Shared Access Signature
A Shared Access Signature (SAS) token is an Azure security token that grants limited, time-bound access rights to specific Azure Storage resources — without exposing the account key directly.
⚙️ How Does It Work?
SAS tokens are generated from the storage account key and encode the permitted operations, resource scope, and expiry time into a signed URL or header. The token grants exactly the permissions specified — no more, no less.
📍 Where Is It Used?
Azure Blob Storage, Queue Storage, Table Storage — anywhere applications or external parties need temporary, scoped access to Azure storage resources.
💡 Real-World Example
A media company generates time-limited SAS tokens (valid 24 hours) to allow customers to download purchased video files from Azure Blob Storage. The tokens grant only read access to the specific file path. When the token expires, the download link stops working automatically.
🔗 Related Terms
Stay Ahead in Identity Security
Get weekly IAM, PAM & IGA insights via Identity Pulse.
Subscribe to Identity Pulse →