Topic: AZ-104 topic 3 question 88

HOTSPOT

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains blobs in a container named container1.

You plan to share access to storage1.

You need to generate a shared access signature (SAS). The solution must meet the following requirements:

• Ensure that the SAS can only be used to enumerate and download blobs stored in container1.
• Use the principle of least privilege.

Which three settings should you enable? To answer, select the appropriate settings in the answer area.
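To make the settings in the question concrete, here is an added example (not part of the original question or any reply, and not Microsoft's SDK code) that builds and verifies an account SAS token with only the Python standard library and then reviews a token against the stated need. It implements the account SAS string-to-sign layout documented for service version 2015-04-05 (later versions add an encryption-scope line); the account key is a constructed placeholder, and the checker's defaults (blob service, resource types `c` and `o`, permissions `r` and `l`) are an assumption about how the scenario maps onto account SAS fields, which is exactly the point the thread argues about.

```python
"""Account SAS construction, verification and least-privilege review.

Added example, standard library only. Account name and key are CONSTRUCTED
placeholders. The string-to-sign follows the documented account SAS layout
for service version 2015-04-05 (assumption: the portal may use a newer
version, which adds a trailing signedEncryptionScope line).
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2015-04-05"  # version whose string-to-sign layout is implemented below

# Constructed fixture: fake account and a fake base64 key (never a real credential).
ACCOUNT = "storage1"
ACCOUNT_KEY_B64 = base64.b64encode(b"constructed-fake-key-for-demo-only!!").decode()


def string_to_sign(account, sp, ss, srt, st, se, sip, spr, sv):
    """Account SAS string-to-sign: fixed field order, each line newline-terminated."""
    return "\n".join([account, sp, ss, srt, st, se, sip, spr, sv]) + "\n"


def _sign(account_key_b64, sts):
    """HMAC-SHA256 over the string-to-sign with the decoded account key, base64 output."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_account_sas(account, account_key_b64, *, services, resource_types,
                     permissions, expiry, start="", ip="", protocol="https"):
    """Return the query-string form of an account SAS (sv, ss, srt, sp, se, spr, sig...)."""
    sts = string_to_sign(account, permissions, services, resource_types,
                         start, expiry, ip, protocol, SAS_VERSION)
    params = {"sv": SAS_VERSION, "ss": services, "srt": resource_types,
              "sp": permissions, "se": expiry, "spr": protocol,
              "sig": _sign(account_key_b64, sts)}
    if start:
        params["st"] = start
    if ip:
        params["sip"] = ip
    return urlencode(params)


def parse_sas(token):
    """Split a SAS query string into a flat dict of its first values."""
    return {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}


def verify_account_sas(account, account_key_b64, token):
    """Recompute the signature from the token's own fields; any edit to sp/srt/ss breaks it."""
    p = parse_sas(token)
    sts = string_to_sign(account, p.get("sp", ""), p.get("ss", ""), p.get("srt", ""),
                         p.get("st", ""), p.get("se", ""), p.get("sip", ""),
                         p.get("spr", ""), p.get("sv", ""))
    return hmac.compare_digest(_sign(account_key_b64, sts), p.get("sig", ""))


def least_privilege_findings(token, allowed_services="b",
                             allowed_resource_types="co", allowed_permissions="rl"):
    """List every grant in the token beyond what the stated task needs.

    Defaults encode the thread's scenario (ASSUMPTION): blob service only,
    container + object resource types, read + list permissions.
    """
    p = parse_sas(token)
    findings = []
    checks = (("ss", allowed_services, "service"),
              ("srt", allowed_resource_types, "resource type"),
              ("sp", allowed_permissions, "permission"))
    for field, allowed, label in checks:
        extra = sorted(set(p.get(field, "")) - set(allowed))
        if extra:
            findings.append(f"{field}: unnecessary {label}(s) {''.join(extra)}")
    if p.get("spr", "") != "https":
        findings.append("spr: token usable over plain HTTP")
    if not p.get("se"):
        findings.append("se: no expiry")
    return findings


if __name__ == "__main__":
    tok = make_account_sas(ACCOUNT, ACCOUNT_KEY_B64, services="b", resource_types="co",
                           permissions="rl", expiry="2030-01-01T00:00:00Z")
    print(tok)
    print("valid:", verify_account_sas(ACCOUNT, ACCOUNT_KEY_B64, tok))
    print("findings:", least_privilege_findings(tok))
```

The review function is the part worth keeping around: run it over SAS tokens found in scripts or app settings and it names every service, resource type or permission that exceeds the list-and-download need, plus a missing expiry or a token that is not HTTPS-only. The verifier shows why the portal's "Allowed permissions" choice matters at signing time: the permission string is covered by the signature, so a token cannot later be widened by editing `sp`.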

Re: AZ-104 topic 3 question 88

The correct answer should be:
Allowed resource types: Container
Allowed permissions: List and Read.

Explanation:
Container: "Grants access to the content and metadata of any blob in the container, and to the list of blobs in the container."
Source: https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#specify-the-signed-resource-field
Specifying "Object" additionally would be redundant because it is a subset of "Container".

List: "List blobs non-recursively."
Source: https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#specify-permissions
Satisfies the requirement of enumeration.

Read: "Read the content, blocklist, properties, and metadata of any blob in the container or directory. Use a blob as the source of a copy operation."
Source: https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#specify-permissions
Satisfies the requirement of download.

Re: AZ-104 topic 3 question 88

From the Internet:
As far as I know, the resource type, you could regard as below:

Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files (e.g., Put Blob, Query Entity, Get Messages, Create File, etc.)

Therefore, is the answer Container, Object, Read correct?

Re: AZ-104 topic 3 question 88

Is it possible to enumerate with selecting "List" though?

Re: AZ-104 topic 3 question 88

@ggogel - I would agree with this: Container, Object and Read are correct. The List permission is not needed, as when you specify the Container resource type, you get the option of listing the blobs, and for download you select the Read option.
Reference: https://learn.microsoft.com/en-us/rest/api/storageservices/create-account-sas?redirectedfrom=MSDN#blob-service

Re: AZ-104 topic 3 question 88

- Container
- Read
- List

Re: AZ-104 topic 3 question 88

I would go with "container, read, list"
Container: it's the resource type we want to generate the SAS for
Read: this will allow download
List: this will allow enumeration or count/listing

Object: this is for when you want to target a specific blob. So it's not necessary for this scenario; however, it was required in the previous question.

Re: AZ-104 topic 3 question 88

I would say container and object.

You need container to list and you need the object to download.
You need the list option because that's the actions you want to perform on the container and you need read to download the object.

https://learn.microsoft.com/en-us/answers/questions/67751/azure-sas-terms

Re: AZ-104 topic 3 question 88

Tried it in a lab and that is exactly what happens. To do all requested operations you need Container, Object, Read and List. So, the question is wrong.

Re: AZ-104 topic 3 question 88

Yes, same result, the question is wrong:
to download you need Read on the object;
to list you need Container and List.

Re: AZ-104 topic 3 question 88

You get to pick three, not four.

Re: AZ-104 topic 3 question 88

So that's...
container, object
read, list

Re: AZ-104 topic 3 question 88

still 4, buddy...

Re: AZ-104 topic 3 question 88

Why container? Only object should be sufficient as it is asked to enumerate all the blobs in the given container.

Re: AZ-104 topic 3 question 88

Because if there are more containers, you would be able to read those too, and since it's the principle of least privilege, Container has to be selected.