How can we improve Azure Storage?

Manage SAS Token by Name and Include in Audit Logs

Give SAS tokens a name when generating, then:
- allow report/table of all generated tokens
- allow revoke of existing token (or modification of access)
- use the SAS token name in storage audit logs

At the moment, the storage access logs do not show any useful information about who has made access, and this is critical to a practical audit function.

3 votes
    Ben Hatton shared this idea

    Thank you for your feedback. Currently you can use a stored access policy to manage revocation of an existing token. You are also able to track requests made using an existing stored access policy in the storage account logs. See https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1#controlling-a-sas-with-a-stored-access-policy for more details. For any further questions, or to discuss your specific scenario, send us an email at azurestoragefeedback@microsoft.com.

    1 comment

      • Ben Hatton commented

        Thanks for the feedback. It looks like the SAS Policy is present in the "si" parameter of the query, and this is getting logged when it is provided in the URL. I am connecting via Logic App which does not seem to (anymore?) permit a connection using a SAS, only with account key, so that won't work in my specific situation.
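
The comment above notes that the stored access policy name is logged in the `si` query parameter. This added example (not part of the original thread and not Microsoft's code) groups logged requests by that policy and separates out SAS requests that carry no policy. The log lines are constructed, and the field positions (authentication type at index 7, quoted request URL at index 11) are assumed from the classic Storage Analytics log layout.

```python
import csv
import html
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, trimmed to the first 12 fields. Account, container
# and policy names are made up. Assumed layout: field 7 = authentication type,
# field 11 = quoted request URL (with '&' logged as '&amp;').
SAMPLE_LOG = '''\
1.0;2024-01-10T09:00:01.0000000Z;GetBlob;SASSuccess;200;12;10;sas;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/reports/a.csv?sv=2019-02-02&amp;si=partner-read&amp;sr=c&amp;sig=XXXXX"
1.0;2024-01-10T09:00:05.0000000Z;GetBlob;SASSuccess;200;11;9;sas;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/reports/b.csv?sv=2019-02-02&amp;si=partner-read&amp;sr=c&amp;sig=XXXXX"
1.0;2024-01-10T09:01:00.0000000Z;GetBlob;SASSuccess;200;14;12;sas;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/reports/a.csv?sv=2019-02-02&amp;sp=r&amp;se=2024-02-01T00%3A00%3A00Z&amp;sr=b&amp;sig=XXXXX"
1.0;2024-01-10T09:02:00.0000000Z;PutBlob;Success;201;30;25;authenticated;exampleacct;exampleacct;blob;"https://exampleacct.blob.core.windows.net/reports/c.csv"
1.0;2024-01-10T09:03:00.0000000Z;PutBlob;SASSuccess;201;28;20;sas;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/ingest/d.csv?sv=2019-02-02&amp;si=etl-write&amp;sr=c&amp;sig=XXXXX"
'''

def sas_policy(log_line):
    """Return (auth_type, policy) for one log line; policy is None without 'si'."""
    # csv honours the quotes, so ';' inside the logged URL does not split the field.
    fields = next(csv.reader([log_line], delimiter=";", quotechar='"'))
    auth_type = fields[7]
    url = html.unescape(fields[11])  # turn '&amp;' back into '&'
    query = parse_qs(urlsplit(url).query)
    return auth_type, query.get("si", [None])[0]

def summarize(log_text):
    """Count requests per stored access policy; bucket the rest by auth type."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        auth_type, policy = sas_policy(line)
        if policy:
            counts[f"policy:{policy}"] += 1
        elif auth_type.lower() == "sas":
            counts["ad-hoc-sas"] += 1  # no 'si': not tied to a stored access policy
        else:
            counts[f"auth:{auth_type}"] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key}\t{n}")
```

Requests in the `auth:authenticated` bucket, such as account-key access, carry no `si` value and so cannot be attributed to a policy this way.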
