndrizziMichaelJohn-3967 answered

How to manage sas token which has already been shared out?

Hi,

I'm an owner of an azure blob, and I have shared some sas token out for reason.

Now, I'm confused about how to manage these tokens.

Is there any way to get the history token list on azure portal or by writing script?
And I also want to know detail information about anyone on anytime access the blob in any ip address.

Thanks a lot.

azure-storage-accounts

SumanthMarigowda-MSFT answered 90954341 commented
• It's not possible to audit the generation of SAS tokens. There's no way to list SAS tokens. The REST operations are misnamed (I will look into getting that corrected). These operations create a SAS token based on parameters that you pass in: https://github.com/MicrosoftDocs/azure-docs/issues/52756

• If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.

• It is not possible to get the list of SAS URLs because they are not stored anywhere in Azure Storage.

If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

To achieve this, you can use a lightweight service that authenticates the client and generates a SAS, which is securely distributed to the authorized users via HTTPS. The only way to minimize the exposure of a leaked key is to shorten the duration of the expiration time.

Refer to this article in the recommendation section: https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/


List existing SAS tokens: with PowerShell perhaps not, but perhaps possible with the REST API: https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/listaccountsas

For the POST request, some of the request body parameters are REQUIRED to be filled which will need trial and error as you may not remember for what duration the SAS was allowed for. But provided all the values at https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/listaccountsas#request-body are somehow documented, then it should be programmatically possible to get the SAS token itself.

Is there a way to pull what SAS keys are being used to access a Storage Account?

The Azure activity log records the management plane operations, for example creating a storage account or updating a property of a storage account. It doesn’t help when you try to analyze the data requests to a storage account. You should use Storage analytics logs: https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=/azure/storage/blobs/toc.json

However, I don’t see the direct solution to figure out the actual SAS token and the mapping with SAS policy.

There are two upcoming features that might address general concerns on SAS. One is that we are adding a hash of the SAS in the new logging integration with Azure Monitor. Another is that we are going to add a SAS expiry policy to warn when the expiry is longer than the configured time.


This SO thread gives information on which user has performed any action on your Azure storage account: Monitoring Azure Blob storage

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don’t forget to “Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
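As an added example (not part of the answer above or any Microsoft tooling), the script below does the one thing that is possible today with Storage analytics logging: it parses version 1.0 log lines, keeps only SAS-authenticated requests, fingerprints each SAS by hashing its `sig` query parameter (the same idea as the hash-of-SAS logging mentioned above), and lists signatures that were used from more than one source IP. The log lines and the account name `contoso` are constructed samples, and the 30-field layout is assumed to match the documented 1.0 format.

```python
import csv
import hashlib
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Column names of the Storage Analytics log format, version 1.0 (30 ';'-separated fields).
FIELDS = [
    "version-number", "request-start-time", "operation-type", "request-status", "http-status-code",
    "end-to-end-latency-in-ms", "server-latency-in-ms", "authentication-type", "requester-account-name",
    "owner-account-name", "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header", "request-header-size",
    "request-packet-size", "response-header-size", "response-packet-size", "request-content-length",
    "request-md5", "server-md5", "etag-identifier", "last-modified-time", "conditions-used",
    "user-agent-header", "referrer-header", "client-request-id",
]

def sas_fingerprint(request_url):
    """Non-reversible handle for a SAS: SHA-256 of its 'sig' query parameter (None if absent)."""
    sig = parse_qs(urlparse(request_url).query).get("sig", [""])[0]
    return hashlib.sha256(sig.encode()).hexdigest()[:16] if sig else None

def sas_usage(log_text):
    """Map SAS fingerprint -> list of (start-time, source-ip, operation, object-key)."""
    usage = defaultdict(list)
    for row in csv.reader(log_text.splitlines(), delimiter=";"):
        if len(row) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, row))
        if rec["authentication-type"] != "sas":
            continue  # shared-key or anonymous request, no SAS involved
        ip = rec["requester-ip-address"].rsplit(":", 1)[0]  # strip the source port
        usage[sas_fingerprint(rec["request-url"])].append(
            (rec["request-start-time"], ip, rec["operation-type"], rec["requested-object-key"]))
    return dict(usage)

def sas_used_from_multiple_ips(usage):
    """Fingerprints seen from more than one source IP: worth reviewing as a possibly leaked SAS."""
    return sorted(fp for fp, hits in usage.items() if len({h[1] for h in hits}) > 1)

# Constructed sample lines (not real account data) in the 1.0 layout; account 'contoso' is made up.
SAMPLE_LOG = """\
1.0;2021-03-02T10:15:01.1234567Z;GetBlob;SASSuccess;200;12;11;sas;;contoso;blob;"https://contoso.blob.core.windows.net/reports/q1.csv?sv=2020-08-04&sr=b&sp=r&se=2021-03-03T00%3A00%3A00Z&sig=AbCdEf123";"/contoso/reports/q1.csv";7c3d1a2e-0000-4000-8000-000000000001;0;203.0.113.10:51234;2020-08-04;310;0;420;2048;0;;;"0x8D8E0A1B2C3D4E5";Tuesday, 02-Mar-21 09:00:00 GMT;;"WA-Storage/12.0.0 (python)";;"client-1"
1.0;2021-03-02T10:42:17.7654321Z;GetBlob;SASSuccess;200;14;13;sas;;contoso;blob;"https://contoso.blob.core.windows.net/reports/q1.csv?sv=2020-08-04&sr=b&sp=r&se=2021-03-03T00%3A00%3A00Z&sig=AbCdEf123";"/contoso/reports/q1.csv";7c3d1a2e-0000-4000-8000-000000000002;0;198.51.100.7:40022;2020-08-04;310;0;420;2048;0;;;"0x8D8E0A1B2C3D4E5";Tuesday, 02-Mar-21 09:00:00 GMT;;"curl/7.68.0";;"client-2"
1.0;2021-03-02T11:03:45.0000000Z;GetBlob;SASSuccess;200;9;8;sas;;contoso;blob;"https://contoso.blob.core.windows.net/reports/q2.csv?sv=2020-08-04&sr=b&sp=r&se=2021-03-03T00%3A00%3A00Z&sig=ZyXwV987";"/contoso/reports/q2.csv";7c3d1a2e-0000-4000-8000-000000000003;0;203.0.113.10:51240;2020-08-04;310;0;420;1024;0;;;"0x8D8E0A1B2C3D4F0";Tuesday, 02-Mar-21 09:30:00 GMT;;"WA-Storage/12.0.0 (python)";;"client-1"
1.0;2021-03-02T11:10:00.0000000Z;PutBlob;Success;201;20;18;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/reports/q3.csv";"/contoso/reports/q3.csv";7c3d1a2e-0000-4000-8000-000000000004;0;203.0.113.10:51250;2020-08-04;350;4096;200;0;4096;;;"0x8D8E0A1B2C3D4F1";Tuesday, 02-Mar-21 11:10:00 GMT;;"AzCopy/10.9.0";;"client-1"
"""

if __name__ == "__main__":
    for fp in sas_used_from_multiple_ips(sas_usage(SAMPLE_LOG)):
        print("SAS", fp, "seen from multiple IPs; consider rotating the key or revoking the stored policy")
```

The fingerprint only identifies a signature across log lines; it does not recover the SAS itself, so it can be stored and shared with the people who issued the tokens without re-exposing the token.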




Thanks for your detailed answer, it helps me a lot.

EndrizziMichaelJohn-3967 answered

Thanks for the detail. However, I find it incredible that such a sensitive security event cannot be audited. Technology has been logging security events on paper and digitally forever.
