SAS types in Azure Storage

Shared access signatures (SAS) are a secure way to delegate access to Azure Storage resources. They provide a way to grant limited access to resources without having to expose storage account credentials.

There are three types of SAS:

  • Account SAS: This type of SAS delegates access to resources in one or more of the storage services: Blob storage, Queue storage, Table storage, or Azure Files. For more information about the account SAS, see Create an account SAS.
  • Service SAS: This type of SAS delegates access to a resource in just one of the storage services: Blob storage, Queue storage, Table storage, or Azure Files. For more information about the service SAS, see Create a service SAS (REST API).
  • User delegation SAS: This type of SAS is secured with Azure Active Directory (AAD) credentials. It's supported for Blob Storage only, and you can use it to grant access to containers and blobs. For more information, see Create a user delegation SAS.

SAS type            | Access        | Security
Account SAS         | Most granular | Least secure
Service SAS         | More granular | More secure
User delegation SAS | Most secure   | Requires AAD credentials

In general, you should use the most granular type of SAS that meets your needs. For example, if you need to grant access to a specific container in Blob storage, you should use a service SAS instead of an account SAS.
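
The guidance above can be checked against tokens already in circulation. The following Python example is added here and is not from the original article or any Azure SDK: it tells the three SAS types apart by their query parameters and flags an account SAS that names only one service. The sample URLs, account name, object IDs and signatures are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Letters used in the account SAS "ss" (signed services) field.
SERVICES = {"b": "Blob", "q": "Queue", "t": "Table", "f": "Files"}

def classify_sas(url_or_token):
    """Return (sas_type, details) for a SAS URL or bare token, or None if unsigned."""
    query = urlsplit(url_or_token).query if "?" in url_or_token else url_or_token
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if "sig" not in p:
        return None
    if "skoid" in p and "sktid" in p:   # signed with a user delegation key
        kind = "user delegation"
    elif "ss" in p and "srt" in p:      # signed services + signed resource types
        kind = "account"
    else:                               # scoped to a resource in one service
        kind = "service"
    services = [SERVICES[c] for c in p.get("ss", "") if c in SERVICES]
    return kind, {"permissions": p.get("sp", ""), "expiry": p.get("se", ""),
                  "services": services}

def review(url_or_token):
    """Flag an account SAS that only names one service, per the guidance above."""
    result = classify_sas(url_or_token)
    if result is None:
        return "not a SAS (no sig parameter)"
    kind, details = result
    if kind == "account" and len(details["services"]) == 1:
        return f"account SAS limited to {details['services'][0]}: a service SAS would be narrower"
    return f"{kind} SAS"

# Constructed samples: account name, IDs and signatures are placeholders.
BASE = "https://exampleaccount.blob.core.windows.net"
COMMON = "sv=2022-11-02&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED"
ZERO = "00000000-0000-0000-0000-000000000000"
SAMPLES = {
    "account_blob_only": f"{BASE}/?{COMMON}&ss=b&srt=co&sp=rl",
    "account_multi": f"{COMMON}&ss=bqt&srt=sco&sp=rwl",
    "service_container": f"{BASE}/reports?{COMMON}&sr=c&sp=r",
    "user_delegation": f"{BASE}/reports?{COMMON}&sr=c&sp=r&skoid={ZERO}&sktid={ZERO}"
                       "&skt=2029-12-31T00:00:00Z&ske=2030-01-01T00:00:00Z&sks=b&skv=2022-11-02",
    "plain_url": f"{BASE}/reports/a.txt",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: {review(value)}")
```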

Here are some examples of how SAS can be used:

  • Granting access to a specific container in Blob storage: You can use a service SAS to grant an application access to a specific container in Blob storage. This is useful for applications that need to read or write data from a specific container.
  • Granting access to a specific queue in Queue storage: You can use a service SAS to grant an application access to a specific queue in Queue storage. This is useful for applications that need to enqueue or dequeue messages from a specific queue.
  • Granting access to a specific table in Table storage: You can use a service SAS to grant an application access to a specific table in Table storage. This is useful for applications that need to read or write data from a specific table.
  • Granting access to a specific file share in Azure Files: You can use a service SAS to grant an application access to a specific file share in Azure Files. This is useful for applications that need to read or write data from a specific file share.

SAS is a powerful tool that can be used to securely delegate access to Azure Storage resources. By using the right type of SAS, you can grant the specific level of access that your applications need.