
Need to share data hosted in Azure Storage? With two very different options for granting access, you may ask "which option is best?". It pays to know your options, and the capabilities (or limitations) of each.

Shared Keys

Shared Key is exactly what it sounds like: a key (in cryptographic terms, a string of bits used by an algorithm) that you share with those to whom you would like to delegate access. This is equivalent to giving root access to a storage account. It grants all privileges to whoever has the key, from anywhere, at any time, until the key is revoked or rolled over.

HOW-TO: Authorize with Shared Key

Shared Access Signatures (SAS)

Shared Access Signatures allow you to scope duration, privileges, and even which IP addresses are allowed to connect. By distributing a shared access signature URI to a client, you grant them access to a resource for a specified period of time, with a specified set of permissions. You can scope access with an account-level SAS (one or more services in the storage account) or a service-level SAS, which delegates access to resources in just one service (Queues only, Files only, etc.). Additionally, a service SAS can reference a stored access policy, which provides an additional level of control over a set of signatures, including the ability to modify or revoke access to the resource if necessary. SAS is the route that offers the tightest control over access scope and duration.

HOW-TO: Delegating Access with a Shared Access Signature
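To make the difference between the two options concrete, here is an added example (not code from the original post, and not Azure's SDK or its exact string-to-sign layout) that models the SAS idea in pure Python: the issuer signs the delegated scope (permissions, start/expiry, optional source IP range, and the target resource) with the account key using HMAC-SHA256, and the service re-derives the signature and enforces every constraint before serving a request. The account key, resource path, IP addresses and timestamps are all constructed for the demo. Contrast this with a Shared Key, where possession of the key alone grants everything and there is nothing to scope or check.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed demo account key (base64, like an Azure key); not a real key.
ACCOUNT_KEY_B64 = base64.b64encode(b"constructed-demo-key-not-real-0123456789").decode()

# Query parameters that are covered by the signature, in a fixed order.
# This is a simplified model of Azure's string-to-sign, not its exact layout.
SIGNED_FIELDS = ("sp", "st", "se", "sip")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(ts):
    return ts.strftime(TIME_FMT)


def _parse(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def _sign(resource, params):
    # HMAC-SHA256 over the resource path plus every signed field, keyed with
    # the decoded account key. Any change to a signed field breaks the MAC.
    key = base64.b64decode(ACCOUNT_KEY_B64)
    msg = "\n".join([resource] + [params.get(f, "") for f in SIGNED_FIELDS]).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def issue_sas(resource, permissions, valid_for, allowed_ip=None, now=None):
    """Issuer side: build the SAS query string for exactly one resource."""
    now = now or datetime.now(timezone.utc)
    params = {"sp": permissions, "st": _fmt(now), "se": _fmt(now + valid_for)}
    if allowed_ip:
        params["sip"] = allowed_ip  # single IP or "lo-hi" range
    params["sig"] = _sign(resource, params)
    return urlencode(params)


def _ip_allowed(sip, client_ip):
    lo, _, hi = sip.partition("-")
    client = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(lo) <= client <= ipaddress.ip_address(hi or lo)


def check_sas(resource, query, wanted_permission, client_ip, now=None):
    """Service side: verify the signature, then enforce each delegated limit.

    Returns "ok" or a "denied: ..." reason string.
    """
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(query).items()}
    presented_sig = params.pop("sig", "")
    # Signature check first: the service knows which resource the request
    # targets, so a token minted for another path fails here too.
    if not hmac.compare_digest(presented_sig, _sign(resource, params)):
        return "denied: bad signature"
    if not (_parse(params["st"]) <= now < _parse(params["se"])):
        return "denied: outside validity window"
    if wanted_permission not in params["sp"]:
        return "denied: permission not granted"
    if "sip" in params and not _ip_allowed(params["sip"], client_ip):
        return "denied: source IP not allowed"
    return "ok"


if __name__ == "__main__":
    issued = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    res = "/blob/demoacct/reports/q2.csv"  # constructed resource path
    q = issue_sas(res, "r", timedelta(hours=1), "203.0.113.5", now=issued)
    print(q)
    print(check_sas(res, q, "r", "203.0.113.5", now=issued + timedelta(minutes=5)))
    print(check_sas(res, q, "w", "203.0.113.5", now=issued + timedelta(minutes=5)))
```

The order of checks matters: the signature is verified before any field is trusted, so a client cannot widen `sp` or push out `se` in the URI, and a token issued for one blob does not validate against another. Revocation in this model is what it is in Azure: the token dies at `se`, or immediately if the account key is rolled, which is why short lifetimes (or a stored access policy) are the practical control.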

Which is best?

Given the choice between these two generally available (GA) mechanisms, you should almost always take the route of Shared Access Signatures.

Option 3: Azure AD Authentication (in Preview)

There is a new method, currently in preview, that allows using Azure AD to grant authorization. Unfortunately it's only supported for the Blob and Queue services, so if you use Table Storage, this won't help. For the services it supports, it's no doubt going to become the preferred method of granting access.

Azure Data Plane security: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#data-plane-security
Authenticate access to Azure Storage using Azure Active Directory (Preview): https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad

So, next time you need to grant storage access to a developer, or a partner, or customer, choose the most secure option that supports the storage services you need to share.