How to Use Shared Access Signature in Azure: Simple Guide
Shared Access Signature (SAS) in Azure lets you grant limited access to storage resources without sharing your account keys. You create a SAS token specifying permissions, resource and expiry, then append it to URLs or pass it to API calls to access Azure Storage; the service verifies the signature and enforces the constraints encoded in the token on every request.
Syntax
A Shared Access Signature (SAS) token is a set of query parameters appended to the resource URL. The account SAS form looks like this (a service SAS scoped to a single container or blob replaces ss and srt with a single sr field but uses the same sp, se, st, spr and sig fields):
https://<storage-account>.blob.core.windows.net/<container>/<blob>?sv=<version>&ss=<services>&srt=<resource-types>&sp=<permissions>&se=<expiry-time>&st=<start-time>&spr=<protocol>&sig=<signature>
Explanation of parts:
- sv: Storage service version the token was signed against
- ss: Services accessible: b (blob), f (file), q (queue), t (table)
- srt: Resource types: s (service), c (container), o (object)
- sp: Permissions, e.g. r (read), w (write), d (delete), l (list)
- se: Expiry time, UTC, ISO 8601 (e.g. 2024-06-30T12:00:00Z)
- st: Start time (optional, UTC); if omitted the token is valid immediately
- spr: Allowed protocols, https or https,http; if omitted both are accepted
- sig: HMAC-SHA256 over the other fields, computed with the account key and Base64-encoded; the service recomputes it on every request, so changing any parameter invalidates the token
This token is appended to resource URLs to grant limited access. Anyone holding the full URL can use it until it expires, so treat the URL itself as a secret.
https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2023-04-01&ss=b&srt=o&sp=rl&se=2024-06-30T12:00:00Z&st=2024-06-30T08:00:00Z&spr=https&sig=signaturestring
Example
This example shows how to create a SAS token for a blob container using the Azure SDK for Python (azure-storage-blob) and then use it to list blobs. Generating the token is a local HMAC computation with the account key; only the listing call talks to the service.
```python
from datetime import datetime, timedelta, timezone

from azure.storage.blob import (
    BlobServiceClient,
    ContainerSasPermissions,
    generate_container_sas,
)

# Storage account name and key. In practice load the key from a secret store
# (Key Vault, environment variable); never hard-code it in source.
account_name = "mystorageaccount"
account_key = "your_account_key"
container_name = "mycontainer"

# Generate a container SAS valid for 1 hour with read and list permissions only.
# Signing happens locally with the account key; no request is sent to Azure here.
sas_token = generate_container_sas(
    account_name=account_name,
    container_name=container_name,
    account_key=account_key,
    permission=ContainerSasPermissions(read=True, list=True),
    expiry=datetime.now(timezone.utc) + timedelta(hours=1),
    protocol="https",  # sets spr=https so the token is rejected over plain HTTP
)

# Create a client that authenticates with the SAS token instead of the key
blob_service_client = BlobServiceClient(
    account_url=f"https://{account_name}.blob.core.windows.net",
    credential=sas_token,
)

# List blobs in the container (this call goes to the service)
container_client = blob_service_client.get_container_client(container_name)
print("Blobs in container:")
for blob in container_client.list_blobs():
    print(f"- {blob.name}")
```
Output
Blobs in container:
- file1.txt
- image.png
- data.csv
Common Pitfalls
- Using expired SAS tokens: once se has passed the service rejects every request with 403 AuthenticationFailed. Check the expiry before retrying, and issue a fresh token rather than extending lifetimes to avoid the problem.
- Overly broad permissions: grant only the permissions the caller needs. A leaked read-only token exposes data; a leaked token with write or delete permission lets the holder alter or destroy it. Prefer a service SAS scoped to one container or blob over an account SAS covering whole services.
- Start time and clock skew: a token is rejected until st has passed. If the issuing machine's clock runs ahead of the service, a start time of "now" makes the token unusable for a while. Omit st, or set it at least 15 minutes in the past.
- Using account keys directly: an account key grants full control of the entire account and can only be revoked by rotating it. Hand out SAS tokens instead, and remember that a SAS signed with the account key also stays valid until the key is rotated (or, for a SAS bound to a stored access policy, until the policy is removed).
```python
from datetime import datetime, timedelta, timezone

from azure.storage.blob import ContainerSasPermissions, generate_container_sas

# account_name, account_key and container_name as defined in the example above

# Wrong: no expiry argument. Current versions of azure-storage-blob raise
# ValueError here when no stored access policy (policy_id) is supplied, so the
# mistake is caught at generation time; do not rely on that in older versions
# or in hand-rolled signing code.
sas_token = generate_container_sas(
    account_name=account_name,
    container_name=container_name,
    account_key=account_key,
    permission=ContainerSasPermissions(read=True),
)

# Right: always set a short expiry
sas_token = generate_container_sas(
    account_name=account_name,
    container_name=container_name,
    account_key=account_key,
    permission=ContainerSasPermissions(read=True),
    expiry=datetime.now(timezone.utc) + timedelta(hours=1),
)
```
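The checks from the Common Pitfalls list can be run against any SAS URL offline, using only the query fields described in the Syntax section. The following audit is an added example, not code from the original page or from the Azure SDK: it parses sv/ss/srt/sp/se/st/spr/sig and reports expired or not-yet-valid tokens, long lifetimes, missing spr (plain HTTP accepted), mutating permissions and broad resource types. The two sample URLs are constructed (the first is the page's example URL, the second a hypothetical sloppy token). It cannot verify the signature itself; that requires the account key that produced it.

```python
"""Offline audit of a SAS URL against the pitfalls described above.

Added example, not the page's or the SDK's own code. Checks the token's
parameters only; the signature is not verified (that needs the account key).
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample inputs: the page's example URL, and a hypothetical
# sloppy account SAS for contrast (all services, all resource types,
# read/write/delete, far-off expiry, no protocol restriction).
EXAMPLE_URL = (
    "https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt"
    "?sv=2023-04-01&ss=b&srt=o&sp=rl&se=2024-06-30T12:00:00Z"
    "&st=2024-06-30T08:00:00Z&spr=https&sig=signaturestring"
)
SLOPPY_URL = (
    "https://mystorageaccount.blob.core.windows.net/mycontainer"
    "?sv=2023-04-01&ss=bfqt&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z"
    "&sig=signaturestring"
)

# Permission letters that let the holder change or destroy data:
# a(dd), c(reate), w(rite), d(elete), x (delete version), y (permanent delete).
MUTATING_PERMS = set("acwdxy")
# srt letters above object level: s(ervice) and c(ontainer).
BROAD_RESOURCE_TYPES = set("sc")
# Timestamp forms accepted in se/st (always UTC).
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_url(url):
    """Return (host, path, params) with each query field as a single string."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.netloc, parts.path, params


def parse_sas_time(value):
    """Parse a SAS timestamp as an aware UTC datetime; None if unparseable."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url, now_utc=None, max_lifetime_hours=1):
    """Return a list of (code, message) findings; an empty list means no issue.

    now_utc is an optional SAS-style timestamp string used instead of the
    real clock, which keeps the checks deterministic.
    """
    now = parse_sas_time(now_utc) if now_utc else datetime.now(timezone.utc)
    _, _, p = parse_sas_url(url)
    findings = []

    if "sig" not in p:
        findings.append(("missing-sig", "no sig field: this is not a SAS URL"))

    # Expiry, start time and lifetime (pitfalls 1 and 3).
    if "se" not in p:
        findings.append(("missing-expiry", "no se field: token is not time-bound"))
    else:
        expiry = parse_sas_time(p["se"])
        start = parse_sas_time(p["st"]) if "st" in p else None
        if expiry is None or ("st" in p and start is None):
            findings.append(("bad-time", "se/st is not a recognised UTC timestamp"))
        else:
            if expiry <= now:
                findings.append(("expired", f"token expired at {p['se']}"))
            if start is not None and start > now:
                findings.append(("not-yet-valid", f"st {p['st']} is in the future"))
            lifetime = expiry - (start or now)
            if lifetime > timedelta(hours=max_lifetime_hours):
                findings.append(("long-lifetime", f"valid for {lifetime}, limit {max_lifetime_hours}h"))

    # If spr is omitted the service accepts both HTTPS and HTTP.
    if p.get("spr") != "https":
        findings.append(("http-allowed", f"spr={p.get('spr', '<absent>')}: plain HTTP accepted"))

    # Permissions and scope (pitfall 2).
    mutating = set(p.get("sp", "")) & MUTATING_PERMS
    if mutating:
        findings.append(("mutating-permissions", f"sp grants {''.join(sorted(mutating))}"))
    broad = set(p.get("srt", "")) & BROAD_RESOURCE_TYPES
    if broad:
        findings.append(("broad-resource-types", f"srt includes {''.join(sorted(broad))}"))
    return findings


if __name__ == "__main__":
    for url in (EXAMPLE_URL, SLOPPY_URL):
        print(url.split("?")[0])
        for code, msg in audit_sas(url, now_utc="2024-06-30T10:00:00Z") or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run as a script it audits both constructed URLs as of 2024-06-30T10:00Z: the page's example URL is flagged only for its four-hour lifetime, while the sloppy token is flagged for lifetime, plain-HTTP acceptance, mutating permissions and service/container scope. Because the signature is not checked, a clean result means "the stated constraints are sane", not "this token is genuine".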
Quick Reference
Remember these tips when using SAS tokens:
- Set a short expiry time to limit the damage if the token leaks.
- Grant only the permissions needed (read, write, list, delete) and scope the token to the narrowest resource.
- Use HTTPS only by setting spr=https (protocol="https" in the Python SDK).
- Use SDKs to generate SAS tokens rather than building the signature by hand, and prefer a user delegation SAS (signed with a Microsoft Entra ID identity) over one signed with the account key where the service supports it.
- Never share your storage account keys publicly, and treat SAS URLs as secrets too.
Key Takeaways
Use Shared Access Signature (SAS) tokens to grant limited, time-bound access to Azure Storage resources.
Always specify expiry time and minimal permissions when creating SAS tokens for security.
Use Azure SDKs to generate SAS tokens safely instead of manually crafting URLs.
Avoid sharing your storage account keys; SAS tokens limit what a holder can do, but a key-signed SAS stays valid until the key is rotated, so keep lifetimes short.
Check token start and expiry times to avoid access errors.