A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. It allows clients to access storage resources without the account access keys. SAS tokens are particularly useful for delegating access to your storage account to applications or users that require temporary access, or for providing access to specific blob objects.
There are two types of SAS:
- Service SAS: Signed with the storage account key. This provides delegated access to blobs, queues, tables, or files.
- Account SAS: Signed with the storage account key. This provides delegated access to all blob, queue, table, and file resources within that storage account.
Why Use SAS?
SAS provides a secure and granular way to:
- Delegate access to specific resources (e.g., a single blob) without sharing your account keys.
- Grant read-only, write, delete, or list permissions.
- Specify an expiration time for the access, minimizing security risks.
- Allow access from specific IP addresses or referrers.
Creating a SAS
You can create SAS tokens using:
- Azure portal
- Azure CLI
- Azure PowerShell
- Azure Storage SDKs
- REST API
Using the Azure Portal
The Azure portal provides a user-friendly interface to generate SAS tokens for individual blobs or containers. Navigate to your storage account, then to the blob container, select the blob, and click "Generate SAS". You can configure permissions, start and expiry dates/times, and allowed IP addresses/referrers.
Using Azure CLI
Here's an example of generating a blob SAS using Azure CLI:
az storage blob generate-sas \
--account-name mystorageaccount \
--container-name mycontainer \
--name myblob.txt \
--permissions rwdl \
--expiry 2024-12-31T14:00:00Z \
--as-user
This command generates a SAS token for blob myblob.txt with read (r), write (w), delete (d), and list (l) permissions, expiring on December 31, 2024.
SAS URI Structure
A SAS token is appended to the URI of the storage resource. The structure of a SAS URI is:
https://{storage_account_name}.blob.core.windows.net/{container_name}/{blob_name}?{SAS_token}The {SAS_token} itself contains several key-value pairs, including:
sv: Signed versionss: Signed servicesrt: Signed resource typessp: Permissionsse: Expiryst: Start timesip: IPsr: Resourcesig: Signature
SAS Permissions
The following permissions can be granted for blobs:
| Permission | Description |
|---|---|
r (Read) |
Allows reading blob properties, metadata, and content. |
w (Write) |
Allows writing blob content and properties, including creating or overwriting a blob. |
d (Delete) |
Allows deleting a blob. |
l (List) |
Allows listing blobs within a container. (Generally applies to container SAS). |
a (Add) |
Allows adding new blocks to a block blob. |
c (Create) |
Allows creating a blob. |
p (Process) |
Allows processing blob data. |
SAS with IP Restrictions
You can restrict SAS access to specific IP addresses or ranges for enhanced security.
az storage blob generate-sas \
--account-name mystorageaccount \
--container-name mycontainer \
--name myimage.jpg \
--permissions r \
--expiry 2024-12-31T15:00:00Z \
--ip "203.0.113.10"
This SAS will only be valid when accessed from the IP address 203.0.113.10.
Best Practices for SAS
- Grant the least privilege necessary: Only include permissions that the client application truly needs.
- Set an expiration date/time: Always set an expiry for your SAS to limit the window of potential misuse.
- Use SAS for specific resources: Prefer granting access to individual blobs or containers rather than the entire storage account where possible.
- Use HTTPS: Always use HTTPS for SAS URIs.
- Be mindful of IP restrictions: Use IP restrictions when possible to further limit access.
- Do not embed SAS tokens in client-side code: Generate SAS tokens on the server-side and pass them to clients.