Shared Access Signature (SAS) in Azure
A shared access signature (SAS) is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters.
The token is the important part: its query parameters state what the client may do with the resource (which operations, on which resource, for how long, over which protocol). The signature query parameter (sig) is an HMAC-SHA256 computed over those parameters, in a fixed order, with the key that created the SAS. Azure Storage recomputes that signature from the incoming request and uses it to authorize access, so a client cannot change any signed parameter (for example widening sp or extending se) without invalidating the token.
Azure Storage supports three types of SAS:
User delegation SAS
Secured with Microsoft Entra credentials and also by the permissions specified for the SAS. It is signed with a user delegation key obtained through Entra rather than with the storage account key. Applies to Blob storage (including Azure Data Lake Storage Gen2) only.
Service SAS
Secured with the storage account key. A service SAS delegates access to a resource in the following Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.
Account SAS
Secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services.
** Using Microsoft Entra credentials (a user delegation SAS) is the security best practice: no storage account key has to be distributed or embedded in the signing service, the user delegation key is short-lived (at most seven days), and it can be revoked through Entra without rotating the account key, which would invalidate every service and account SAS at once.
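How the sig value is actually produced, as an added example (not code from the original post, and not Microsoft's SDK): it builds the string-to-sign for a blob-scoped service SAS in the documented sv=2020-02-02 layout, signs it with HMAC-SHA256 under the account key, assembles the URL in the same URL-part/token-part split the post uses, and then plays the server side by recomputing the signature. The account name, container and blob are the ones from the post's example; the account key is a constructed placeholder; and the string-to-sign layout is reproduced here from the service SAS documentation as I know it, so for production tokens use the SDK's own generate_blob_sas rather than this code.

```python
"""Added example: build, sign and verify a blob-scoped service SAS.
The layout of the string-to-sign follows the service SAS documentation for
sv=2020-02-02 as I know it; the account key below is a constructed placeholder."""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder: real account keys are 64 random bytes, base64-encoded.
FAKE_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()


def blob_string_to_sign(account, container, blob, permissions, start, expiry,
                        protocol="https", version="2020-02-02"):
    """Build the string-to-sign for a single-blob service SAS (sr=b).

    Field order matters: Azure rebuilds exactly this string from the request's
    query parameters and recomputes the HMAC. Fields this example does not use
    (stored access policy id, IP range, snapshot time, response header
    overrides) are left empty, but their newline separators are kept.
    """
    canonicalized_resource = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions,             # sp
        start,                   # st
        expiry,                  # se
        canonicalized_resource,  # derived from the URL path, not a query parameter
        "",                      # si  (stored access policy identifier)
        "",                      # sip (allowed IP range)
        protocol,                # spr
        version,                 # sv
        "b",                     # sr
        "",                      # snapshot time
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct
    ]
    return "\n".join(fields)


def sign(string_to_sign, account_key_b64):
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the raw (decoded) key."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_blob_sas_url(account, container, blob, permissions, start, expiry,
                       account_key_b64, protocol="https", version="2020-02-02"):
    """Return resource URL + '?' + SAS token, the same split the post shows."""
    sts = blob_string_to_sign(account, container, blob, permissions, start, expiry,
                              protocol, version)
    params = {"sp": permissions, "st": start, "se": expiry, "spr": protocol,
              "sv": version, "sr": "b", "sig": sign(sts, account_key_b64)}
    # urlencode percent-encodes '+', '/' and '=' in the base64 signature,
    # which is why the post's example shows %2B and %3D inside sig.
    token = urllib.parse.urlencode(params)
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{token}"


def verify(url, account_key_b64):
    """Server-side view: recompute the signature from the URL and compare in constant time.

    Any change to a signed parameter (sp, st, se, spr, sv) or to the path
    produces a different string-to-sign, so the supplied sig no longer matches.
    """
    parsed = urllib.parse.urlsplit(url)
    account = parsed.hostname.split(".")[0]
    container, blob = parsed.path.lstrip("/").split("/", 1)
    q = dict(urllib.parse.parse_qsl(parsed.query))
    sts = blob_string_to_sign(account, container, blob, q["sp"], q["st"], q["se"],
                              q.get("spr", "https"), q["sv"])
    return hmac.compare_digest(sign(sts, account_key_b64), q["sig"])


if __name__ == "__main__":
    url = build_blob_sas_url("tradingsnasdaq", "sock-images", "stock-116139-nq8z7f.jpg",
                             "r", "2022-05-20T11:11:28Z", "2022-05-21T20:11:28Z",
                             FAKE_ACCOUNT_KEY)
    print(url)
    print("intact token verifies:", verify(url, FAKE_ACCOUNT_KEY))
    # Upgrading sp=r to sp=rw without re-signing breaks the signature.
    print("tampered token verifies:", verify(url.replace("sp=r&", "sp=rw&"), FAKE_ACCOUNT_KEY))
```

The verify function is the reason a SAS is safe to hand to a client at all: the permissions and validity window travel in the clear, but they are bound to the key through the signature, so the only way to get broader access is to possess the key. That is also the flip side: anyone who holds the account key can mint a token for anything in the account, which is the argument for the user delegation SAS above.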
Example
Single URI: https://tradingsnasdaq.blob.core.windows.net/sock-images/stock-116139-nq8z7f.jpg?sp=r&st=2022-05-20T11:11:28Z&se=2022-05-21T20:11:28Z&spr=https&sv=2020-02-02&sr=b&sig=TgQ2HFSDDSb6MbRzTbXCaPm%2BJiSEn15tJ44Y4umMPwVZs%3D
URL Part: https://tradingsnasdaq.blob.core.windows.net/sock-images/stock-116139-nq8z7f.jpg?
SAS Token Part: sp=r&st=2022-05-20T11:11:28Z&se=2022-05-21T20:11:28Z&spr=https&sv=2020-02-02&sr=b&sig=TgQ2HFSDDSb6MbRzTbXCaPm%2BJiSEn15tJ44Y4umMPwVZs%3D
In detail
sp => Signed permissions, one letter per right: a for add, c for create, d for delete, l for list, r for read, w for write. For example sp=acdlrw grants all six of these, while the example above grants read only (sp=r). Azure defines further letters (for example x for delete version and t for tag), so acdlrw is not everything that can be granted.
st => Signed start time, ISO 8601 in UTC. Optional; when omitted the token is valid as soon as it is issued.
se => Signed expiry time, same format. Required unless the SAS references a stored access policy that supplies it.
sv => Storage service API version used to interpret the token and to build the string that is signed.
spr => Permitted protocol: https or https,http. When omitted both are allowed, so set spr=https explicitly.
sr => Signed resource type: b for a single blob, c for a whole container (also d for a directory, bv for a blob version, bs for a blob snapshot).
sig => The signature: base64-encoded HMAC-SHA256 over the other signed values, URL-encoded in the query string (hence the %2B and %3D in the example).
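A reviewer's reading of those parameters, as an added example (not part of the original post): it parses a SAS URL into the fields listed above and flags what to check before a token is issued, or when one turns up in a log, a ticket or a public repository. The post's read-only example token is used as the "good" input and a constructed, deliberately broad token as the "bad" one; the 24-hour lifetime threshold is my own review policy, not an Azure rule, and the audit never validates signatures.

```python
"""Added example: parse a SAS URL and flag risky settings.
The 24 h lifetime limit is an assumed review policy; the broad token below
is constructed for illustration and its sig is a placeholder."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Letters from the post plus the other blob permissions Azure defines.
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
               "l": "list", "x": "delete version", "t": "tag", "m": "move", "e": "execute"}
RESOURCES = {"b": "blob", "c": "container", "d": "directory",
             "bv": "blob version", "bs": "blob snapshot"}

# The post's example token (read-only, single blob).
POST_URL = ("https://tradingsnasdaq.blob.core.windows.net/sock-images/stock-116139-nq8z7f.jpg"
            "?sp=r&st=2022-05-20T11:11:28Z&se=2022-05-21T20:11:28Z&spr=https&sv=2020-02-02"
            "&sr=b&sig=TgQ2HFSDDSb6MbRzTbXCaPm%2BJiSEn15tJ44Y4umMPwVZs%3D")
# Constructed broad token: all six rights, whole container, HTTP allowed, no start time.
BROAD_URL = ("https://tradingsnasdaq.blob.core.windows.net/sock-images"
             "?sp=acdlrw&se=2022-12-31T00:00:00Z&spr=https,http&sv=2020-02-02&sr=c&sig=placeholder")
# Fixed review time so results are reproducible (the post's token was live then).
REVIEW_TIME = datetime(2022, 5, 20, 12, 0, tzinfo=timezone.utc)


def parse_sas_url(url):
    """Split a SAS URL into the resource URL and a dict of SAS parameters."""
    parts = urlsplit(url)
    resource_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return resource_url, dict(parse_qsl(parts.query, keep_blank_values=True))


def parse_time(value):
    """SAS times are ISO 8601 UTC, e.g. 2022-05-21T20:11:28Z; date-only is also accepted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url, now=None, max_lifetime=timedelta(hours=24)):
    """Return (summary, findings). Findings are plain strings a reviewer can act on."""
    now = now or datetime.now(timezone.utc)
    _, p = parse_sas_url(url)
    sp = p.get("sp", "")
    start = parse_time(p["st"]) if "st" in p else None
    expiry = parse_time(p["se"])
    protocol = p.get("spr", "https,http")  # Azure permits both when spr is omitted
    findings = []
    if expiry <= now:
        findings.append("expired: se is in the past")
    lifetime = expiry - (start or now)  # no st means valid from issue time
    if lifetime > max_lifetime:
        findings.append(f"long-lived: valid for {lifetime}, over the {max_lifetime} review limit")
    mutating = set(sp) & set("acwdx")
    if mutating:
        findings.append("mutating rights granted: sp includes " + "".join(sorted(mutating)))
    if "http" in protocol.split(","):
        findings.append("plain HTTP allowed: token can be replayed from a network capture")
    if p.get("sr") in ("c", "d"):
        findings.append(f"wide scope: sr={p['sr']} covers every object in the {RESOURCES[p['sr']]}")
    if "sip" not in p:
        findings.append("no sip: usable from any source IP")
    summary = {"permissions": [PERMISSIONS.get(ch, f"unknown({ch})") for ch in sp],
               "start": start, "expiry": expiry, "protocol": protocol,
               "resource": RESOURCES.get(p.get("sr", ""), f"unknown({p.get('sr')})"),
               "version": p.get("sv")}
    return summary, findings


if __name__ == "__main__":
    for label, url in (("post example", POST_URL), ("constructed broad token", BROAD_URL)):
        summary, findings = audit_sas(url, now=REVIEW_TIME)
        print(label, "->", summary["permissions"], summary["resource"], summary["protocol"])
        for finding in findings:
            print("  -", finding)
```

Even the post's read-only token draws a "long-lived" finding under this policy (33 hours for a single image download), which is the usual shape of SAS findings in practice: the permissions are fine, the window is far wider than the job needs. Run over a log export, the same function turns "a SAS appeared in a URL" into a list of which tokens were container-wide, writable or still valid.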
Use case (when to use) - When your users need to read and write their own data in your storage account without you handing them the account key, a SAS is the right tool: each user gets a token scoped to their own objects, with just the rights and the time window they need.
Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:
- When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.
- When you copy a file (Azure Files) to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.
- When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.