Skip to Content

AZ-500: What Is the Difference Between a SAS Token and a Storage Account Key?

By: Author Alex Lim

Posted on

Categories AZ-500

Home » Exam » AZ-500 » AZ-500: What Is the Difference Between a SAS Token and a Storage Account Key?

Do SAS Tokens Provide Limited or Root Access to Azure Storage Accounts?

Prepare for the AZ-500 exam by learning the critical distinction between SAS tokens and storage account keys. Understand how SAS provides granular, time-bound delegated access, unlike the full root permissions of an account key.

Question

SAS tokens provide root access to an Azure Storage account until the key is revoked or rolled.

A. FALSE
B. TRUE

Answer

A. FALSE

Explanation

This describes Shared Keys. SAS tokens are limited to a specific span of time.

The statement is false because it accurately describes a storage account access key (also known as a shared key), not a Shared Access Signature (SAS) token. A SAS token provides limited, delegated access to resources within a storage account, not root-level permissions.

Shared Access Signature (SAS) Tokens: These are designed to grant granular and temporary access to specific storage resources. A SAS token is a signed URI that includes specific parameters defining what the client is allowed to do. These parameters include:

  • Permissions: Defines the allowed operations, such as read, write, delete, or list.
  • Expiry Time: A mandatory end time and date after which the token becomes invalid.
  • Scope: Restricts access to a specific service (blob, file, queue), a container, or even a single object like an individual blob.
  • IP Restrictions: Can be configured to only allow requests from a specific IP address or range.

Storage Account Access Keys: These provide full administrative permissions, equivalent to root access, for the entire storage account. Anyone who possesses an account key can perform any action on any resource within that account, including reading, writing, and deleting all data. These keys do not expire automatically and remain valid until they are manually regenerated or “rolled.” The description in the question—providing root access until revoked—is a perfect definition of an account access key’s function.

Microsoft Certified Azure Security Engineer Associate AZ-500 certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Microsoft Certified Azure Security Engineer Associate AZ-500 exam and earn Microsoft Certified Azure Security Engineer Associate AZ-500 certification.