What are Azure Shared Access Signatures?

Azure Shared Access Signatures (SAS) are a way to grant secure, scoped access to resources in Azure, such as storage accounts, Azure Service Bus, and Azure Event Hubs, without exposing account keys or credentials.

A SAS token is a signed string that includes a resource URI, an expiry time, and a signature. The signature is computed with the account key (or a user delegation key) over a set of parameters that define the level of access granted, so any change to those parameters invalidates the signature.

Here are some examples of how SAS can be used:

1. Azure Storage Account:

Suppose you have an Azure Storage Account containing files that you want to share with a client for a limited time. You can generate a SAS token with read-only access to the container and files that you want to share. The client can use the SAS token to access the container and files without knowing the account key or credentials.

Here is an example of a SAS URL for a container (`sr=c`) with read-only permission (`sp=r`) that expires 24 hours after its start time (`st` and `se`):

```text
https://mystorageaccount.blob.core.windows.net/mycontainer?sv=2021-08-01&st=2023-03-08T16:32:11Z&se=2023-03-09T16:32:11Z&sr=c&sp=r&sig=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

2. Azure Service Bus:

Suppose you have an Azure Service Bus namespace that you want to use to send messages to a queue or topic. You can generate a SAS token with send permission for a limited time. The token can be used to send messages to the queue or topic without exposing the connection string or credentials.

Here is an example of a SAS token with send permission that expires in 1 hour:

```text
Endpoint=sb://my.servicebus.windows.net/;SharedAccessKeyName=mykeyname;SharedAccessKey=mykey;Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;ExpiresOn=1646833032
```

3. Azure Event Hubs:

Suppose you have an Azure Event Hubs namespace that you want to use to send events to an event hub. You can generate a SAS token with send permission for a limited time. The token can be used to send events to the event hub without exposing the connection string or credentials.

Here is an example of a SAS token with send permission that expires in 1 hour:

```text
Endpoint=sb://myeventhubsnamespace.servicebus.windows.net/;SharedAccessKeyName=mykeyname;SharedAccessKey=mykey;EntityPath=myeventhub;SharedAccessSignature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
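How the Service Bus and Event Hubs tokens above are produced and checked, as an added example that is not part of the original post: the signing step follows Azure's documented scheme for these services (HMAC-SHA256 over the URL-encoded resource URI and a Unix expiry, under the named shared access key), the queue name `myqueue` and the key value are constructed placeholders, and `verify_sas_token` is a stand-in for the check the service performs. The client should be handed only the resulting `SharedAccessSignature ...` string, which carries the key name but not the `SharedAccessKey` value itself.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus


def _sign(resource_uri: str, key: str, expiry: int) -> str:
    # Azure's string-to-sign: URL-encoded resource URI, newline, Unix expiry seconds.
    string_to_sign = quote_plus(resource_uri) + "\n" + str(expiry)
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("utf-8")


def generate_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Build the 'SharedAccessSignature sr=...&sig=...&se=...&skn=...' string a client presents.

    Only the key *name* (skn) travels in the token; the key value stays with the issuer.
    """
    return "SharedAccessSignature sr={}&sig={}&se={}&skn={}".format(
        quote_plus(resource_uri), quote_plus(_sign(resource_uri, key, expiry)), expiry, key_name
    )


def verify_sas_token(token: str, keys: dict, now: int) -> bool:
    """Service-side check: known key name, not yet expired, signature matches the claimed resource."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    params = {k: v[0] for k, v in parse_qs(token[len(prefix):]).items()}
    try:
        resource_uri, sig = params["sr"], params["sig"]
        expiry, key_name = int(params["se"]), params["skn"]
    except (KeyError, ValueError):
        return False  # malformed token
    if key_name not in keys or expiry <= now:
        return False  # unknown policy name, or token already expired
    # Recompute over the resource the token claims, so a swapped 'sr' or 'se' fails here.
    return hmac.compare_digest(_sign(resource_uri, keys[key_name], expiry), sig)


if __name__ == "__main__":
    # Constructed sample: 'myqueue' and the key value are placeholders, not real secrets.
    keys = {"mykeyname": "mykey"}
    expiry = int(time.time()) + 3600  # one-hour lifetime, as in the post
    token = generate_sas_token("https://my.servicebus.windows.net/myqueue", "mykeyname", keys["mykeyname"], expiry)
    print(token)
    print("valid now:", verify_sas_token(token, keys, int(time.time())))
    print("valid after expiry:", verify_sas_token(token, keys, expiry + 1))
```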

In summary, SAS provides a way to grant limited access to resources in Azure without exposing account keys or credentials. The access level and expiration time can be defined in the SAS token, which can be generated using the account key or a user-delegated key.

Author: tonyhughes