Azure - What is a Shared Access Signature (SAS)
A Shared Access Signature (SAS) is a secure, time-limited URL token that gives restricted access to Azure Storage resources (like blobs, files, queues, or tables) without exposing your account key.
It allows you to grant fine-grained, temporary permissions (e.g., read-only access to a single blob) to clients like:
- Users
- Mobile apps
- Third-party services
- Automation scripts
📦 What Can a SAS Grant Access To?
| Service | Examples |
|---|---|
| Blob Storage | Download/upload specific blobs or containers |
| File Storage | Share or mount specific directories |
| Queue Storage | Add or read queue messages |
| Table Storage | Insert, query, or delete rows |
🔁 SAS Token Structure
A SAS URL is the resource URL with the SAS token appended as a query string.
It includes:
- `sv`: service version
- `se`: expiry time
- `sp`: permissions (e.g., `r` for read, `w` for write)
- `sig`: the signature (an HMAC over the other parameters, keyed with the account key or a user delegation key)
🧠 Types of SAS
| Type | Description |
|---|---|
| Account SAS | Grants access to multiple services (blob, file, queue, table) in a storage account |
| Service SAS | Grants access to a specific resource (e.g., one blob) |
| User Delegation SAS | Uses Azure AD credentials instead of the account key (more secure) |
🔧 Example: Generate a SAS to Download a Blob
With Azure CLI:
This generates a SAS token. Append it to the blob URL:
Now, anyone with this link can download the file until it expires.
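The CLI command itself is not reproduced on this page, so the following is an added example (not the post's own code and not the Azure SDK) that shows what the CLI does under the hood: it assembles the token's parameters into a string-to-sign, computes `sig` as an HMAC-SHA256 keyed with the account key, and appends the result as a query string. It assumes the documented string-to-sign layout for a blob service SAS at service version 2020-12-06, and uses a constructed account name and key. The `verify_blob_sas` function recomputes the signature, which makes the security point concrete: changing any signed parameter (permissions, expiry, target blob) invalidates the token, and only a holder of the account key can mint or alter one.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample values for the example; not a real account or key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2020-12-06"  # assumed service version for the string-to-sign layout below


def _iso(dt):
    """Format a datetime the way SAS expects: UTC, whole seconds, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def string_to_sign(account, container, blob, permissions, start, expiry,
                   allowed_ip, protocol, version):
    """Assemble the newline-delimited string the service signs (assumed layout for
    a blob service SAS, version 2020-12-06). Empty fields are still present so
    that every parameter, set or not, is bound by the signature."""
    canonicalized_resource = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions,                    # sp
        _iso(start) if start else "",   # st
        _iso(expiry),                   # se
        canonicalized_resource,         # which blob this token is for
        "",                             # si: stored access policy id (none used)
        allowed_ip,                     # sip
        protocol,                       # spr
        version,                        # sv
        "b",                            # sr: 'b' = a single blob
        "",                             # snapshot time
        "",                             # encryption scope
        "", "", "", "", "",             # rscc, rscd, rsce, rscl, rsct header overrides
    ]
    return "\n".join(fields)


def sign(account_key_b64, data):
    """sig = Base64(HMAC-SHA256(Base64Decode(accountKey), UTF8(stringToSign)))."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_blob_sas(account, account_key_b64, container, blob, permissions,
                   expiry, start=None, allowed_ip="", protocol="https",
                   version=SAS_VERSION):
    """Return the SAS query string to append after '?' on the blob URL."""
    sts = string_to_sign(account, container, blob, permissions, start, expiry,
                         allowed_ip, protocol, version)
    params = {"sv": version, "sr": "b", "sp": permissions, "se": _iso(expiry),
              "spr": protocol}
    if start:
        params["st"] = _iso(start)
    if allowed_ip:
        params["sip"] = allowed_ip
    params["sig"] = sign(account_key_b64, sts)
    return urlencode(params)


def verify_blob_sas(account, account_key_b64, container, blob, sas_query):
    """Recompute the signature from the token's own parameters; True only if
    nothing in the token was altered after it was signed."""
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    try:
        expiry = datetime.strptime(q["se"], fmt).replace(tzinfo=timezone.utc)
        start = (datetime.strptime(q["st"], fmt).replace(tzinfo=timezone.utc)
                 if "st" in q else None)
        sts = string_to_sign(account, container, blob, q["sp"], start, expiry,
                             q.get("sip", ""), q.get("spr", ""), q["sv"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(sign(account_key_b64, sts), q["sig"])


def example_token():
    """Constructed demo: read-only token for one blob, expiring 2030-01-01 UTC."""
    expiry = datetime(2030, 1, 1, tzinfo=timezone.utc)
    return build_blob_sas(ACCOUNT, ACCOUNT_KEY_B64, "reports", "q1.pdf", "r", expiry)


if __name__ == "__main__":
    token = example_token()
    print(f"https://{ACCOUNT}.blob.core.windows.net/reports/q1.pdf?{token}")
    print("valid:", verify_blob_sas(ACCOUNT, ACCOUNT_KEY_B64, "reports", "q1.pdf", token))
    tampered = token.replace("sp=r&", "sp=rw&")  # try to escalate read to read+write
    print("valid after tampering:",
          verify_blob_sas(ACCOUNT, ACCOUNT_KEY_B64, "reports", "q1.pdf", tampered))
```

Because the account key is the HMAC key for every service SAS in the account, rotating that key invalidates all of them at once; that is the lever behind the "regenerate keys" mitigation later on this page.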
✅ Benefits of SAS
| Benefit | Description |
|---|---|
| ✅ No need to share storage keys | More secure and revocable |
| ⏰ Time-limited | Automatically expires |
| 🔐 Granular permissions | Read, write, delete, list, per resource |
| 🧠 Useful for public or temporary access | Download links, temp upload areas, etc. |
⚠️ Security Considerations
| Risk | Mitigation |
|---|---|
| 🌍 SAS can be shared | Use a short expiry plus IP restrictions |
| 🔐 Exposes access if leaked | Regenerate the account key (which invalidates every SAS signed with it) or use Azure AD (User Delegation SAS) |
| 🧹 Hard to track usage | Log access via storage analytics or diagnostic settings |
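The mitigations in this table are checkable from the token itself, since every control (expiry, permissions, protocol, IP range) travels in the query string described in the structure section. The following is an added example, not the post's own code, of a small policy linter that a reviewer or CI step could run over SAS URLs before they are handed out: it parses the parameters, classifies the token (account SAS carries `ss`/`srt`, user delegation SAS carries `skoid`), and reports anything looser than a constructed policy of read/list only, at most one hour of validity, HTTPS only, and a pinned source IP. The thresholds, account name and sample URLs are constructed for the example, and `FAKESIG1` stands in for a real signature. It also shows how to redact `sig` before a URL is logged, so that the access log itself does not become the leak.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed policy thresholds for this example (not Azure defaults); tune per environment.
MAX_LIFETIME = timedelta(hours=1)
ALLOWED_PERMISSIONS = set("rl")  # read + list is enough for a download link

# Constructed clock and sample URLs; 'FAKESIG1' stands in for a real signature.
NOW = datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_URLS = [
    # 1. tight: one blob, read-only, 30-minute expiry, https only, pinned to one IP
    "https://examplestorage.blob.core.windows.net/reports/q1.pdf"
    "?sv=2020-12-06&sr=b&sp=r&st=2030-06-01T11%3A55%3A00Z&se=2030-06-01T12%3A30%3A00Z"
    "&spr=https&sip=203.0.113.10&sig=FAKESIG1",
    # 2. loose service SAS: whole container, full permissions, months of validity, http allowed
    "https://examplestorage.blob.core.windows.net/reports"
    "?sv=2020-12-06&sr=c&sp=racwdl&se=2031-01-01T00%3A00%3A00Z&spr=https,http&sig=FAKESIG1",
    # 3. account SAS: spans every service (blob, file, queue, table) in the account
    "https://examplestorage.blob.core.windows.net/"
    "?sv=2020-12-06&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-06-01T12%3A30%3A00Z&spr=https&sig=FAKESIG1",
]


def sas_kind(q):
    """Classify by the parameters present: a user delegation SAS carries skoid,
    an account SAS carries ss (services); any other signed token is a service SAS."""
    if "skoid" in q:
        return "user-delegation"
    if "ss" in q:
        return "account"
    return "service"


def lint_sas_url(url, now=NOW, max_lifetime=MAX_LIFETIME, allowed=ALLOWED_PERMISSIONS):
    """Return (kind, findings); an empty findings list means the token meets the policy."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return "none", ["no sig parameter: not a SAS URL"]
    findings = []
    kind = sas_kind(q)
    if kind == "account":
        findings.append("account SAS spans services; prefer a service or user delegation SAS")
    se = q.get("se")
    if not se:
        findings.append("missing se: token never expires on its own")
    else:
        try:
            expiry = datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append(f"unparseable se: {se}")
        else:
            if expiry <= now:
                findings.append("already expired")
            elif expiry - now > max_lifetime:
                findings.append(f"expiry too far out: {expiry - now} left, policy allows {max_lifetime}")
    extra = set(q.get("sp", "")) - allowed
    if extra:
        findings.append("permissions beyond policy: " + "".join(sorted(extra)))
    if q.get("spr") != "https":
        findings.append("spr is not https-only")
    if "sip" not in q:
        findings.append("no sip: token usable from any IP address")
    if q.get("sr") == "c":
        findings.append("sr=c: scoped to a whole container, not a single blob")
    return kind, findings


def redact(url):
    """Mask the signature so a URL can be logged without leaking a usable token."""
    return re.sub(r"sig=[^&]*", "sig=REDACTED", url)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        kind, findings = lint_sas_url(url)
        print(redact(url), "->", kind, findings or "OK")
```

The linter only reads the token; it cannot tell whether `sig` is genuine, which is why it pairs with server-side logging (diagnostic settings) rather than replacing it.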