Narrator: Now we just saw how easy it was
to create a container and upload files into that container.
But when it comes to accessing those files,
we were getting this message, PublicAccessNotPermitted.
We were accessing the storage account by its endpoint,
and my computer has access to this endpoint.
So, how do we go about getting access to this file?
Well, first we have to understand this concept
of access keys.
So if we go back to the storage account,
out of Data storage and into Security,
we can look at Access keys.
When we set up this account,
we said we would use access key authentication
and not Entra ID.
You do have the option of having Entra ID and keys
or having only Entra ID.
So, this key is a very interesting process.
It is, in fact, a secret that anyone who has the secret
and access to the endpoint using networking
can have full administrative access
to the contents of your storage account.
So, they can add files, they can delete files,
they can read files.
If they have the key, they are in.
I'm gonna show you the key.
This right now, it's obscured,
but if I show it to you, this is our sequence of letters,
numbers, uppercase, lowercase, symbols;
that is impossible to guess or hack.
So, if I had public networking on,
and you had this key, you could access this storage account,
but I don't have public network access on.
Now, this is why it's extremely important
to keep your key a secret.
So, this is very much on a need-to-know basis.
The fewer the people that have access to this, the better.
Now, what happens if this somehow leaks?
Let's imagine you've hard-coded this into some code,
and then you publish the code to GitHub public repository.
That's happened.
And believe me, there are programs
scanning GitHub constantly, looking for the security keys.
So within minutes, if you were to publish code
with this key in it and the endpoint, within minutes,
this account would be hacked.
So, what happens?
Well, first thing you're gonna wanna do
is void the key.
So, that's called rotation, or regeneration.
So, as soon as I click this button saying Rotate key,
this key becomes invalid
and no one would be able to access this account using it.
Say Yes.
Now, do keep in mind
that if you are using this key for other purposes,
like an application, a script, some programmatic purpose,
then everything's invalid.
So, not only would the hackers' access be invalid,
but legitimate access would also be invalid.
So how do we avoid that?
Well, Microsoft gives us two keys.
The purpose of the key is to allow you to switch
to the second key before you regenerate the first.
So, the sequence of events would be,
once you realize this key has been hacked,
or you wanna regenerate it,
you switch all your legitimate programs to the second key,
republish them, ensure it's all working,
and only then you regenerate the first key.
And that way your programs are using the second key.
So this is why there's two keys,
and this is how you rotate them.
There is this ability to have a reminder.
So, let's say you want, every six months, to change the key,
or whatever the policy is that you want,
then that can be done right from here.
So, knowing this key is going to allow me,
programmatically using C# or any of the SDKs,
Python, to access the storage account.
But how are we gonna get access
to that video that I uploaded?
All right, what we're gonna do,
is we're gonna go back to Data storage.
Under Containers,
go into the container.
Now, instead of going, I'll say View first,
and so instead of taking the URL off of the Overview screen,
I'm going to choose Generate SAS.
Now, SAS stands for shared access signature,
and it's a more secure way of granting limited access
to your blob or your container.
Now you'll notice that it's using the key, Key number 1,
as a signing key.
You assign a permission.
So in this case, it's read-only permission
and it has a start date and time, and an end date and time.
Optionally, you could provide an IP address, even here.
And as well, you're gonna choose HTTPS only,
or to allow HTTP access.
So I'm gonna leave all the defaults,
and I'm gonna say Generate SAS token.
Now, there's two components to this. One is just the token.
So this token, you don't need to know this for the exam,
but it's a series of names and values
and you can see that sp=r,
clearly relates to the permissions.
And the st is the start time,
and the se is the end time.
So, it's sort of embedded
what you've selected into this thing.
The key part, of course, is it's signed.
So, there's a signature at the end
that the Key 1 has been used
to create this signature hashing, I guess,
of the entire text.
What I'm interested in is this URL, Blob SAS URL.
So, I'm gonna copy that.
Now we go back to the browser,
and we paste the URL that includes the SAS token,
and I hit Enter.
And now a video loads.
So, we have the read access during this period of time,
based on this URL.
There is a downside to this though.
So, I've created this SAS token.
There is no ability to revoke it.
So, there's no name for this. It's not saved anywhere.
As soon as I leave the screen,
this is all gone and forgotten.
The key is signed, the token is valid,
you're going to be given access.
So, let's say you've generated an SAS token,
it accidentally got leaked somewhere it shouldn't have.
How do you revoke it?
Well, you have to regenerate the key.
So, if the key is invalid,
then the token signature is invalid.
So, you go back to the Storage account,
under Security, under keys,
and regenerate the key.
With a regenerated key, this URL should no longer be valid.
If I open up a new browser,
place the SAS token, including the signature,
it says AuthenticationFailed.
It's a different error,
but the signature is being called out.
"Signature did not match."
So, that's the only way you can invalidate an SAS token,
is by invalidating the key.
In the next video,
we're gonna talk about stored access policies,
which will solve this particular problem.
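As an added illustration (not part of the narration and not Azure's own code), this Python models how a SAS token like the one generated above is built and checked: the sp/st/se fields travel in clear text, and sig is an HMAC-SHA256 over them keyed with Key 1. The string-to-sign layout follows the documented service SAS format for version 2020-12-06 as assumed here; the account, container, blob and keys are constructed values. It shows why editing the permission in the token fails, and why regenerating the key is what invalidates an already-issued token.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample values: hypothetical account, container and blob,
# plus a random 64-byte "Key 1" in the base64 form the portal displays.
ACCOUNT, CONTAINER, BLOB = "examplestorage", "videos", "demo.mp4"
KEY1 = base64.b64encode(secrets.token_bytes(64)).decode()
VERSION = "2020-12-06"

def string_to_sign(sp, st, se, version=VERSION):
    """Service SAS string-to-sign (assumed 2020-12-06 layout). With the
    portal defaults most fields are empty: identifier, IP, snapshot,
    encryption scope and the five response-header overrides."""
    resource = f"/blob/{ACCOUNT}/{CONTAINER}/{BLOB}"
    fields = [sp, st, se, resource, "", "", "https", version, "b",
              "", "", "", "", "", "", ""]
    return "\n".join(fields)

def sign(key_b64, text):
    """sig = Base64(HMAC-SHA256(Base64Decode(key), UTF8(string_to_sign)))."""
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def generate_sas(key_b64, sp="r", st="2024-01-01T00:00:00Z", se="2024-01-01T08:00:00Z"):
    """Build the query-string token 'Generate SAS' produces: every parameter
    is readable, only sig binds them to the key."""
    params = {"sp": sp, "st": st, "se": se, "spr": "https", "sv": VERSION, "sr": "b"}
    params["sig"] = sign(key_b64, string_to_sign(sp, st, se))
    return urlencode(params)

def verify_sas(token, current_key_b64):
    """What the service does per request: recompute the signature from the
    clear-text fields using the *current* key and compare."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    expected = sign(current_key_b64, string_to_sign(q["sp"], q["st"], q["se"], q["sv"]))
    return hmac.compare_digest(expected, q["sig"])

def demo():
    token = generate_sas(KEY1)
    valid = verify_sas(token, KEY1)                                   # read access works
    tampered = verify_sas(token.replace("sp=r&", "sp=rw&"), KEY1)    # edited permission fails
    rotated_key = base64.b64encode(secrets.token_bytes(64)).decode()  # 'Rotate key' in the portal
    after_rotation = verify_sas(token, rotated_key)                   # "Signature did not match"
    return valid, tampered, after_rotation
```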