Do not use account shared access signature
Do not use account shared access signature
Microsoft docsDescription
An account SAS can delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS. However, it doesn't support container-level policies and has less flexibility and control over the permissions that are granted. If possible, use a service SAS for fine grained access control. For more information, see Delegate access with a shared access signature.
Cause
Generating an account Shared Access Signature (SAS) with the GetSharedAccessSignature method under the Microsoft.WindowsAzure.Storage namespace.
How to fix violations
Use a service SAS instead of an account SAS for fine grained access control and container-level access policy.
Example
using System;
using Microsoft.WindowsAzure.Storage;
class ExampleClass
{
public void ExampleMethod(SharedAccessAccountPolicy policy)
{
CloudStorageAccount cloudStorageAccount = new CloudStorageAccount();
cloudStorageAccount.GetSharedAccessSignature(policy);
}
}
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.File;
class ExampleClass
{
public void ExampleMethod(StorageCredentials storageCredentials, SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string groupPolicyIdentifier, IPAddressOrRange ipAddressOrRange)
{
CloudFile cloudFile = new CloudFile(storageCredentials);
SharedAccessProtocol protocols = SharedAccessProtocol.HttpsOnly;
cloudFile.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, protocols, ipAddressOrRange);
}
}When to suppress
It is safe to suppress this rule if you're sure that the permissions of all resources are as restricted as possible.