There are multiple ways to allow external access to Azure storage accounts, some better (and more secure) than others. Today, I’d like to share with you 3 methods to access your storage accounts externally, as well as the preferred methods for doing so.
1. Access Keys
This is one way to allow access, but I don’t recommend it. Why? A storage account has only 2 access keys. If you hand one out, it becomes a problem later: when you have to change it, you’ll have to update everything that refers to that storage account. These keys should be used for applications or special use cases that you can manage accordingly.
If you share these access keys outside of the organization, this could create a problem, as you don’t want to have to go in and change them if you feel that a key has been compromised in some way.
2. Shared Access Signatures (SAS)
This is a much better option than sharing the keys. A SAS is designed to limit access to your storage account and to the containers it covers. Shared access signatures let you establish security at a more granular level than access keys. With this method, you can use one storage account, create multiple signatures, and grant each one specific access.
This works great when a company is sending you data and you want to store it somewhere and then give them secure access to your Azure environment. There are expiration properties, so you can allow access for a designated amount of time, or, if things change, it’s easy to kill the key and stop access.
3. Shared Access Policies
This is your best option for letting external entities get data into the storage account, and it is the easiest to manage. Shared access policies leverage shared access signatures and must be created with PowerShell. They are easily managed without creating a new SAS every time.
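To review the SAS URLs you have already handed out, the added example below (not code from the original post) parses the standard SAS query fields and reports whether each URL is tied to a policy (`si`) or carries its own expiry (`se`) and permissions (`sp`). The 7-day threshold, the finding codes, and the sample account, container, policy name and signature are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(days=7)  # assumed review threshold, not an Azure limit
BROAD_PERMS = set("wdc")          # write, delete, create
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_sas_time(value):
    """Parse the ISO 8601 UTC forms used in the st/se fields."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas_url(url, now):
    """Return a sorted list of finding codes for one SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["NOT_A_SAS"]
    # si names a policy stored on the container; without it the terms
    # (expiry, permissions) live only in the token itself.
    findings = {"POLICY_BACKED" if "si" in q else "AD_HOC"}
    if "se" in q:
        expiry = parse_sas_time(q["se"])
        if expiry <= now:
            findings.add("EXPIRED")
        elif expiry - now > MAX_LIFETIME:
            findings.add("LONG_LIVED")
    elif "si" not in q:
        findings.add("NO_EXPIRY")
    if BROAD_PERMS & set(q.get("sp", "")):
        findings.add("BROAD_PERMISSIONS")
    if q.get("spr", "https,http") != "https":  # spr defaults to https,http
        findings.add("HTTP_ALLOWED")
    return sorted(findings)

# Constructed sample URLs: account, container, policy name and sig are made up.
BASE = "https://examplestorage.blob.core.windows.net/inbound?sv=2022-11-02&sr=c"
AD_HOC_URL = BASE + "&sp=rwdl&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"
POLICY_URL = BASE + "&si=partner-upload&spr=https&sig=CONSTRUCTED"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for url in (AD_HOC_URL, POLICY_URL):
        print(audit_sas_url(url, now))
```

A policy-backed URL shows no expiry or permissions of its own because those live in the policy on the container, so check the policy itself when one is reported.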