Shared Access Signatures (SAS)
Securely delegate access to Azure Storage resources.
Shared Access Signatures (SAS) provide a secure way to grant limited access to objects in your Azure Storage account without exposing your account access keys. A SAS URI is the resource URI with a signed token appended as query parameters. The token allows a client to access the storage resource for a specified period of time, with specific permissions.
Understanding SAS
There are two types of SAS:
- Service SAS: Signed with the storage account key. A service SAS grants access to a resource in a single service: a blob or container, a queue, a table, or a file share.
- Account SAS: Also signed with the storage account key. This type can grant access to resources across all the service types (blob, queue, table, file) that the account key authorizes.
When to Use SAS
- Granting limited access to objects in your storage account (e.g., allowing a user to download a specific blob).
- Delegating access to specific containers or objects to applications without storing account access keys in the client application.
- Providing temporary access to resources.
SAS Token Components
A SAS token is appended to the URI of a storage resource. The key components include:
- Resource URI: The URI of the storage resource (e.g., a blob, a container).
- sv (Signed Version): The version of the REST API used to construct the SAS.
- st (Signed Start): The UTC date/time when the SAS becomes valid.
- se (Signed Expiration): The UTC date/time when the SAS expires.
- sr (Signed Resource): For a service SAS, the resource the SAS applies to (e.g., a blob or a container).
- ss (Signed Services) and srt (Signed Resource Types): For an account SAS, the services (blob, file, queue, table) and the resource types (service, container, object) the SAS applies to.
- sp (Signed Permissions): The permissions granted by the SAS (e.g., read, write, delete, list).
- sig (Signature): The HMAC signature computed over the other SAS parameters with the account key.
Generating a SAS Token
You can generate SAS tokens using:
- Azure portal
- Azure CLI
- Azure PowerShell
- Azure Storage SDKs
- REST API
Example using Azure Portal
- Navigate to your storage account in the Azure portal.
- Select the container or blob you want to grant access to.
- Click on "Generate SAS".
- Configure the desired permissions, start and expiry times, and resource types.
- Click "Generate SAS token and URL".
Service SAS Example (Blob)
https://myaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2020-08-04&sr=b&sp=r&se=2023-12-31T12:00:00Z&sig=aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abcd
Account SAS Example
https://myaccount.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&se=2023-12-31T12:00:00Z&sig=aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abcd
Security Considerations
Important:
- Never expose your account access keys directly.
- Generate SAS tokens with the minimum necessary permissions and for the shortest possible duration.
- Be aware of clock skew between the client and server when setting start and expiry times.
- Store SAS tokens securely, as they grant access to your data.
- Use an account SAS only when necessary, as it grants broad permissions.
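As an added example that is not part of the original page, the following Python script parses a SAS URL into the components listed above and flags the risks this section warns about (long lifetime, account-wide scope, permissions beyond read and list). The account name, paths and sig values are constructed placeholders, and the one-hour lifetime threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample SAS URLs; account, container and sig values are placeholders.
READ_ONLY_SAS = ("https://myaccount.blob.core.windows.net/mycontainer/myblob.txt"
                 "?sv=2020-08-04&sr=b&sp=r&se=2023-12-01T00:45:00Z&sig=PLACEHOLDER")
BROAD_ACCOUNT_SAS = ("https://myaccount.blob.core.windows.net/"
                     "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup"
                     "&se=2023-12-31T12:00:00Z&sig=PLACEHOLDER")
# Fixed "current time" so the audit is reproducible offline.
AUDIT_TIME = datetime(2023, 12, 1, tzinfo=timezone.utc)


def parse_sas(url: str) -> dict:
    """Split a SAS URL into its resource URI and its single-valued query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params["resource"] = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return params


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(hours=1)) -> list:
    """Return findings: missing parameters, expiry, account-wide scope, excess permissions."""
    p = parse_sas(url)
    missing = [k for k in ("sv", "sp", "se", "sig") if k not in p]
    if missing:
        return ["missing parameters: " + ",".join(missing)]
    findings = []
    # 'se' is UTC in ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
    if expiry <= now:
        findings.append("expired")
    elif expiry - now > max_lifetime:
        findings.append("lifetime exceeds " + str(max_lifetime))
    # ss/srt only appear on an account SAS, which spans services and resource types.
    if "ss" in p or "srt" in p:
        findings.append(f"account SAS: services={p.get('ss', '')} resource types={p.get('srt', '')}")
    perms = set(p["sp"])
    if "*" in perms:
        findings.append("all permissions granted")
    extra = perms - {"r", "l", "*"}  # anything beyond read and list can change or destroy data
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    for url in (READ_ONLY_SAS, BROAD_ACCOUNT_SAS):
        print(parse_sas(url)["resource"], audit_sas(url, AUDIT_TIME) or ["ok"])
```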
Permissions
| Permission | Abbreviation | Description |
|---|---|---|
| Read | r | Allows reading data and properties of a resource. |
| Write | w | Allows writing data and properties to a resource. |
| Delete | d | Allows deleting a resource. |
| List | l | Allows listing blobs or table entities. |
| Add | a | Allows adding new entities to a table. |
| Create | c | Allows creating blobs or table entities. |
| Process | p | Allows retrieving and deleting messages from a queue. |
| All | * | Grants all possible permissions. (Use with extreme caution) |
Resource Types
| Resource Type | Abbreviation | Description |
|---|---|---|
| Service | s | Grants access to service-level resources (e.g., listing all containers). |
| Container | c | Grants access to container-level resources (e.g., listing blobs within a container). |
| Object | o | Grants access to object-level resources (e.g., a specific blob). |