
What is the difference between a SAS token (https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) and simply constructing an OAuth token via ClientSecretCredential in Azure?

    def auth_active_directory(self):
        # [START create_blob_service_client_oauth]
        # Get a token credential for authentication
        from azure.identity import ClientSecretCredential
        token_credential = ClientSecretCredential(
            self.active_directory_tenant_id,
            self.active_directory_application_id,
            self.active_directory_application_secret
        )

        # Instantiate a BlobServiceClient using a token credential
        from azure.storage.blob import BlobServiceClient
        blob_service_client = BlobServiceClient(account_url=self.oauth_url, credential=token_credential)
        # [END create_blob_service_client_oauth]

        # Get account information for the Blob Service
        account_info = blob_service_client.get_service_properties()

vs

    def auth_shared_access_signature(self):
        # Instantiate a BlobServiceClient using a connection string
        # (the connection string carries the account key, which is what signs the SAS)
        from azure.storage.blob import BlobServiceClient
        blob_service_client = BlobServiceClient.from_connection_string(self.connection_string)

        # [START create_sas_token]
        # Create a SAS token to use to authenticate a new client
        from datetime import datetime, timedelta, timezone
        from azure.storage.blob import ResourceTypes, AccountSasPermissions, generate_account_sas

        sas_token = generate_account_sas(
            blob_service_client.account_name,
            account_key=blob_service_client.credential.account_key,
            resource_types=ResourceTypes(object=True),
            permission=AccountSasPermissions(read=True),
            # timezone-aware UTC expiry; datetime.utcnow() is deprecated since Python 3.12
            expiry=datetime.now(timezone.utc) + timedelta(hours=1)
        )
        # [END create_sas_token]
        return sas_token
olaf

1 Answer

One key difference is that a SAS token is not tied to a user. Anybody who has that SAS token will be able to perform all operations allowed by that token.

On the other hand, an OAuth token is tied to the user for which you are acquiring it (a Service Principal in your case). With that token you will only be able to perform the operations permitted by the storage data roles assigned to that user.

Gaurav Mantri
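Because a SAS is a bearer credential (whoever holds it has exactly what its query parameters grant, until `se` passes or the signing account key is rotated), the parameters are the whole access-control decision and are worth checking before a token is handed out. The following is an added example, not code from the question, the answer, or the Azure SDK: a standard-library-only checker that parses an account SAS and flags anything beyond an assumed policy (one hour lifetime, read/list only, blob service only, object level only, HTTPS only, IP-restricted). The two sample tokens are constructed, their `sig` values are placeholders rather than real HMACs, and the policy limits are assumptions chosen for illustration; the parameter names (`sv`, `ss`, `srt`, `sp`, `st`, `se`, `spr`, `sip`, `sig`) are the documented account SAS fields.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample tokens (signatures are placeholders, not real HMACs).
# WIDE_SAS grants every service, every resource level, every permission,
# over HTTP as well as HTTPS, for a year, with no IP restriction.
WIDE_SAS = (
    "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx"
    "&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z"
    "&spr=https,http&sig=placeholder%3D"
)
# TIGHT_SAS is the shape the question's generate_account_sas call produces
# (blob only, object level, read only) with a short lifetime, HTTPS only and
# one allowed client IP added.
TIGHT_SAS = (
    "sv=2022-11-02&ss=b&srt=o&sp=r"
    "&se=2024-06-01T00:30:00Z&spr=https&sip=203.0.113.5&sig=placeholder%3D"
)


def parse_sas(sas: str) -> Dict[str, str]:
    """Split a SAS query string (leading '?' optional) into a flat dict."""
    return {k: v[0] for k, v in parse_qs(sas.lstrip("?"), keep_blank_values=True).items()}


def _utc(value: str) -> datetime:
    """SAS timestamps are ISO 8601 in UTC, e.g. 2024-06-01T00:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(sas: str, now_iso: Optional[str] = None,
              max_lifetime: timedelta = timedelta(hours=1),
              allowed_permissions: str = "rl") -> List[str]:
    """Return policy findings for a SAS; an empty list means it is within policy.

    now_iso lets callers evaluate the token at a fixed instant (tests, audits);
    by default the current UTC time is used.
    """
    fields = parse_sas(sas)
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    findings: List[str] = []

    if "sig" not in fields:
        findings.append("no sig parameter: not a SAS token")
    if "se" not in fields:
        findings.append("no expiry (se): valid until the account key is rotated")
    else:
        expiry = _utc(fields["se"])
        if expiry <= now:
            findings.append("already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"lifetime {expiry - now} exceeds policy {max_lifetime}")
    # sp: each letter is one permission (r read, w write, d delete, l list, ...)
    extra = set(fields.get("sp", "")) - set(allowed_permissions)
    if extra:
        findings.append("permissions beyond policy: " + "".join(sorted(extra)))
    # srt: s = service, c = container, o = object
    if set(fields.get("srt", "")) & {"s", "c"}:
        findings.append("grants service- or container-level access (srt=%s)" % fields.get("srt"))
    # ss: b = blob, f = file, q = queue, t = table
    if set(fields.get("ss", "")) - {"b"}:
        findings.append("grants services other than blob (ss=%s)" % fields.get("ss"))
    # spr defaults to https,http when absent, so absence is also a finding
    if fields.get("spr", "https,http") != "https":
        findings.append("plain HTTP permitted (spr=%s)" % fields.get("spr", "<absent>"))
    if "sip" not in fields:
        findings.append("no sip restriction: usable from any IP")
    return findings


if __name__ == "__main__":
    for name, token in (("WIDE_SAS", WIDE_SAS), ("TIGHT_SAS", TIGHT_SAS)):
        print(name, audit_sas(token, now_iso="2024-06-01T00:00:00Z") or "within policy")
```

The checker only reads what the token grants; it cannot tell whether `sig` is genuine, since verifying the HMAC needs the account key. That is the practical consequence of the answer: with a SAS, the grant travels with the string, whereas with the OAuth path the grant lives in the role assignments on the service principal and can be changed or revoked without touching the token.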