Blob Shared Access Signatures (SAS)
A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A SAS token allows you to grant clients access to blobs and containers in your storage account without sharing your account access keys. This is a flexible way to delegate access: the keys themselves never leave your control, and the token carries only the permissions and validity period you choose.
Understanding Shared Access Signatures
A SAS token is appended to the URI of a storage resource as a set of query parameters. These parameters describe what is granted (resource, permissions, start and expiry time, and optional restrictions) and carry a signature over those values computed with the account's access key. Clients presenting the SAS token can then access the resource with exactly the permissions the token grants, until it expires.
Types of Shared Access Signatures
There are two main types of SAS:
- User Delegation SAS: This type of SAS is secured with Azure Active Directory (Azure AD) credentials. It provides a higher level of security as it does not rely on account access keys.
- Account SAS: This type of SAS is signed with the storage account's access key. It can grant access to any resource in the storage account.
When to Use SAS
- Granting temporary read/write access to specific blobs to a client application without requiring a storage account key.
- Allowing users to upload files directly to Azure Blob Storage without going through your application's backend.
- Delegating access to specific blobs for a limited time.
Creating a Shared Access Signature
You can create SAS tokens using the Azure Portal, Azure CLI, Azure PowerShell, or programmatically using the Azure Storage SDKs.
Using the Azure Portal
Navigate to your storage account, select the container or blob, and then choose the "Generate SAS" option. You can specify permissions, expiry time, and IP restrictions.
Using Azure CLI
The Azure CLI provides commands for generating SAS tokens.
# Generate a user delegation SAS for a blob.
# --auth-mode login signs in with your Azure AD identity and --as-user
# requests a user delegation key instead of using the account key.
az storage blob generate-sas \
  --account-name "yourstorageaccountname" \
  --container-name "yourcontainer" \
  --name "yourblob.txt" \
  --permissions rwad \
  --expiry "2023-12-31T12:00:00Z" \
  --auth-mode login \
  --as-user \
  --output tsv
# Generate an account SAS for container-level resources of the blob service.
# This is signed with the account key, supplied via --account-key or the
# AZURE_STORAGE_KEY environment variable.
az storage account generate-sas \
  --account-name "yourstorageaccountname" \
  --services b \
  --resource-types c \
  --permissions rld \
  --expiry "2023-12-31T12:00:00Z" \
  --output tsv
Using Azure Storage SDKs
Most Azure SDKs provide helpers to generate SAS tokens. Here's an example using Python (azure-storage-blob and azure-identity):
# For user delegation SAS
# A user delegation key can only be requested with Azure AD credentials,
# so the client is built with a token credential rather than a connection string.
from datetime import datetime, timedelta, timezone
from azure.identity import DefaultAzureCredential
from azure.storage.blob import (
    BlobServiceClient,
    BlobSasPermissions,
    generate_blob_sas,
)

account_name = "yourstorageaccount"
account_url = f"https://{account_name}.blob.core.windows.net"
blob_service_client = BlobServiceClient(account_url, credential=DefaultAzureCredential())

# Get a user delegation key valid for one hour; the SAS cannot outlive it
now = datetime.now(timezone.utc)
delegation_key = blob_service_client.get_user_delegation_key(
    key_start_time=now,
    key_expiry_time=now + timedelta(hours=1),
)

# Sign a read-only SAS for a single blob with the delegation key
sas_token = generate_blob_sas(
    account_name=account_name,
    container_name="mycontainer",
    blob_name="myblob.txt",
    user_delegation_key=delegation_key,
    permission=BlobSasPermissions(read=True),
    expiry=now + timedelta(hours=1),
)
print(f"User Delegation SAS Token: {sas_token}")

# For account SAS
# An account SAS is signed directly with the storage account key.
from azure.storage.blob import (
    AccountSasPermissions,
    ResourceTypes,
    generate_account_sas,
)

sas_token = generate_account_sas(
    account_name=account_name,
    account_key="YOUR_ACCOUNT_KEY",
    resource_types=ResourceTypes(service=True, container=True, object=True),  # Service, Container, Object
    permission=AccountSasPermissions(read=True, list=True),  # Read, List
    expiry=now + timedelta(days=1),
)
print(f"Account SAS Token: {sas_token}")
SAS Token Components
A SAS token is appended to the resource URI and looks like this:
https://yourstorageaccount.blob.core.windows.net/yourcontainer/yourblob?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx&se=2023-12-31T12%3A00%3A00Z&st=2023-01-01T00%3A00%3A00Z&spr=https&sig=YOUR_SIGNATURE
Key components of the SAS token include:
- sv (Signed Version): The version of the Blob service used to authorize the request.
- ss (Signed Services): The services that the SAS grants access to (blob, file, queue, table).
- srt (Signed Resource Types): The types of resources that the SAS grants access to (service, container, object).
- sp (Signed Permissions): The permissions granted by the SAS (e.g., r for read, w for write, d for delete, l for list, a for add, c for create, u for update, p for process, x for ownership).
- se (Signed Expiry): The date and time, in UTC, after which the SAS is no longer valid.
- st (Signed Start): The date and time, in UTC, at which the SAS becomes valid.
- spr (Signed Protocol): The protocol that must be used with the SAS (e.g., https).
- sig (Signature): The signature used to authenticate the request.
Security Best Practices
- Always use the shortest possible validity period for your SAS.
- Grant only the necessary permissions.
- Use IP restrictions, and scope the SAS to a single container or blob rather than the whole account, where possible.
- For user delegation SAS, ensure your Azure AD identities are managed securely.
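As an added example (not code from the original page), the script below parses the SAS query parameters described in the previous section and checks a token against the practices listed above: validity window, write-like permissions, account-wide scope, HTTPS-only and IP restriction. The sample URL is constructed to match the page's format, and MAX_LIFETIME_HOURS is an assumed policy limit.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the page's format; the signature value is a placeholder.
SAMPLE_URL = ("https://yourstorageaccount.blob.core.windows.net/yourcontainer/yourblob"
              "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx"
              "&se=2023-12-31T12%3A00%3A00Z&st=2023-01-01T00%3A00%3A00Z"
              "&spr=https&sig=YOUR_SIGNATURE")

MAX_LIFETIME_HOURS = 24        # assumed policy limit, adjust to your own
WRITE_LIKE = set("wdacupx")    # permissions that create, change or remove data

def parse_sas(url):
    """Return the SAS query parameters of a URL as a flat dict."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}

def parse_time(value):
    """SAS timestamps are UTC ISO 8601, e.g. 2023-12-31T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas(url)
    if "sig" not in params or "se" not in params:
        return ["not a SAS URL: sig or se missing"]
    findings = []
    expiry = parse_time(params["se"])
    start = parse_time(params["st"]) if "st" in params else now
    if expiry <= now:
        findings.append("expired")
    hours = (expiry - start).total_seconds() / 3600
    if hours > MAX_LIFETIME_HOURS:
        findings.append(f"validity window is {hours:.0f}h (> {MAX_LIFETIME_HOURS}h)")
    risky = set(params.get("sp", "")) & WRITE_LIKE
    if risky:
        findings.append("grants write-like permissions: " + "".join(sorted(risky)))
    if params.get("srt") == "sco":   # srt/ss are present only on an account SAS
        findings.append("account SAS covering service, container and object")
    if params.get("spr") != "https":
        findings.append("spr is not https, so the token may travel over HTTP")
    if "sip" not in params:
        findings.append("no IP restriction (sip)")
    return findings

if __name__ == "__main__":
    for finding in audit_sas(SAMPLE_URL, now=parse_time("2023-06-01T00:00:00Z")):
        print("FINDING:", finding)
```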
Common SAS Scenarios
Read-Only Access to a Blob
Granting temporary read access to a user without them needing any Azure credentials.
# Read-only SAS for a single blob; requires the account key via --account-key or AZURE_STORAGE_KEY
az storage blob generate-sas \
  --account-name "yourstorageaccount" \
  --container-name "public-data" \
  --name "report.pdf" \
  --permissions r \
  --expiry "2024-01-15T10:00:00Z" \
  --output tsv
Upload Access to a Container
Allowing a client to upload new blobs to a specific container.
# A container-level SAS is needed here, since the blob names are not known in advance;
# "ac" grants add and create but not read, list or delete
az storage container generate-sas \
  --account-name "yourstorageaccount" \
  --name "uploads" \
  --permissions ac \
  --expiry "2024-01-15T10:00:00Z" \
  --output tsv
Conclusion
Shared Access Signatures are a fundamental feature of Azure Storage for securely delegating access to your data. By understanding the different types of SAS, their components, and how to generate them, you can effectively control access to your blobs and containers.
For more advanced configurations and details, please refer to the official Azure Storage SAS documentation.