DEV Community

Emmanuel

Azure Management Task: Locking Down Your Storage #Part 3

In this third installment, we are going to get hands-on with Azure Storage. We will walk through the practical steps of managing containers and file shares and, most importantly, securing access to the files within them.

Task 1: Creating a Storage Container

We need a place to store our files. In Azure Storage, a container is like a folder that holds your blobs.

Navigate to your Storage Account: From the Azure portal home page, type "storage accounts" in the search box and select it from the results. Click on the storage account you created in the earlier preparation exercise. It should be linked to your resource group, like guided-project-rg.

Add a Container: On your storage account's blade, locate the Data storage section in the left-hand menu, then select Containers.

Create It: Click on the + Add button. A new pane will appear. Give your container a name, for example, storage-container.

Uploading a File
Now that we have a container, find any image file on your computer (or download one from the internet). Click on your newly created container, storage-container.

Select Upload and browse to your chosen image file. Once uploaded, you will see it in the list.

Task 2: Changing the Access Tier for a Blob

Azure offers different access tiers to help you optimize costs based on how frequently you access your data.

Hot: Optimized for data that is accessed frequently.

Cool: For data that is infrequently accessed and stored for at least 30 days.

Cold: For data that is rarely accessed and stored for at least 90 days.

Archive: For data that is very rarely accessed and stored for at least 180 days.

For our test file, it doesn't need to be in the Hot tier. Let us move it to Cold. Inside your storage container, click on the uploaded file's name (which is a hyperlink). On the file's overview page, select the Change tier button.


A pane will slide out. Select Cold and click Save.

You have just successfully changed the access tier for an individual blob. Remember, you can also set a default tier at the storage account level to apply to all new blobs.

Task 3: Creating and Managing a File Share

Azure Files provides fully managed file shares in the cloud, accessible via the Server Message Block (SMB) protocol. It's perfect for lifting and shifting legacy applications or creating shared drives for your team.

Let us create one: Go back to your storage account's main blade.

Under the Data storage menu, select File shares.

Click on + File share.

On the "Basics" tab, name your file share file-share.

Move to the Backup tab and uncheck the "Enable backup" box (since this is just a test). Click Review + create, then Create.

Once created, navigate into your new file share and click the Upload button to upload the same image (or a different one) you used earlier for the blob.

Task 4: The Power of Shared Access Signatures (SAS)

Azure offers Shared Access Signatures (SAS). A SAS grants restricted access rights to your storage resources. You can control the permissions, the protocol, and the time window for which the access is valid. This is the core of our management task today.

Generating a SAS URL

From your storage account, select Storage browser from the left-hand menu. Expand Blob containers and select your storage container.

Locate the image you uploaded, and click the ellipsis (...) at the end of its row. From the dropdown menu, select Generate SAS.

Customizing Your SAS Token

A powerful pane will appear, allowing you to fine-tune exactly what access you're granting.

Signing method & key: Choose Account key. You can use either Key 1 or Key 2. Having two keys allows you to rotate them without downtime, as we'll see in a moment.

Stored access policy: Keep this as None for this exercise.

Permissions: For this example, we will grant only read permission. This means anyone with this link can see and download the file, but they can't modify it.

Start and expiry time: You can set a custom window. For learning, leave the defaults, but in a production scenario, always set the shortest time frame necessary.

Allowed protocols: Select HTTPS only for security.

Finally, click the Generate SAS token and URI button. You will see a Blob SAS URL appear. Copy this entire URL.

Testing the Link
Open a new private/incognito browser window or tab and paste the URL you just copied. You should see the image you uploaded displayed directly in the browser.

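This is the beauty of SAS tokens. You can share this link with anyone, and they will have time-limited access to your file. Anyone who holds the link gets exactly the access it encodes (here, read-only), so treat the URL itself as a credential.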
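Before a Blob SAS URL leaves your hands, you can check it against the settings chosen in this task. The following is an added example, not part of the original walkthrough: it reads the standard SAS query parameters (sp, st, se, spr, si, sig) and reports anything looser than read-only, HTTPS-only and short-lived. The one-hour limit, the account name and the signature in the sample are assumptions made up for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # assumed local policy, not an Azure limit

def parse_sas_time(value):
    """Parse the ISO 8601 UTC forms a SAS accepts for st/se."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas_url(url, now):
    """Return findings for a blob SAS URL. The sig value is never echoed."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    # spr: allowed protocols; when absent the service default is https,http
    if q.get("spr", "https,http") != "https":
        findings.append("spr allows HTTP: choose HTTPS only")
    # sp: permission letters; the walkthrough grants read (r) only
    extra = sorted(set(q.get("sp", "")) - {"r"})
    if extra:
        findings.append("sp grants more than read: " + "".join(extra))
    # se: expiry; st: optional start (valid immediately when omitted)
    if "se" in q:
        expiry = parse_sas_time(q["se"])
        start = parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("already expired")
        elif expiry - max(start, now) > MAX_LIFETIME:
            findings.append("remaining lifetime exceeds policy")
    # si: stored access policy; an account-key SAS without one can only be
    # revoked early by rotating the key that signed it
    if "si" not in q:
        findings.append("no stored access policy: revocation requires key rotation")
    return findings

# Constructed sample (account name and signature are placeholders)
SAMPLE = ("https://exampleaccount.blob.core.windows.net/storage-container/photo.png"
          "?sp=r&st=2025-01-01T10%3A00%3A00Z&se=2025-01-01T18%3A00%3A00Z"
          "&spr=https&sv=2022-11-02&sr=b&sig=PLACEHOLDER")

if __name__ == "__main__":
    for finding in audit_sas_url(SAMPLE, datetime(2025, 1, 1, 10, 5, tzinfo=timezone.utc)):
        print("-", finding)
```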

Task 5: The Art of Revocation - Rotating Access Keys

A SAS token is secure, but what happens if it gets into the wrong hands, or if someone leaves the company? While you could wait for the expiry time, what if you need to revoke access immediately?

A SAS token signed with an account key is tied to that key. If you regenerate or rotate the storage account key, the SAS token becomes invalid instantly.

Let's see this in action: Go back to your storage account's main blade.

Expand the Security + networking section in the left-hand menu and select Access keys.

For Key 1, click the Rotate key button.

Read the warning carefully. Regenerating a key will invalidate all tokens and apps using that key. Click Yes to confirm.

Once you see the success message, go back to the browser tab where you pasted the SAS URL and refresh the page.

You should be greeted with an error, something like "AuthenticationFailed." The link is now dead. You have successfully revoked access!

Takeaway: This ability to instantly revoke access is why Azure provides two keys. You can rotate Key 1, while all your critical applications use Key 2. Then, you can update those applications to use the new Key 1 and later rotate Key 2 without any downtime. This is a best practice for managing secure access in production.
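Why rotation kills the link, and what else it takes down with it, is easier to see in a small model. This is an added example, not Azure's code: a SAS signature is an HMAC-SHA256 computed with the account key, but the string-to-sign here is simplified, and the class name, field list and sample values are assumptions for illustration.

```python
import base64, hashlib, hmac, os

class StorageAccountModel:
    """Toy stand-in for a storage account with two signing keys."""

    def __init__(self):
        self.keys = {"key1": os.urandom(64), "key2": os.urandom(64)}

    def rotate(self, name):
        self.keys[name] = os.urandom(64)  # old key material is gone for good

    def sign(self, name, fields):
        # Simplified string-to-sign; the real one has more fields in a fixed order
        msg = "\n".join(fields).encode()
        digest = hmac.new(self.keys[name], msg, hashlib.sha256).digest()
        return base64.b64encode(digest).decode()

    def accepts(self, fields, sig):
        # The token carries no key name, so the model tries every current key
        return any(hmac.compare_digest(self.sign(n, fields), sig) for n in self.keys)

def rotation_demo():
    account = StorageAccountModel()
    shared = ["r", "2025-01-01T18:00:00Z", "/storage-container/photo.png", "https"]
    other = ["r", "2025-01-02T00:00:00Z", "/storage-container/report.pdf", "https"]
    sig_shared = account.sign("key1", shared)   # the link pasted in the browser
    sig_other = account.sign("key1", other)     # a second token from the same key
    sig_app = account.sign("key2", shared)      # an application pinned to Key 2

    result = {"before": account.accepts(shared, sig_shared)}
    # Editing the permission field without re-signing does not verify
    result["edited_to_rw"] = account.accepts(["rw"] + shared[1:], sig_shared)
    account.rotate("key1")
    result["shared_after"] = account.accepts(shared, sig_shared)
    result["other_after"] = account.accepts(other, sig_other)
    result["key2_after"] = account.accepts(shared, sig_app)
    return result

if __name__ == "__main__":
    for name, ok in rotation_demo().items():
        print(f"{name:13} {'accepted' if ok else 'AuthenticationFailed'}")
```

Rotation is a blunt tool: every token signed with Key 1 fails, not only the one you wanted to revoke, while tokens signed with Key 2 keep working.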

In just 12 minutes, you have accomplished a lot:

You created a blob container and uploaded a file.

You learned how to manage costs by changing the access tier of a blob.

You set up a file share, demonstrating the versatility of Azure Storage.

Most importantly, you created and used a Shared Access Signature (SAS) to share a file securely.

Finally, you learned the critical skill of rotating access keys to instantly revoke permissions.

Controlling access is a fundamental skill for any Azure administrator. It is not just about granting permissions, but about understanding the tools to manage and revoke them securely.

See you in part 4 of this series. If you have questions, let me know. I would be happy to help.
