“Disabling key-based access” for Azure storage does not completely disable key-based access for Azure storage
I recently worked with a customer who was slightly confused why they were seeing “DelegationSas” being used (in resource logs) to access Azure storage resources, even though they thought they had disabled key-based access!
I had to explain to them that “disabling key-based access” for Azure storage does not disable ALL key-based access for Azure storage.
Azure storage supports both key-based access and identity-based access. Key-based access is either via one of the two auto-generated, long-lived access keys or via a temporary SAS token.
The main use case for SAS tokens is to limit the scope of access for clients that cannot be trusted with the access keys but this can also be leveraged to open backdoors to Azure storage resources (by generating a long lived SAS token). This is difficult to detect because information on the attributes of generated SAS tokens is not properly logged either in activity or resource logs.
Azure storage supports three types of SAS tokens. Account SAS and Service SAS tokens are signed with one of the storage account access keys. User Delegation SAS tokens are signed with a dynamically generated User Delegation Key, which is obtained using an Azure AD credential. Account and Service SAS have an unbounded validity period; User Delegation SAS has a maximum validity period of 7 days (which is still plenty of time).
The best practice is to disable key-based access, and most people do this by setting the configuration allow-shared-key-access to false. This can be done from the portal or via Azure CLI.
Portal: Storage Account → Settings → Configuration → Allow storage account key access
CLI: az storage account update -n $account_name -g $resource_group --allow-shared-key-access false
Either of these disables use of the access keys and of the SAS tokens signed with them, i.e. Service SAS and Account SAS. It does NOT disable User Delegation SAS! The image below shows a successful request using a User Delegation SAS token even though key-based access is already disabled.
To block User Delegation SAS, you need to exclude or deny the following permission in RBAC: Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
The following built-in roles have this permission:
"Owner"
"Contributor"
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Blob Delegator"
When this is done, attempts to obtain a user delegation key to sign the SAS will result in the following authorization error:
I also hope the Azure storage team can improve the wording of the warning displayed in the portal when key-based access is disabled. This will go a long way for better customer awareness.
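To check which role definitions in a tenant actually grant the generateUserDelegationKey action listed above (including roles that get it through a wildcard such as Owner's "*", and custom roles that carve it out via NotActions), here is an added example; it is not code from the post, the role definitions in it are constructed and abridged, and it assumes the JSON shape returned by `az role definition list`.

```python
import fnmatch

# Control-plane action named in the post: it lets a principal obtain a
# user delegation key and therefore mint a User Delegation SAS.
GENERATE_UDK = "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"


def _matches(action, patterns):
    """Azure RBAC action strings are case-insensitive and '*' spans '/' segments."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def grants_action(role, action=GENERATE_UDK):
    """True if some permission block's Actions allow `action` and its NotActions
    do not carve it out. `role` follows the `az role definition list` shape:
    {"roleName": ..., "permissions": [{"actions": [...], "notActions": [...]}]}."""
    for perm in role.get("permissions", []):
        allowed = _matches(action, perm.get("actions", []))
        excluded = _matches(action, perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def roles_granting(roles, action=GENERATE_UDK):
    """Names of the roles that grant `action`; review assignments of these."""
    return [r["roleName"] for r in roles if grants_action(r, action)]


# Constructed, abridged role definitions for illustration only; export the real
# ones from your tenant with `az role definition list`.
SAMPLE_ROLES = [
    {"roleName": "Owner", "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Storage Blob Delegator",
     "permissions": [{"actions": [GENERATE_UDK], "notActions": []}]},
    {"roleName": "Storage Blob Data Reader",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                                  GENERATE_UDK], "notActions": []}]},
    # Custom role that excludes the action, as the post recommends (constructed).
    {"roleName": "Blob Reader No Delegation",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/*"],
                      "notActions": [GENERATE_UDK]}]},
    {"roleName": "Reader", "permissions": [{"actions": ["*/read"], "notActions": []}]},
]

if __name__ == "__main__":
    print(roles_granting(SAMPLE_ROLES))
```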
NOTE: If you’re interested in learning more about Azure Security, I provide Azure security training to organizations all over the world. Please reach out at david@chariscloud.com