In Azure to provide someone access you can either share them your Storage Key, and provide them the permission to even delete your valuable data, or provide them limited access based upon the requirement.

For providing limited set of permissions, SAS token is used. This is basically a key to your storage having some set of permissions and also the validity of this key.

To generate one using Portal, go to your Storage Account and then uner the setting tab is the option of “Shared access signature”.

Once here you can select the specific set of permissions and click “Generate SAS and connection string”

It will generate the SAS token for you, for the above options for me I have got the below SAS token.

?sv=2019-12-12&ss=b&srt=o&sp=rwdlacx&se=2020-08-24T13:22:19Z& st=2020-08-24T05:22:19Z& spr=https& sig=%2Fc4wZ55b6TM92e5eNdfdsfsdeEjhhDkNGFZOhMlqs%3D

Breaking the SAS down

The SAS token as above is made of different sections and all the details about the permissions, signature and the other information.

sv=2019-12-12 : Storage service version, this is the storage Service version.

ss=b : Signed services, based upon the allowed services chosen it could be b(Blob), f(File), q(Queue) and t(Table).

srt=o : Signed resource types, they are all the allowed resource types and could be s(Service), c(Container), o(Object).

sp=rwdlacx : Signed permissions, these are permissions that you have provided and could be r(Read), w(Write), d(Delete), l(List), a(Add), c(Create), u(Update). p(Process) and x if you have chosen to enables the deletion of versions.

se=2020-08-24T13:22:19Z : Signed expiry, the time at which this token will expire

st=2020-08-24T05:22:19Z : Signed start, the time from which this token is valid.

spr=https : Signed protocol, these are the protocols which are allowed. Could be https or https,http.

sig=%2Fc4wZ55b6TM92e5eNdfdsfsdeEjhhDkNGFZOhMlqs%3D : Signature, this is the signature to verify the identity.