Delegating Access with a Shared Access Signature
Updated: August 4, 2015
A shared access signature is a URI that grants restricted access rights to containers, blobs, queues, tables, shares, and files. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.
The shared access signature URI query parameters incorporate all of the information necessary to grant controlled access to a storage resource. The URI query parameters specify the time interval over which the shared access signature is valid, the permissions that it grants, the resource that is to be made available, and the signature that the storage services should use to authenticate the request. For details on how the shared access signature is constructed, see Constructing the Shared Access Signature URI. For examples of shared access signatures, see Examples of Shared Access Signatures.
Additionally, the shared access signature URI can reference a stored access policy that provides an additional level of control over a set of signatures, including the ability to modify or revoke access to the resource if necessary. For more information on stored access policies, see Establishing a Stored Access Policy.
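The query parameters described above can be inspected before a shared access signature URI is handed to a client. The following Python sketch is an added example, not code from the original page or from the storage service: it splits a SAS URI into the validity interval (`st`, `se`), permissions (`sp`), resource type (`sr`), stored access policy reference (`si`) and signature (`sig`), and reports settings a reviewer would question. The sample URIs, the 24-hour lifetime limit and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URIs: account, container, policy and signature are placeholders.
AD_HOC_SAS = ("https://exampleaccount.blob.core.windows.net/reports/q2.pdf"
              "?sv=2015-04-05&sr=b&sp=rwd&st=2015-08-01T00:00:00Z"
              "&se=2016-08-01T00:00:00Z&sig=PLACEHOLDER")
POLICY_SAS = ("https://exampleaccount.blob.core.windows.net/reports"
              "?sv=2015-04-05&sr=c&si=read-only-policy&sig=PLACEHOLDER")
MAX_LIFETIME = timedelta(hours=24)  # assumed local policy, not a service limit


def _parse_time(value):
    # Assumes the second-resolution UTC form, e.g. 2015-08-04T12:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(uri, now):
    """Return (fields, findings) for a SAS URI without contacting the service."""
    parts = urlsplit(uri)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields = {"resource": parts.path, "resource_type": q.get("sr"),
              "permissions": q.get("sp"), "start": q.get("st"),
              "expiry": q.get("se"), "stored_policy": q.get("si"),
              "has_signature": "sig" in q}
    findings = []
    if parts.scheme != "https":
        findings.append("URI is not HTTPS, so the token is exposed in transit")
    if not fields["has_signature"]:
        findings.append("no sig parameter, so the request cannot be authenticated")
    if fields["stored_policy"]:
        # Interval and permissions may be defined by the policy on the service
        # side, where they can be modified or revoked; nothing more to judge here.
        return fields, findings
    findings.append("no stored access policy referenced, so none to modify or revoke")
    if not fields["expiry"]:
        findings.append("no expiry (se) and no stored access policy")
    else:
        expiry = _parse_time(fields["expiry"])
        start = _parse_time(fields["start"]) if fields["start"] else now
        if expiry <= now:
            findings.append("signature has already expired")
        elif expiry - max(start, now) > MAX_LIFETIME:
            findings.append("remaining validity exceeds the assumed 24-hour limit")
    if set(fields["permissions"] or "") & set("wd"):
        findings.append("grants write or delete permission")
    return fields, findings
```

The check works only on the URI text; it does not verify the signature or read the stored access policy, both of which require the storage service.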