Delegating Access with a Shared Access Signature (REST API)
Updated: June 12, 2012
A shared access signature is a URI that grants restricted access rights to containers, blobs, queues, and tables. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.
A shared access signature can grant any of the following operations to a client that possesses the signature:
- Reading and writing page or block blob content, block lists, properties, and metadata
- Deleting, leasing, and creating a snapshot of a blob
- Listing the blobs within a container
- Adding, removing, updating, and deleting queue messages (in version 2012-02-12 and newer)
- Getting queue metadata, including the message count (in version 2012-02-12 and newer)
- Querying, adding, updating, deleting, and upserting table entities (in version 2012-02-12 and newer)
The shared access signature URI query parameters incorporate all of the information necessary to grant controlled access to a storage resource. The URI query parameters specify the time interval over which the shared access signature is valid, the permissions that it grants, the resource that is to be made available, and the signature that the storage services should use to authenticate the request. For details on how the shared access signature is constructed, see Constructing the Shared Access Signature URI (REST API). For examples of shared access signatures, see Examples of Shared Access Signatures (REST API).
Additionally, the shared access signature URI can reference a stored access policy that provides an additional level of control over a set of signatures, including the ability to modify or revoke access to the resource if necessary. For more information on stored access policies, see Establishing a Stored Access Policy (REST API) and Using a Stored Access Policy.
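The following added example (not part of the original documentation) reads the query parameters of a shared access signature URI and reports what it grants, for reviewing a signature before it is distributed. It assumes the service's query parameter names (st, se, sr, sp, si, sig); the account name, policy name, signature values, and the one-hour lifetime threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MODIFYING = set("wdaup")  # write, delete, add, update, process
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")
# Constructed sample URIs; account, policy name and sig are placeholders.
SAMPLE_ADHOC = (
    "https://exampleaccount.blob.core.windows.net/pictures/photo.jpg"
    "?sv=2012-02-12&st=2012-06-12T08:00:00Z&se=2012-06-19T08:00:00Z&sr=b&sp=rw&sig=PLACEHOLDER")
SAMPLE_POLICY = (
    "https://exampleaccount.blob.core.windows.net/pictures"
    "?sv=2012-02-12&sr=c&si=readers&sig=PLACEHOLDER")

def parse_time(value):
    """Parse the UTC ISO 8601 forms used for st/se; None if unparseable."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_sas(uri, now, max_lifetime=timedelta(hours=1)):
    """Return findings for one SAS URI. max_lifetime is a local policy choice."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    findings = []
    if "sig" not in q:
        findings.append("missing sig: not a usable shared access signature")
    policy = q.get("si")
    if policy:
        findings.append(f"references stored access policy '{policy}'")
    else:
        findings.append("ad hoc: no stored access policy to modify or revoke it through")
    expiry = parse_time(q["se"]) if "se" in q else None
    if expiry is None:
        if not policy:
            findings.append("no parseable expiry (se) and no stored access policy")
    else:
        start = (parse_time(q["st"]) if "st" in q else None) or now
        if expiry <= now:
            findings.append("already expired")
        elif expiry - max(start, now) > max_lifetime:
            findings.append("remaining lifetime exceeds local limit")
    modifying = sorted(set(q.get("sp", "")) & MODIFYING)
    if modifying:
        findings.append("grants modifying permissions: " + "".join(modifying))
    return findings
```

When a signature references a stored access policy, the interval and permissions may be defined in that policy rather than in the URI, so the check does not flag their absence.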