HomeIdentity Security Encyclopedia › SAS Token

SAS Token

Shared Access Signature

A Shared Access Signature (SAS) token is an Azure security token that grants limited, time-bound access rights to specific Azure Storage resources — without exposing the account key directly.

Cloud Azure NHI Token

❓ What is SAS Token?

A Shared Access Signature (SAS) token is an Azure security token that grants limited, time-bound access rights to specific Azure Storage resources — without exposing the account key directly.

⚙️ How Does It Work?

SAS tokens are generated from the storage account key and encode the permitted operations, resource scope, and expiry time into a signed URL or header. The token grants exactly the permissions specified — no more, no less.

📍 Where Is It Used?

Azure Blob Storage, Queue Storage, Table Storage — anywhere applications or external parties need temporary, scoped access to Azure storage resources.

💡 Real-World Example

A media company generates time-limited SAS tokens (valid 24 hours) to allow customers to download purchased video files from Azure Blob Storage. The tokens grant only read access to the specific file path. When the token expires, the download link stops working automatically.

🔗 Related Terms

Cloud Identity Azure Managed Identity Least Privilege Non-Human Identity
← Ransomware and IdentitySecret Rotation →

Stay Ahead in Identity Security

Get weekly IAM, PAM & IGA insights delivered to your inbox via Identity Pulse.

Subscribe to Identity Pulse →
Scroll to top