Explaining Azure SAS Tokens
An Azure Shared Access Signature (SAS) authorization token is used to grant limited, time-bound access to Azure resources without sharing the account key.
Purpose:
It allows clients to perform specific actions (like read, write, or delete) on Azure resources such as:
- Blob storage
- File shares
- Queues
- Tables
What's in a SAS token:
- Resource URI
- Permissions (e.g., r for read, w for write)
- Start and expiry time
- Optional IP or protocol restrictions
- Signature (generated using the account key)
Example Use Case:
You want to let a user download a file from Azure Blob Storage for 15 minutes without giving them the storage account key — you generate a SAS URL with read permission and a 15-minute expiry.
Benefits:
- Fine-grained access control
- Temporary access
- No need to expose long-term credentials
Use of HTTP Authorization Header
When using an Azure SAS (Shared Access Signature) token for authentication, you do *not* use the Authorization header.
Instead, the SAS token is appended to the request URL as query parameters.
Example of a request using a SAS token:
GET https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2023-11-03&ss=b&srt=sco&sp=r&se=2024-07-01T00:00:00Z&st=2024-06-01T00:00:00Z&spr=https&sig=abc123...
In this case:
- The entire SAS token (starting from ?sv=...) is part of the URL, so the full URL is effectively a credential: anything that records URLs (proxy or server logs, browser history) records the token too.
- No Authorization header is required.
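Because the token lives entirely in the query string, it can be inspected before a URL is handed out and redacted before the URL is logged. The following is an added example (not code from the original page or from Azure's SDKs) that parses a SAS URL like the one above, flags over-broad settings, and masks the signature; the sample URL and its sig value are constructed, and the sip= field name for the IP restriction is assumed from the SAS query-parameter set.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample, modelled on the request shown above; sig is a placeholder.
SAMPLE_SAS_URL = (
    "https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt"
    "?sv=2023-11-03&ss=b&srt=sco&sp=r&se=2024-07-01T00:00:00Z"
    "&st=2024-06-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
)

# Letters that can appear in sp= (r and w are the ones named above).
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "c": "create", "a": "add"}

def parse_sas_url(url):
    """Split a SAS URL into the resource URI and a dict of the SAS query fields."""
    parts = urlsplit(url)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")), fields

def _parse_time(value):
    # SAS times are UTC ISO-8601, e.g. 2024-07-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(fields, now_iso, max_lifetime_hours=1):
    """Return findings about the token's scope; an empty list means no concerns."""
    now, findings = _parse_time(now_iso), []
    perms = [PERMISSIONS.get(p, p) for p in fields.get("sp", "")]
    if "se" not in fields:
        findings.append("no expiry (se)")
    elif _parse_time(fields["se"]) <= now:
        findings.append("expired at " + fields["se"])
    elif _parse_time(fields["se"]) - now > timedelta(hours=max_lifetime_hours):
        findings.append("expiry %s is more than %dh away" % (fields["se"], max_lifetime_hours))
    for p in ("write", "delete"):
        if p in perms:
            findings.append("grants " + p)
    if "sip" not in fields:  # sip= carries the optional IP restriction (assumed name)
        findings.append("no IP restriction (sip)")
    if fields.get("spr") != "https":
        findings.append("not limited to HTTPS (spr)")
    return findings

def redact_sas_url(url):
    """Replace the sig value so the URL can be logged without leaking a usable token."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "sig" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs, safe=":"), ""))

if __name__ == "__main__":
    resource, fields = parse_sas_url(SAMPLE_SAS_URL)
    print(resource, fields["sp"], audit_sas(fields, "2024-06-15T12:00:00Z"))
    print(redact_sas_url(SAMPLE_SAS_URL))
```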
 
If You Use an Authorization Header:
- It will be ignored unless you're using Azure AD token-based authentication, which is a different method.
 
Summary:
| Authentication Method | Usage of Authorization Header |
|---|---|
| SAS Token | *Do not use it* — include in URL | 
| Azure AD Token | Authorization: Bearer <token> |