
Shared Access Signatures (SAS)

1. Shared Access Signatures (SAS)

Microsoft Entra ID manages who can access your apps and what they can do. But sometimes, you need to share a file or folder without signing someone in. That’s where Shared Access Signatures help. Now, let’s see how SAS enables secure, flexible sharing.

2. What is a shared access signature?

A Shared Access Signature lets you grant limited access to Azure Storage resources without exposing your account key.

3. Analogy: SAS as a vending token

Think of it like getting a vending machine token that’s valid for the next 30 seconds and lets you pick only a Coca-Cola.

4. How is a SAS secured?

The token is signed using your storage key or Microsoft Entra credentials, depending on the SAS type.

5. Types of SAS

There are three types of SAS, each with different use cases and security levels. First, User Delegation SAS is the most secure. It uses Microsoft Entra credentials and works only with Blob and Data Lake Storage. Think of it as a personal token that grants access to a specific resource. Next, Service SAS uses the storage account key and grants access to a single service, like blobs, queues, or files. Imagine it as a ticket valid for one service only. Finally, Account SAS also uses the account key and allows access across multiple services and can perform service-level operations. It’s like a master pass, giving access to multiple areas at once.

6. Real-world scenario

Let’s explore a real-world example to understand SAS. PeopleSphere, our HR app, needs to share payroll reports with an external auditor. To do this safely, it uses a User Delegation SAS, which grants temporary access. The auditor can view only the specific payroll reports they need, and the access automatically expires after a set time. The SAS is securely authenticated using PeopleSphere’s Azure credentials, so sensitive account keys are never exposed.

7. Understanding SAS structure

Now, let’s break down how a Shared Access Signature really works. It starts with a URI pointing to your storage resource, such as a blob or file. Appended to this URI is the SAS token: a query string of key-value pairs that define the access being granted.

8. Token components

First is `sp`, which sets permissions like read or write. Then, `st` and `se` define the start and end of the valid time window. `spr` specifies the allowed protocol. `sr` indicates the type of resource, such as "b" for blob. `sv` refers to the storage API version in use. And finally, `sig` is the cryptographic signature Azure uses to verify the request.

9. Best practices for using SAS

Now, let’s make your SAS usage safer! Always use HTTPS, as it encrypts the token in transit to prevent interception. Prefer User Delegation SAS for better security, as it avoids storing account keys. Keep expiration short, so leaked tokens can’t be used for long. And only give the permissions you truly need. If it feels risky, skip SAS altogether and use a secure backend.
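To tie the token structure above to the best practices, here is an added example (not from the course) that parses a SAS URL into its `sp`, `st`, `se`, `spr`, `sr`, `sv` and `sig` fields and flags the weak settings a reviewer would look for. The storage account, blob path, policy thresholds and the `sig` value are all constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a blob URI with a SAS token appended. Account, container,
# blob name and the `sig` value are made-up placeholders, not real credentials.
SAMPLE_SAS_URL = (
    "https://peoplesphere.blob.core.windows.net/payroll/report-2024-q1.pdf"
    "?sv=2022-11-02&sr=b&sp=rw&st=2024-05-01T08:00:00Z&se=2024-05-08T08:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)

def parse_sas(url):
    """Split a SAS URL into the resource URI and its key=value token fields."""
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return f"{parts.scheme}://{parts.netloc}{parts.path}", fields

def _utc(value):
    # st/se are ISO 8601 UTC timestamps, e.g. 2024-05-01T08:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_sas(url, max_lifetime=timedelta(hours=1), allowed_perms="r"):
    """Return best-practice findings for a SAS URL; an empty list means clean."""
    resource, f = parse_sas(url)
    findings = []
    if not resource.startswith("https://"):
        findings.append("resource URI is not HTTPS")
    # Only spr=https pins the token to TLS; "https,http" or an absent spr
    # leaves HTTP requests possible, so the token could travel in plaintext.
    if f.get("spr") != "https":
        findings.append(f"spr is {f.get('spr', 'absent')}; only spr=https pins HTTPS")
    for required in ("sv", "sig", "se"):
        if required not in f:
            findings.append(f"token is missing required field {required}")
    if "st" in f and "se" in f:
        lifetime = _utc(f["se"]) - _utc(f["st"])
        if lifetime > max_lifetime:
            findings.append(f"validity window {lifetime} exceeds {max_lifetime}")
    # sp is a set of permission letters; anything beyond the allowed set is excess
    excess = set(f.get("sp", "")) - set(allowed_perms)
    if excess:
        findings.append(f"excess permissions: {''.join(sorted(excess))}")
    if f.get("sr") != "b":
        findings.append(f"sr={f.get('sr')} is broader than a single blob")
    return findings

if __name__ == "__main__":
    for finding in review_sas(SAMPLE_SAS_URL):
        print("-", finding)
```

Run against the sample, the review reports three findings: a protocol setting that permits HTTP, a seven-day validity window, and a write permission the auditor scenario does not need.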

10. Let's practice!

You've got the knowledge, now let's dive into some hands-on practice.
