Hello P, John,
Greetings! Welcome to Microsoft Q&A Platform.
I understand that you’re encountering a specific issue with configuring the Shared Access Signature (SAS) in your premium storage account.
Premium storage accounts might have different capabilities compared to standard hot tier storage accounts. Ensure that the premium storage account supports the permissions you need as listed below,
- Allowed Service: Blob
- Allowed Resource Types: Object (Service & Container may also be required)
- Allowed Permissions: Read, Write, Create
If there are other actions that allow you to browse and create/list Azure storage blob containers in the Azure Portal, then the allowed permissions and allowed resource types will need to include the additional scope. More information about Blob Service operations and permissions, which details the specific information you are looking for.
For general information about Shared Access Signatures, please see: Grant limited access to Azure Storage resources using shared access signatures (SAS)
- Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
- Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
- Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files(e.g. Put Blob, Query Entity, Get Messages, Create File, etc.)
- You can combine values to provide access to more than one resource type. For example, srt=sc specifies access to service and container resources.
How to check if SAS was issued to someone previously? It can't be checked because after the dedicated time and date it expires
If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account. If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.
For more information: Refer to best practices when using SAS
Required. Specifies the signed permissions for the account SAS. Permissions are only valid if they match the specified signed resource type; otherwise they are ignored.
- Read (r): Valid for all signed resources types (Service, Container, and Object). Permits read permissions to the specified resource type.
- Write (w): Valid for all signed resources types (Service, Container, and Object). Permits write permissions to the specified resource type.
- Delete (d): Valid for Container and Object resource types, except for queue messages.
- List (l): Valid for Service and Container resource types only.
- Add (a): Valid for the following Object resource types only: queue messages, table entities, and append blobs.
- Create (c): Valid for the following Object resource types only: blobs and files. Users can create new blobs or files but may not overwrite existing blobs or files.
- Update (u): Valid for the following Object resource types only: queue messages and table entities.
- Process (p): Valid for the following Object resource type only: queue messages.
Hope this helps!
Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.