Azure Storage Blobs User Delegation SAS Tokens now Generally Available
Published date: 15 January, 2020
Cloud storage often serves as a content source for browser and mobile applications. This is typically achieved using application-issued, pre-authorized URLs which provide time-limited access directly to specific content without requiring a service to proxy this access.
Azure Storage supports this pattern through shared access signature (SAS) tokens. A SAS grants specific, time-limited access to storage objects: the issuer signs an authorization statement with the storage account access key, which is controlled by account administrators. This gives clients the limited access they need, but it over-provisions the token-issuing service: the account key grants full control over the entire account, while the service may only need read access to specific content.
Today we are announcing general availability (GA) of user delegation SAS tokens. By extending Azure Active Directory (Azure AD) and Azure role-based access control (RBAC) for Azure Storage, lower-privileged users and services can now delegate subsets of their own access to clients through this new type of pre-authorized URL. The issuing service retrieves a user delegation key tied to its Azure AD identity, and then uses that key, rather than the account key, to sign SAS tokens granting a subset of its own access rights.
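The flow above, as an added example that is not part of the original announcement: a token-issuing service authenticates with its own Azure AD identity, obtains a user delegation key, and signs a read-only SAS for a single blob with that key, so the account key never appears in the service at all. The account, container and blob names are hypothetical, and the `delegation_window` helper is this example's own convention for keeping the SAS inside the key's validity period (a user delegation key may live at most seven days, and a SAS cannot be used after the key it was signed with has expired). The Azure SDK calls (`azure-identity`, `azure-storage-blob`) are real but are imported lazily so the time-window helper runs without them.

```python
from datetime import datetime, timedelta, timezone

# Service-imposed ceiling on the lifetime of a user delegation key (seven days).
KEY_MAX_LIFETIME = timedelta(days=7)
# Start the key slightly in the past so a client whose clock lags does not
# receive a URL the service still considers "not yet valid".
CLOCK_SKEW = timedelta(minutes=5)


def delegation_window(now: datetime, sas_ttl: timedelta):
    """Return (key_start, key_expiry, sas_expiry) for a SAS meant to live sas_ttl.

    Two constraints are enforced: the key never exceeds KEY_MAX_LIFETIME, and the
    SAS never outlives the key, because a user delegation SAS is unusable once the
    key it was signed with has expired. This helper is the example's own convention.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware (SAS times are UTC)")
    if sas_ttl <= timedelta(0):
        raise ValueError("sas_ttl must be positive")
    key_start = now - CLOCK_SKEW
    key_expiry = min(now + sas_ttl, key_start + KEY_MAX_LIFETIME)
    sas_expiry = min(now + sas_ttl, key_expiry)
    return key_start, key_expiry, sas_expiry


def issue_read_url(account: str, container: str, blob: str, sas_ttl: timedelta) -> str:
    """Mint a read-only user delegation SAS URL for one blob using the caller's Azure AD identity."""
    # Imported here so the pure helper above stays usable without the Azure packages installed.
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobSasPermissions, BlobServiceClient, generate_blob_sas

    key_start, key_expiry, sas_expiry = delegation_window(datetime.now(timezone.utc), sas_ttl)

    # No account key anywhere: the token credential (managed identity, CLI login, ...) is what
    # authorises the Get User Delegation Key call, and the caller's RBAC roles bound what the
    # resulting SAS can do.
    service = BlobServiceClient(
        account_url=f"https://{account}.blob.core.windows.net",
        credential=DefaultAzureCredential(),
    )
    udk = service.get_user_delegation_key(key_start_time=key_start, key_expiry_time=key_expiry)

    sas = generate_blob_sas(
        account_name=account,
        container_name=container,
        blob_name=blob,
        user_delegation_key=udk,
        permission=BlobSasPermissions(read=True),  # only the right the client needs
        expiry=sas_expiry,
    )
    return f"{service.get_blob_client(container, blob).url}?{sas}"


if __name__ == "__main__":
    # Hypothetical names; the call needs a signed-in identity with rights on this account.
    print(issue_read_url("contosoimages", "public", "hero.png", timedelta(hours=1)))
```

For this to work, the issuing identity needs the Storage Blob Delegator role on the account (to call Get User Delegation Key) plus a data-plane role such as Storage Blob Data Reader on the container; a SAS signed this way cannot grant more than that role allows, which is the point of the feature. In a real service, fetch the delegation key once and reuse it for many SAS tokens until it nears expiry, rather than calling the service on every request.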
User delegation SAS tokens are now supported for use with production workloads, and are available in all clouds and all regions of Azure.