Create a service SAS for a container or blob with Python


A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.

Note

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for Python.

About the service SAS

A service SAS is signed with the storage account access key. A service SAS delegates access to a resource in a single Azure Storage service, such as Blob Storage.

You can also use a stored access policy to define the permissions and duration of the SAS. If the name of an existing stored access policy is provided, that policy is associated with the SAS. To learn more about stored access policies, see Define a stored access policy. If no stored access policy is provided, the code examples in this article show how to define permissions and duration for the SAS.

Create a service SAS

You can create a service SAS for a container or blob, based on the needs of your app.

You can create a service SAS to delegate limited access to a container resource using the generate_container_sas method.

The storage account access key used to sign the SAS is passed to the method as the account_key argument. Allowed permissions are passed to the method as the permission argument, and are defined in the ContainerSasPermissions class.

The following code example shows how to create a service SAS with read permissions for a container resource:

    import datetime

    from azure.storage.blob import ContainerClient, ContainerSasPermissions, generate_container_sas


    def create_service_sas_container(self, container_client: ContainerClient, account_key: str):
        # Create a SAS token that's valid for one day, as an example
        start_time = datetime.datetime.now(datetime.timezone.utc)
        expiry_time = start_time + datetime.timedelta(days=1)

        # Sign the SAS with the storage account key; only read permission is granted
        sas_token = generate_container_sas(
            account_name=container_client.account_name,
            container_name=container_client.container_name,
            account_key=account_key,
            permission=ContainerSasPermissions(read=True),
            expiry=expiry_time,
            start=start_time
        )

        return sas_token
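The token returned above is a query string whose fields carry the constraints the article describes: sp (permissions), st and se (start and expiry), sr (signed resource), si (stored access policy) and spr (allowed protocol). The following example is added here and is not part of the original article or the client library; it audits those fields with the standard library alone before a token is handed out, and the sample token (including its sig value) is constructed for illustration.

```python
import datetime
from urllib.parse import parse_qs

# Constructed sample token (not a real signature): a container SAS (sr=c) with
# read-only permission (sp=r), a one-day window (st/se) and HTTPS only (spr).
SAMPLE_SAS = (
    "sv=2023-11-03&sr=c&sp=r&st=2024-05-01T00%3A00%3A00Z"
    "&se=2024-05-02T00%3A00%3A00Z&spr=https&sig=PLACEHOLDER"
)
UTC = datetime.timezone.utc


def parse_sas(sas_token: str) -> dict:
    """Split a SAS query string into a flat {field: value} dict."""
    return {k: v[0] for k, v in parse_qs(sas_token, keep_blank_values=True).items()}


def parse_sas_time(value: str) -> datetime.datetime:
    """Parse the UTC timestamp forms used in the st/se fields."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.datetime.strptime(value, fmt).replace(tzinfo=UTC)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(sas_token: str, max_lifetime=datetime.timedelta(days=1)) -> list:
    """Return findings for a service SAS; an empty list means it passed every check."""
    f = parse_sas(sas_token)
    findings = []
    extra = set(f.get("sp", "")) - {"r", "l"}          # anything beyond read/list
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    if f.get("sr") not in ("c", "b"):                  # container or blob only
        findings.append(f"unexpected signed resource sr={f.get('sr')!r}")
    if "se" not in f and "si" not in f:                # no expiry and no stored policy
        findings.append("no expiry (se) and no stored access policy (si)")
    elif "se" in f:
        start = parse_sas_time(f["st"]) if "st" in f else datetime.datetime.now(UTC)
        lifetime = parse_sas_time(f["se"]) - start
        if lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime} exceeds {max_lifetime}")
    if f.get("spr") != "https":                        # absent spr allows plain HTTP
        findings.append("plain HTTP allowed (spr is not 'https')")
    return findings


if __name__ == "__main__":
    print(audit_sas(SAMPLE_SAS) or "token meets the checks")
```

A token that specifies a stored access policy (si) carries its expiry in the policy rather than in se, so the audit accepts that case without a lifetime check.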

Use a service SAS to authorize a client object

You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

The following code example shows how to use the service SAS created in the earlier example to authorize a ContainerClient object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

    from azure.storage.blob import ContainerClient

    # container_client and sas_token come from the earlier example:
    # container_client is the ContainerClient the SAS was generated for,
    # and sas_token is the string returned by create_service_sas_container

    # The SAS token string can be appended to the resource URL with a ? delimiter
    # or passed as the credential argument to the client constructor
    sas_url = f"{container_client.url}?{sas_token}"

    # Create a ContainerClient object with SAS authorization
    container_client_sas = ContainerClient.from_container_url(container_url=sas_url)
