Understanding Shared Access Signatures (SAS) for Blob Storage
Shared Access Signatures (SAS) provide a secure way to grant limited access to objects in your Azure Storage accounts, such as blobs, without needing to share your account access keys.
What is a Shared Access Signature?
A SAS is a URI that contains a security token in its query string. This token allows specific access permissions to a resource for a specific period of time. SAS tokens can be used for:
- Granting limited access to blobs to a client application without handing out your storage account keys.
- Granting time-limited access to a blob, allowing users to download or upload data within a specified window.
- Granting specific permissions (e.g., read, write, delete) to a blob.
Types of SAS
Azure Storage offers two types of SAS:
- Service SAS: Delegates access to blobs, queues, tables, or files, but not to the storage account itself. Service SAS is generated from the account access key.
- Account SAS: Delegates access to one or more storage resources. It can grant access to any of the storage resources that a service SAS can access. An account SAS is signed with the storage account's key.
Creating a SAS
You can create a SAS using the following methods:
- Azure Portal: Navigate to the blob or container, and select "Generate SAS" from the actions menu.
- Azure Storage Explorer: Provides a user-friendly interface for generating SAS tokens.
- Azure SDKs: Programmatically generate SAS tokens using the Azure Storage SDKs for various programming languages.
- Azure CLI and PowerShell: Command-line tools for generating SAS tokens.
Example of a SAS URI (Service SAS for a blob)
A typical SAS URI looks like this:
https://myaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2020-08-04&ss=b&srt=sco&sp=r&se=2023-12-31T12:00:00Z&st=2023-12-31T10:00:00Z&spr=https&sig=aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abcDEF==
Here's a breakdown of common SAS parameters:
- sv: Signed Version (e.g., 2020-08-04, the storage service version the token is signed against)
- ss: Signed Services (e.g., b for blob)
- srt: Signed Resource Types (e.g., sco for service, container, object)
- sp: Permissions (e.g., r for read, w for write, d for delete)
- se: Expiration date and time (UTC)
- st: Start date and time (UTC)
- spr: Protocol (e.g., https or https,http)
- sig: Signature
Permissions
When creating a SAS, you can specify the following permissions:
- Read (r): Allows reading of blob data and properties.
- Write (w): Allows writing of blob data and properties.
- Delete (d): Allows deleting of blobs.
- List (l): Allows listing of blobs within a container.
- Add (a): Allows adding new blobs.
- Create (c): Allows creating new blobs.
- Process (p): Allows processing blob data (e.g., for append blobs).
- Permanent Delete (t): Allows permanent deletion of blobs.
- Tag (g): Allows reading and writing blob tags.
SAS Security Best Practices
- Grant the least privilege necessary.
- Specify a start and expiry time.
- Revoke SAS if compromised.
- Prefer SAS over account keys when possible.
- For service SAS, use the account key. For account SAS, use the storage account name and key.
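As an added example, not code from this page or from the Azure SDK, the following checker applies the parameter breakdown above and the best practices in this list to a SAS URI: it parses the query string, classifies the token as account or service SAS, and reports deviations (missing start or expiry, long lifetime, http allowed, permissions beyond read/list, broad srt scope). The audit rules, the 24-hour lifetime threshold and the second, weaker URI are constructed assumptions; the first URI is the page's own example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Read and list are the only permissions a download-only client needs (least privilege).
SAFE_PERMISSIONS = set("rl")
# The page's example URI, plus a constructed weaker token (placeholder signature).
PAGE_URI = ("https://myaccount.blob.core.windows.net/mycontainer/myblob.txt"
            "?sv=2020-08-04&ss=b&srt=sco&sp=r&se=2023-12-31T12:00:00Z"
            "&st=2023-12-31T10:00:00Z&spr=https&sig=aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abcDEF==")
WEAK_URI = ("https://myaccount.blob.core.windows.net/mycontainer/myblob.txt"
            "?sv=2020-08-04&sr=b&sp=rwd&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER_SIGNATURE")

def parse_sas(uri):
    """Split a SAS URI into its resource URL and a dict of SAS query parameters."""
    parts = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return f"{parts.scheme}://{parts.netloc}{parts.path}", params

def utc_time(value):
    """Parse the UTC timestamp format used by the st and se parameters."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(uri, now_utc, max_lifetime_hours=24):
    """Return (kind, findings): 'account' or 'service', plus best-practice violations."""
    now = utc_time(now_utc)
    _, p = parse_sas(uri)
    findings = []
    # An account SAS carries ss/srt; a service SAS names one resource type with sr.
    kind = "account" if "ss" in p or "srt" in p else "service"
    if "st" not in p:
        findings.append("no start time (st)")
    if "se" not in p:
        findings.append("no expiry time (se)")
    else:
        expiry = utc_time(p["se"])
        if expiry <= now:
            findings.append(f"expired at {p['se']}")
        start = utc_time(p["st"]) if "st" in p else now  # no st: token is valid from issue
        if (expiry - start).total_seconds() > max_lifetime_hours * 3600:
            findings.append(f"lifetime exceeds {max_lifetime_hours}h")
    if p.get("spr") != "https":
        findings.append("spr does not restrict the token to https")
    extra = set(p.get("sp", "")) - SAFE_PERMISSIONS
    if extra:
        findings.append(f"permissions beyond read/list: {''.join(sorted(extra))}")
    if kind == "account" and set(p.get("srt", "")) & set("sc"):
        findings.append(f"srt={p['srt']} grants service/container-level scope")
    return kind, findings
```

Because the page's example URI carries ss and srt, the checker classifies it as an account SAS and flags its srt=sco scope; a service SAS for a single blob would instead carry sr=b.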
Key Differences: SAS vs. Shared Key Authorization
Shared Key authorization signs every request with one of your storage account access keys, so anyone holding a key has full control of the account. SAS provides a more granular and time-limited approach to access, reducing the risk associated with sharing full access keys.
Learn More
For in-depth information and advanced scenarios, refer to the official Azure Storage documentation: