Merge pull request #197812 from tamram/tamram22-0510

Maggiemouse1 · web-flow · commit eed7f51730eb · 2022-05-11T09:12:25.000+01:00
update SAS articles to provide details on perms
diff --git a/articles/storage/blobs/sas-service-create.md b/articles/storage/blobs/sas-service-create.md
@@ -7,9 +7,9 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 03/23/2021
+ms.date: 05/10/2022
 ms.author: tamram
-ms.reviewer: dineshm
+ms.reviewer: nachakra
 ms.subservice: blobs
 ms.custom: devx-track-csharp
 ---
diff --git a/includes/storage-auth-sas-intro-include.md b/includes/storage-auth-sas-intro-include.md
@@ -5,7 +5,7 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 12/20/2019
+ms.date: 05/10/2022
 ms.author: tamram
 ms.custom: "include file"
 ---
@@ -14,7 +14,8 @@ A shared access signature (SAS) enables you to grant limited access to container
 
 Every SAS is signed with a key. You can sign a SAS in one of two ways:
 
-- With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a *user delegation* SAS.
-- With the storage account key. Both a *service SAS* and an *account SAS* are signed with the storage account key.
+- With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a *user delegation* SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. For more information, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas#assign-permissions-with-rbac).
+- With the storage account key. Both a *service SAS* and an *account SAS* are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the **Microsoft.Storage/storageAccounts/listkeys/action** permission.
 
-A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see [Grant limited access to data with shared access signatures (SAS)](../articles/storage/common/storage-sas-overview.md).
+> [!NOTE]
+> A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see [Grant limited access to data with shared access signatures (SAS)](../articles/storage/common/storage-sas-overview.md).
