Use a Stored Access Policy
Updated: June 12, 2012
A stored access policy provides an additional level of control over shared access signatures on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.
A stored access policy gives you greater control over shared access signatures you have released. Instead of specifying the signature's lifetime and permissions on the URL, you can specify these parameters within the stored access policy stored on the blob, container, queue, or table that is being shared. To change these parameters for one or more signatures, you can modify the stored access policy, rather than reissuing the signatures. You can also quickly revoke the signature by modifying the stored access policy.
For example, suppose you have issued a shared access signature that's associated with a stored access policy. If you've specified the expiry time within the stored access policy, you can modify the access policy to extend the life of the signature, without having to reissue a new signature.
Best practices recommend specifying a stored access policy for any signed resource for which you are issuing a shared access signature, as the stored policy can be used to modify or revoke the signature after it has been issued. If you don't specify a stored policy, it's recommended that you limit the lifetime of your signature in order to minimize any risk to your storage account resources. For more information, see Creating a Shared Access Signature.
Associating a Shared Access Signature with a Stored Access Policy
A stored access policy includes a name up to 64 characters long that is unique within the container, queue, or table. To associate a shared access signature with a stored access policy, you specify this identifier when creating the shared access signature. On the shared access signature URI, the signedidentifier field specifies the identifier for the stored access policy.
A container, queue, or table can include up to 5 stored access policies. Each policy can be used by any number of shared access signatures.
|When you establish a stored access policy on a container, queue, or table, it may take up to 30 seconds to take effect. During this interval, a shared access signature that is associated with the stored access policy will fail with status code 403 (Forbidden), until the access policy becomes active.|
Specifying Access Policy Parameters for a Shared Access Signature
The stored access policy can specify the following access policy parameters for the signatures with which it's associated:
Depending on how you want to control access to your storage resource, you can specify all of these parameters within the stored access policy, and omit them from the URL for the shared access signature. Doing so permits you to modify the associated signature's behavior at any time, as well as to revoke it. Or you can specify one or more of the access policy parameters within the stored access policy, and the others on the URL. Finally, you can specify all of the parameters on the URL. In this case, you can use the stored access policy to revoke the signature, but not to modify its behavior.
Together the shared access signature and the stored access policy must include all fields required to authenticate the signature. If any required fields are missing, the request will fail with status code 403 (Forbidden). Likewise, if a field is specified both in the shared access signature URL and in the stored access policy, the request will fail with status code 403 (Bad Request). See Creating a Shared Access Signature for more information about the fields that comprise the signature.
Modifying or Revoking a Stored Access Policy
To revoke access to shared access signatures that use the same stored access policy, remove the stored policy from the storage resource by overwriting the stored policy list with a new list that does not contain the policy name. To change access settings of a stored access policy, overwrite the stored policy list with a new list that contains a policy of the same name that has new access control details.