Azure SAS
If your infrastructure is hosted on Azure, please adopt this solution. For how to use SAS (Shared Access Signature), the detailed documentation is at https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

1. Overview

When a partner's infrastructure is hosted on Microsoft Azure, Klavi utilizes the Azure SAS (Shared Access Signature) mechanism to perform secure file uploads. A SAS is a URI that grants restricted access rights to Azure Storage resources. For this integration, Klavi requires a service SAS or account SAS with specific write permissions to your designated Blob Storage container.

2. Partner (Recipient/Azure) Configuration Guide

As the data recipient on Azure, you are responsible for provisioning the storage resource and generating the secure access token.

2.1 Create an Azure Blob Storage Container

- Navigate to your Azure Storage account.
- Under Data storage, select Containers.
- Create a new container (e.g., klavi-data-inbound).

2.2 Generate the SAS Token

To allow Klavi to upload files, you must generate a SAS token with the following minimum requirements:

- Allowed services: Blob
- Allowed resource types: Object (and Container for directory access)
- Permissions:
  - Create and Write (required for uploading files)
  - Read (optional, recommended for automated checksum verification)
  - List (optional, required if Klavi needs to verify file existence)
- Expiry: Set an expiration date according to your internal security policy. Note: please provide at least 12 hours of expiration time for this token to allow Klavi enough time for errors, repairs, and re-uploads during the file generation process.
- Allowed protocols: HTTPS only

2.3 IP Whitelisting (Optional but Recommended)

For enhanced security, you can restrict the SAS token to only accept requests from Klavi's outgoing infrastructure. Please request Klavi's static outbound IP addresses to configure the allowed IP addresses field during SAS generation.

3. Information Exchange Checklist

The following technical parameters must be shared to enable the integration.

3.1 From Partner to Klavi

Please provide the following details to the Klavi integration team:

| Parameter | Description | Example |
| --- | --- | --- |
| Storage Account Name | The name of your Azure Storage account | `partnerstorageprod` |
| Container Name | The specific container for file delivery | `klavi-inbound` |
| SAS Token | The generated string starting with `?sv=` | `?sv=2026-01-21&ss=b&srt=o&sp=wd` |
| Blob Service Endpoint | Your custom or default Azure Blob URL | `https://<account>.blob.core.windows.net` |

3.2 From Klavi to Partner

Klavi will provide the following information upon request:

| Parameter | Description |
| --- | --- |
| Static Outbound IPs | The IP addresses used by Klavi's AWS-based delivery service for whitelisting |

4. Klavi Operational Workflow

Once the SAS credentials are provided, Klavi's automated pipeline will:

- Construct service URI: Combine the blob endpoint, container name, and SAS token to create a secure target URI.
- Secure upload: Perform an authorized PUT request via HTTPS to your Azure container.
- Integrity check: If Read permissions are granted, Klavi will verify the blob's properties to ensure the file was transmitted without corruption.
- Expiry monitoring: Klavi's system will alert our operations team 14 days before your SAS token is set to expire.

5. Security Best Practices

- Principle of least privilege: Do not share your account access keys. Only provide a SAS token scoped to the specific container required for delivery.
- HTTPS enforcement: All data transfers are encrypted in transit using TLS 1.2+.
- Token rotation: We recommend rotating SAS tokens periodically (e.g., every 6 or 12 months) to maintain a high security posture.
- SAS type: For better isolation, we prefer a service SAS (scoped to a container) over an account SAS.

Support

For technical assistance during setup, please contact our support team at crie@klavi.ai
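
One way for a partner to check a generated token against the minimum requirements in section 2.2 before handing it over, as an added example that is not Klavi's or Microsoft's code. It reads the standard SAS query parameters (`ss`, `srt`, `sr`, `sp`, `spr`, `se`, `sip`); the function name `check_sas` and the sample token are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MIN_LIFETIME = timedelta(hours=12)  # minimum expiry window asked for in 2.2


def check_sas(token, now=None):
    """Check a SAS query string; returns (errors, warnings) as lists of str."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    errors, warnings = [], []

    if "ss" in q or "srt" in q:  # an account SAS carries ss/srt
        if "b" not in q.get("ss", ""):
            errors.append("ss must include b (blob)")
        if "o" not in q.get("srt", ""):
            errors.append("srt must include o (object)")
        warnings.append("account SAS; a container-scoped service SAS is preferred")
    elif q.get("sr") != "c":  # a service SAS carries sr
        errors.append("sr must be c (container)")

    perms = set(q.get("sp", ""))
    missing = {"c", "w"} - perms  # create and write are required for uploads
    if missing:
        errors.append("sp missing required: " + "".join(sorted(missing)))
    extra = perms - set("cwrl")  # read and list are the only optional extras
    if extra:
        warnings.append("sp grants more than needed: " + "".join(sorted(extra)))

    if q.get("spr") != "https":  # absent or "https,http" both allow plain HTTP
        errors.append("spr must be https only")

    try:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiry; SAS times are UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now < MIN_LIFETIME:
            errors.append("se leaves less than 12 hours of validity")
    except (KeyError, ValueError):
        errors.append("se missing or not an ISO 8601 UTC time")

    if "sip" not in q:
        warnings.append("no sip restriction to Klavi's outbound IPs")
    return errors, warnings


if __name__ == "__main__":
    # Constructed token for illustration; the signature is a placeholder.
    print(check_sas("?sv=2026-01-21&sr=c&sp=cw&spr=https&se=2030-01-02T00%3A00%3A00Z&sig=PLACEHOLDER"))
```

Run it on the token only, never on a log line or ticket that would store the `sig` value alongside the result.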