Hi there, I have store sas token value in key vault, but I can't know when token expires. So I will find this issue after the token expires. Is there any way to monitor when the token expires? Thanks zmsoft

Hi @zmsoft Welcome to Microsoft Q&A Forum. Thanks for posting your query here! In addition to above recommended solution from Amrinder Singh, we suggest you follow the below and give a try. Storage doesn't provide any inbuilt mechanism to notify for SAS expiry as storage doesn't stores any SAS it's end. This is because SAS is confidential data and as part of compliance, need to be maintained on the customer side only. So, you need to maintain or track the expiry from your side only or setting up monitoring through logs and alerts is essential. Additionally, you can track the token's expiration times manually or through automated scripts that check the expiration dates stored in your Key Vault. Which can be tracked through the scheduled tasks such as Azure Logic Apps, Azure Monitor Alerts. Hope the above solution helps in addressing your query. Please let us know if there are any further queries or issue still persists, we will be glad to assist you closer. Please do consider to "Accept the answer ” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Hi zmsoft - Thanks for reaching out over Q&A Forum. Storage doesn't track the number of shared access signatures that have been generated for a storage account, and no API can provide this detail hence, Storage doesn't even have visibility to all the expiry dates and can alert for them. There is a SE (SAS Expiry) parameter in the SAS URI which points to the Expiry date. While generating SAS, you can keep track of that from your side along with the SE parameter which shall point to the expiry date. However, since you are using Key Vault, you can leverage that for rotation as well. Hope that helps!

How to monitor data lake sas token expired?

Accepted answer

Hari Babu Vattepally 1,195 Reputation points Microsoft Vendor

2024-12-10T14:42:50.4533333+00:00

Hi @zmsoft

Welcome to Microsoft Q&A Forum. Thanks for posting your query here!

In addition to above recommended solution from Amrinder Singh, we suggest you follow the below and give a try.

Storage doesn't provide any inbuilt mechanism to notify for SAS expiry as storage doesn't stores any SAS it's end. This is because SAS is confidential data and as part of compliance, need to be maintained on the customer side only. So, you need to maintain or track the expiry from your side only or setting up monitoring through logs and alerts is essential.

Additionally, you can track the token's expiration times manually or through automated scripts that check the expiration dates stored in your Key Vault. Which can be tracked through the scheduled tasks such as Azure Logic Apps, Azure Monitor Alerts.

Hope the above solution helps in addressing your query.

Please let us know if there are any further queries or issue still persists, we will be glad to assist you closer.

Please do consider to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.

1 person found this answer helpful.
zmsoft 200 Reputation points

2024-12-12T00:52:11.13+00:00

Hi @Hari Babu Vattepally ,

Thanks for your response, I am very interested in the solution you mentioned. Could you tell me more about the details?

Thanks&Regards,

zmsoft

Hari Babu Vattepally 1,195 Reputation points Microsoft Vendor

2024-12-16T11:36:32.3166667+00:00

Hi @zmsoft

Apologies for delay in response. Here you can also achieve by implementing Azure Logic apps and Azure Monitor Alert services to automate workflows.

Azure Logic Apps can be used to automate the workflows which can track and monitor SAS token expiration. You can use a recurrence trigger to check the expiration time of the tokens daily. By adding an action to get secrets from the key vault and add a condition action to compare the current date with the token's expiration date. If the expiration date is within a specified threshold (e.g.: 5 days), send an email notification or trigger another action.

Azure Monitor Alert is another way to provide alerts based on various metrics. Once we create a new alert and set up the condition to monitor the expiration date of the SAS tokens. Then we need to configure the action groups: Create a action group to specify who gets notified, and action groups can include email, PUSH notifications or call a logic app or azure functions.

By implementing the above solution ensures that you have robust automated system for managing your SAS tokens.

Hope this helps.

If there are any further queries or issue still persist, feel free to contact. We will be glad to assist you closely.

Thanks!

Hari Babu Vattepally 1,195 Reputation points Microsoft Vendor

2024-12-17T12:26:31.56+00:00

Hi @zmsoft

Just following up to see if the above answer helped. Please do consider clicking Accept Answer as accepted answers help community as well. Also, please click on Yes for the survey 'Was the answer helpful'.

Hari Babu Vattepally 1,195 Reputation points Microsoft Vendor

2024-12-18T07:20:16.7+00:00

Hi @zmsoft

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to monitor data lake sas token expired?

1 additional answer

Your answer