-
Stores & manages storage services.
- 💡 Managed Disks for Virtual Machine disk storage does not need a storage account.
-
Types
Type of Account Services Supported Types of Blobs supported General Purpose Standard Blob, File, Queue services Block blobs, Page blobs and Append blobs General Purpose Premium Blob service Page blobs Blob Storage (hot and cool access tiers) Blob service Block blobs and Append blobs
- Access is controlled by Storage Account Keys
- There are primary and secondary to allow for key refreshes whilst maintaining access.
- If you have the key, you have access to the account and all the data in the account.
- Provided for blob storage at the time of creation; the container can be public, private or read-only.
-
Public read access policy
- Controls what data is available anonymously for your container
- Setting can be Container, Blob or Off.
Setting Individual blobs and their properties can be accessed Blobs can be enumerated Container ✔️ ✔️ Blob ✔️ ❌ Off ❌ ❌
-
- 💡 Use for:
- Management functions on Storage Account
- Storage account keys
- A URI that grants restricted access rights to containers, blobs, queues,and tables.
- For delegations, not resources.
- Access is for specified specified period of time, with a specified set of permissions.
- All information is described in URI.
- E.g. GET
https://[account].blob.core.windows.net/pictures/profile.jpg?sv=2012-02-12&st=2009-02-09&se=2009-02-10&sr=c&sp=r&si=YWJjZGVmZw%3d%3d&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d- The signature is using version 2012-02-12 of the storage API; it allows read access is beginning from 02/09/09 to 02/10/09 to the container.
- E.g. GET
- You can grant following:
- Content: Reading and writing page or block blob content, block lists, properties, and metadata
- Deleting: Deleting, leasing, and creating a snapshot of a blob
- Listing: Listing the blobs within a container
- CRUD
- Adding, removing, updating, and deleting queue messages
- Querying, adding, updating, deleting, and upserting table entities
- Metadata: Getting queue metadata, including the message count
- Copying: Copying to a blob from another blob within the same account
- A shared access policy adds the ability to revoke, expire or extend access.
- Settings defined in a server-stored policy can be changed and are reflected in the token without requiring a new token to be issued, but settings defined in the token itself cannot be changed without issuing a new token.
- This approach also makes it possible to revoke a valid SAS token before it has expired.
- To revoke a stored access policy, you can either delete it or rename it by changing the signed identifier.
- ❗ A maximum of five access policies may be set on a container, table, or queue at any given time.
- Locally redundant storage (LRS)
- Replicated three times across two to three facilities, either within a single region or across two regions
- Do not protect from the failure of a single facility.
- Zone-redundant storage (ZRS)
- Replicated three times across two to three facilities, either within a single region or across two regions.
- Geo-redundant storage (GRS)
- Replicated three times within the primary region, and is also replicated three times in a secondary region hundreds of miles away from the primary region.
- Replicates asynchronously
- Means replica is eventually consistent and could possibly have older data if you access the replica before the replication
- Read access geo-redundant storage (RA-GRS)
-
Provides read-only access to primary location on top of GRS.
Replication LRS ZRS GRS RA-GRS Data stored in multiple datacenters No Yes Yes Yes Data read from secondary & primary location No No No Yes No of copies of data stored in separate nodes 3 3 6 6
-