Generate SAS for Azure Blob Storage

Generate a Shared Access Signature (SAS) for Azure Blob Storage

A Shared Access Signature (SAS) provides a secure way to delegate access to your Azure Storage resources, such as blobs, containers, or tables, without sharing your account access keys. You can grant clients access to specific resources for a defined period and with specific permissions.

What is a SAS?

A SAS is a URI that contains a security token in its query parameters. This token represents delegated permissions to your storage resources. The SAS allows clients to access your storage accounts without their own Azure credentials. Key benefits include:

Granular Permissions: Grant read, write, delete, and list permissions.
Time-Bound Access: Define start and expiry times for the SAS.
IP Restrictions: Optionally restrict access to specific IP addresses or ranges.
Protocol Restrictions: Specify allowed protocols (e.g., HTTPS only).

Methods for Generating SAS

You can generate SAS tokens using several methods:

1. Azure Portal

The Azure portal offers a user-friendly interface to generate SAS tokens for blobs and containers.

Navigate to your storage account, select the container or blob, and use the "Shared access signature" option in the left-hand menu. Configure permissions, expiry, and other settings, then copy the generated SAS token.

2. Azure CLI

Use the Azure Command-Line Interface for scriptable SAS generation.

az storage blob generate-sas \
    --account-name  \
    --container-name  \
    --name  \
    --permissions rwdlacu \
    --expiry 2024-12-31T23:59:59Z \
    --output tsv

Replace placeholders like <your-storage-account-name> with your actual values.

3. Azure SDKs

Leverage Azure Storage SDKs available in various programming languages to programmatically generate SAS.

Example using Python SDK:

from azure.storage.blob import BlobServiceClient, AccountSasPermissions, ResourceTypes

        connect_str = ""
        blob_service_client = BlobServiceClient.from_connection_string(connect_str)

        sas_permissions = AccountSasPermissions(read=True, write=True, delete=True, list=True)
        sas_token = blob_service_client.generate_account_sas(
            resource_types=ResourceTypes(container=True, object=True),
            permission=sas_permissions,
            expiry='2024-12-31T23:59:59Z'
        )

        print(f"Generated SAS Token: {sas_token}")

Understanding SAS Components

A SAS URI typically looks like this:

https://[account name].blob.core.windows.net/[container name]/[blob name]?[canonicalized resource]&[signature]

[canonicalized resource]: Includes parameters like sv (signed version), ss (signed services), srt (signed resource types), sp (signed permissions), se (signed expiry), st (signed start), sip (signed IP), and spr (signed protocol).
[signature]: The HMAC-SHA256 hash of the string-to-sign.

Best Practices

Generate SAS with the least privilege: Grant only the necessary permissions and for the shortest duration required.
Use HTTPS: Always enforce HTTPS for SAS tokens.
Revoke SAS when no longer needed: Although SAS tokens expire, you can revoke them sooner by resetting the account access keys (this will invalidate all SAS tokens).
Be cautious with account-level SAS: These grant broader permissions than service-level SAS.

Next Steps

Configure anonymous read access for public containers.
Explore Azure Active Directory authentication for more robust security.
Learn about managing access policies for containers.