Cannot turn on Updata and Process on Premium storage SAS

P, John 200 Reputation points
2024-08-13T21:58:32.66+00:00

I create a premium storage account and try to add Shared access signature. In the allowed permissions, I cannot turn on "Update" and "Process" selection. See Screenshot 2024-08-13 at 2.48.42 PM.jpg. But I have no problem to turn on both on standard hot tier storage. How can I fix the issue? Thanks!

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,485 questions
0 comments No comments
{count} votes

Accepted answer
  1. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-08-14T12:54:46.39+00:00

    Hello P, John,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you’re encountering a specific issue with configuring the Shared Access Signature (SAS) in your premium storage account.

    Premium storage accounts might have different capabilities compared to standard hot tier storage accounts. Ensure that the premium storage account supports the permissions you need as listed below,

    • Allowed Service: Blob
    • Allowed Resource Types: Object (Service & Container may also be required)
    • Allowed Permissions: Read, Write, Create

    If there are other actions that allow you to browse and create/list Azure storage blob containers in the Azure Portal, then the allowed permissions and allowed resource types will need to include the additional scope. More information about Blob Service operations and permissions, which details the specific information you are looking for.

    For general information about Shared Access Signatures, please see: Grant limited access to Azure Storage resources using shared access signatures (SAS)

    • Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
    • Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
    • Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files(e.g. Put Blob, Query Entity, Get Messages, Create File, etc.)
    • You can combine values to provide access to more than one resource type. For example, srt=sc specifies access to service and container resources.

    How to check if SAS was issued to someone previously? It can't be checked because after the dedicated time and date it expires

    If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account. If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

    For more information: Refer to best practices when using SAS

    Required. Specifies the signed permissions for the account SAS. Permissions are only valid if they match the specified signed resource type; otherwise they are ignored.

    • Read (r): Valid for all signed resources types (Service, Container, and Object). Permits read permissions to the specified resource type.
    • Write (w): Valid for all signed resources types (Service, Container, and Object). Permits write permissions to the specified resource type.
    • Delete (d): Valid for Container and Object resource types, except for queue messages.
    • List (l): Valid for Service and Container resource types only.
    • Add (a): Valid for the following Object resource types only: queue messages, table entities, and append blobs.
    • Create (c): Valid for the following Object resource types only: blobs and files. Users can create new blobs or files but may not overwrite existing blobs or files.
    • Update (u): Valid for the following Object resource types only: queue messages and table entities.
    • Process (p): Valid for the following Object resource type only: queue messages.

    Hope this helps!

    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. P, John 200 Reputation points
    2024-08-14T21:55:52.89+00:00

    Thanks for the detailed explanation. I don't realize that Update & Process permissions are for queue and table only. The premium storage I created is BlockBlobStorage kind, not storageV2.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.