shared access signature type of azure storage

Shared access signature

A SAS lets you grant granular access to files in Azure Storage, such as read-only or read-write access, together with an expiration time after which the SAS no longer allows the client to access the chosen resources. A shared access signature is a key that grants permission to a storage resource and should be protected in the same manner as an account key.

Azure Storage supports three types of shared access signatures:

  • User delegation SAS: Can only be used for Blob storage and is secured with Microsoft Entra credentials.
  • Service SAS: A service SAS is secured using a storage account key. A service SAS delegates access to a resource in any one of four Azure Storage services: Blob, Queue, Table, or File.
  • Account SAS: An account SAS is secured with a storage account key. An account SAS has the same controls as a service SAS, but can also control access to service-level operations, such as Get Service Stats.

You can create a SAS ad-hoc by specifying all the options you need to control, including start time, expiration time, and permissions.

If you plan to create a service SAS, there's also an option to associate it with a stored access policy. A stored access policy can be associated with up to five active SASs. You can control access and expiration at the stored access policy level. This approach is good if you need to have granular control to change the expiration, or to revoke a SAS. The only way to revoke or change an ad-hoc SAS is to change the storage account keys.

Delegate access by using a shared access signature

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who shouldn't be trusted with your storage account key but who need access to certain storage account resources. By distributing a SAS URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.

The URI query parameters that compose the SAS token incorporate all of the information necessary to grant controlled access to a storage resource. A client who has the SAS can make a request against Azure Storage by using just the SAS URI. The information in the SAS token is used to authorize the request.

Types of shared access signatures

Azure Storage supports the following types of shared access signatures:

  • An account SAS, introduced with version 2015-04-05. This type of SAS delegates access to resources in one or more of the storage services. All of the operations available via a service SAS are also available via an account SAS.

    With the account SAS, you can delegate access to operations that apply to a service, such as Get/Set Service Properties and Get Service Stats. You can also delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS.

    For more information, see Create an account SAS.

  • A service SAS. This type of SAS delegates access to a resource in just one of the storage services: Azure Blob Storage, Azure Queue Storage, Azure Table Storage, or Azure Files. For more information, see Create a service SAS and Service SAS examples.

  • A user delegation SAS, introduced with version 2018-11-09. This type of SAS is secured with Azure Active Directory credentials. It's supported for Blob Storage only, and you can use it to grant access to containers and blobs. For more information, see Create a user delegation SAS.

Additionally, a service SAS can reference a stored access policy that provides another level of control over a set of signatures. This control includes the ability to modify or revoke access to the resource if necessary. For more information, see Define a stored access policy.
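As an added example (not part of the original page or of Microsoft's documentation), the following Python script parses the query parameters that make up a SAS token, classifies the token as an account, service, or user delegation SAS from the parameters only one type carries, and flags the points the text above raises: an ad-hoc service SAS with no stored access policy (si), a long lifetime, write-class permissions, and a token usable over plain HTTP. The account name and signature in the sample URI are constructed placeholders, and the `now` default is pinned so the result is reproducible.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit
# Constructed sample: placeholder account name and a fake signature value.
SAMPLE_SAS_URI = (
    "https://exampleaccount.blob.core.windows.net/logs"
    "?sv=2022-11-02&sr=c&sp=racwdl&st=2023-11-16T00:00:00Z"
    "&se=2024-11-16T00:00:00Z&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)
def parse_time(value):
    """Parse the ISO 8601 UTC forms Azure accepts for st/se; None if absent."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def parse_sas(uri):
    """Flatten the SAS query string into {param: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}

def sas_type(params):
    """Classify by the parameters that only one SAS type carries."""
    if "skoid" in params:                       # user delegation key fields
        return "user delegation"
    if "ss" in params or "srt" in params:       # signed services / resource types
        return "account"
    if "sr" in params:                          # signed resource of one service
        return "service"
    return "unknown"

def audit_sas(uri, now="2023-11-16T00:00:00Z", max_days=7):
    """Return (sas_type, [findings]) for a SAS URI; `now` is injectable for tests."""
    p = parse_sas(uri)
    kind, findings = sas_type(p), []
    if kind == "account":
        findings.append("account SAS spans services; prefer a service or user delegation SAS")
    if kind == "service" and "si" not in p:
        findings.append("ad-hoc service SAS: revocable only by rotating the account keys")
    expiry = parse_time(p.get("se", ""))
    if expiry is None:
        findings.append("no se in token: lifetime comes from the stored access policy, if any")
    elif (expiry - parse_time(now)).days > max_days:
        findings.append(f"long-lived: expires in {(expiry - parse_time(now)).days} days")
    writes = sorted(set("acwd") & set(p.get("sp", "")))   # add/create/write/delete
    if writes:
        findings.append("write-class permissions granted: " + ",".join(writes))
    if "http" in p.get("spr", "https,http").split(","):   # spr defaults to both
        findings.append("spr permits http: set spr=https so the token is only sent over TLS")
    return kind, findings
```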

Shared access signatures (SAS) are a secure way to delegate access to Azure Storage resources. They provide a way to grant limited access to resources without having to expose storage account credentials.

There are three types of SAS:

  • Account SAS: This type of SAS delegates access to resources in one or more of the storage services: Blob storage, Queue storage, Table storage, or Azure Files. For more information about the account SAS, see Create an account SAS.
  • Service SAS: This type of SAS delegates access to a resource in just one of the storage services: Blob storage, Queue storage, Table storage, or Azure Files. For more information about the service SAS, see Create a service SAS (REST API).
  • User delegation SAS: This type of SAS is secured with Azure Active Directory (AAD) credentials. It's supported for Blob Storage only, and you can use it to grant access to containers and blobs. For more information, see Create a user delegation SAS.

SAS type             Access         Security
Account SAS          Most granular  Least secure
Service SAS          More granular  More secure
User delegation SAS  Most secure    Requires AAD credentials

In general, you should use the most granular type of SAS that meets your needs. For example, if you need to grant access to a specific container in Blob storage, you should use a service SAS instead of an account SAS.

Here are some examples of how SAS can be used:

  • Granting access to a specific container in Blob storage: You can use a service SAS to grant an application access to a specific container in Blob storage. This is useful for applications that need to read or write data from a specific container.
  • Granting access to a specific queue in Queue storage: You can use a service SAS to grant an application access to a specific queue in Queue storage. This is useful for applications that need to enqueue or dequeue messages from a specific queue.
  • Granting access to a specific table in Table storage: You can use a service SAS to grant an application access to a specific table in Table storage. This is useful for applications that need to read or write data from a specific table.
  • Granting access to a specific file share in Azure Files: You can use a service SAS to grant an application access to a specific file share in Azure Files. This is useful for applications that need to read or write data from a specific file share.

SAS is a powerful tool that can be used to securely delegate access to Azure Storage resources. By using the right type of SAS, you can grant the specific level of access that your applications need.

posted @ 2023-11-16 18:24 ChuckLu