articles/storage/common/storage-sas-overview.md
Lines changed: 14 additions & 13 deletions
@@ -58,7 +58,6 @@ For more information about the account SAS, [Create an account SAS (REST API)](/
58
58
A shared access signature can take one of the following two forms:
59
59
60
60
-**Ad hoc SAS**. When you create an ad hoc SAS, the start time, expiry time, and permissions are specified in the SAS URI. Any type of SAS can be an ad hoc SAS.
61
-
62
61
-**Service SAS with stored access policy**. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints—the start time, expiry time, and permissions—defined for the stored access policy.
63
62
64
63
> [!NOTE]
@@ -90,7 +89,7 @@ When a request includes a SAS token, that request is authorized based on how tha
90
89
The following table summarizes how each type of SAS token is authorized.
91
90
92
91
| Type of SAS | Type of authorization |
93
-
|-|-|
92
+
| --- | --- |
94
93
| User delegation SAS (Blob Storage and Data Lake Storage only) | Microsoft Entra ID |
95
94
| Service SAS | Shared Key |
96
95
| Account SAS | Shared Key |
@@ -128,24 +127,17 @@ Many real-world services may use a hybrid of these two approaches. For example,
128
127
129
128
Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:
130
129
131
-
- When you copy a blob to another blob that resides in a different storage account.
132
-
133
-
You can optionally use a SAS to authorize access to the destination blob as well.
134
-
135
-
- When you copy a file to another file that resides in a different storage account.
130
+
- When you copy a blob to another blob that resides in a different storage account. You can optionally use a SAS to authorize access to the destination blob, as well.
136
131
137
-
You can optionally use a SAS to authorize access to the destination file as well.
132
+
- When you copy a file to another file that resides in a different storage account. You can optionally use a SAS to authorize access to the destination file, as well.
138
133
139
-
- When you copy a blob to a file, or a file to a blob.
140
-
141
-
You must use a SAS even if the source and destination objects reside within the same storage account.
134
+
- When you copy a blob to a file, or a file to a blob. You must use a SAS even if the source and destination objects reside within the same storage account.
142
135
143
136
## Best practices when using SAS
144
137
145
138
When you use shared access signatures in your applications, you need to be aware of two potential risks:
146
139
147
140
- If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
148
-
149
141
- If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.
150
142
151
143
The following recommendations for using shared access signatures can help mitigate these risks:
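Review bot: On new line 134, the requirement "You must use a SAS even if the source and destination objects reside within the same storage account" is now folded into the bullet in the same position as the optional "You can optionally use a SAS ..." sentences on new lines 130 and 132, so a reader skimming the list can no longer tell the mandatory case from the optional ones by layout. Consider keeping that sentence as an indented continuation paragraph under its bullet, or emphasizing "must", so the one case where a SAS is required within a single storage account stands out. The comma added in "destination blob, as well" and "destination file, as well" is not needed; the previous wording without it reads fine.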
@@ -194,14 +186,23 @@ To get started with shared access signatures, see the following articles for eac
194
186
-[Create a user delegation SAS for a container or blob with PowerShell](../blobs/storage-blob-user-delegation-sas-create-powershell.md)
195
187
-[Create a user delegation SAS for a container or blob with the Azure CLI](../blobs/storage-blob-user-delegation-sas-create-cli.md)
196
188
-[Create a user delegation SAS for a container or blob with .NET](../blobs/storage-blob-user-delegation-sas-create-dotnet.md)
189
+
-[Create a user delegation SAS for a container or blob with Python](../blobs/storage-blob-user-delegation-sas-create-python.md)
190
+
-[Create a user delegation SAS for a container or blob with JavaScript](../blobs/storage-blob-user-delegation-sas-create-javascript.md)
191
+
-[Create a user delegation SAS for a container or blob with Java](../blobs/storage-blob-user-delegation-sas-create-java.md)
197
192
198
193
### Service SAS
199
194
200
-
-[Create a service SAS for a container or blob with .NET](../blobs/sas-service-create.md)
195
+
-[Create a service SAS for a container or blob with .NET](../blobs/sas-service-create-dotnet.md)
196
+
-[Create a service SAS for a container or blob with Python](../blobs/sas-service-create-python.md)
197
+
-[Create a service SAS for a container or blob with JavaScript](../blobs/sas-service-create-javascript.md)
198
+
-[Create a service SAS for a container or blob with Java](../blobs/sas-service-create-java.md)
201
199
202
200
### Account SAS
203
201
204
202
-[Create an account SAS with .NET](storage-account-sas-create-dotnet.md)
203
+
-[Create an account SAS with Python](storage-account-sas-create-python.md)
204
+
-[Create an account SAS with JavaScript](../blobs/storage-blob-account-delegation-sas-create-javascript.md)
205
+
-[Create an account SAS with Java](storage-account-sas-create-java.md)
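Review bot: The new JavaScript link under "Account SAS" (new line 204) points to ../blobs/storage-blob-account-delegation-sas-create-javascript.md, while the .NET, Python and Java account SAS links on new lines 202, 203 and 205 all use storage-account-sas-create-<language>.md in the current directory. Please confirm that the target exists and is the account SAS article; the "account-delegation" file name mixes the names of two SAS types listed on this page and could send readers to guidance for the wrong one. Separately, new line 195 changes the .NET service SAS target from sas-service-create.md to sas-service-create-dotnet.md, so check that a redirect covers the old path and that no other article still links to it.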