Answer-first summary for fast verification
Answer: shared access signatures (SAS)
## Detailed Explanation ### Requirements Analysis The question requires granting permissions to a specific application for a **limited time period** in Azure Data Lake Storage Gen2. This scenario demands a solution that provides: - Time-bound access control - Application-specific permissions - Secure authentication mechanism ### Option Analysis **B. Shared Access Signatures (SAS) - CORRECT** - **Time-bound access**: SAS tokens can be configured with specific start and expiry times, perfectly matching the "limited duration" requirement - **Granular permissions**: SAS tokens can grant specific permissions (read, write, delete, list) to specific resources - **Application integration**: SAS tokens can be generated and used by applications programmatically - **Security**: SAS tokens provide secure, delegated access without exposing account credentials - **Best practice**: SAS is the recommended approach for providing time-limited access to Azure Storage resources **A. Role assignments - INCORRECT** - Role assignments in Azure RBAC are typically persistent and not designed for time-limited access - While time-bound role assignments exist, they are complex to implement and not the optimal solution for application-specific, temporary access **C. Azure Active Directory (Azure AD) identities - INCORRECT** - Azure AD identities provide persistent authentication and are not inherently time-bound - While conditional access policies can add time restrictions, this approach is more complex and less direct than SAS for temporary application access **D. Account keys - INCORRECT** - Account keys provide full administrative access to the entire storage account - They are persistent and not time-limited - Using account keys violates security best practices as they grant excessive permissions and cannot be restricted to specific time periods ### Why SAS is Optimal Shared Access Signatures are specifically designed for scenarios requiring: - Temporary access delegation - Fine-grained permissions - Secure token-based authentication - Easy integration with applications The SAS token can be generated with precise start and expiry times, specific permissions, and restricted to particular containers or files, making it the ideal solution for granting time-limited application access to Azure Data Lake Storage Gen2.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
You are designing an application that uses Azure Data Lake Storage Gen2. You need to recommend a solution to provide a specific application with permissions that are valid only for a limited duration. What should you recommend?
A
role assignments
B
shared access signatures (SAS)
C
Azure Active Directory (Azure AD) identities
D
account keys
No comments yet.