Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Delegating Access with a Shared Access Signature

Updated: February 26, 2015

A shared access signature is a URI that grants restricted access rights to containers, blobs, queues, and tables. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you can grant them access to a resource for a specified period of time, with a specified set of permissions.

A shared access signature can grant any of the following operations to a client that possesses the signature:

  • Reading and writing page or block blob content, block lists, properties, and metadata

  • Deleting, leasing, and creating a snapshot of a blob

  • Listing the blobs within a container

  • Adding, removing, updating, and deleting queue messages (in version 2012-02-12 and newer)

  • Getting queue metadata, including the message count (in version 2012-02-12 and newer)

  • Querying, adding, updating, deleting, and upserting table entities (in version 2012-02-12 and newer)

  • Copying to a blob from another blob within the same account (in version 2013-08-15 and newer)

The shared access signature URI query parameters incorporate all of the information necessary to grant controlled access to a storage resource. The URI query parameters specify the time interval over which the shared access signature is valid, the permissions that it grants, the resource that is to be made available, and the signature that the storage services should use to authenticate the request. For details on how the shared access signature is constructed, see Constructing the Shared Access Signature URI. For examples of shared access signatures, see Examples of Shared Access Signatures.

Additionally, the shared access signature URI can reference a stored access policy that provides an additional level of control over a set of signatures, including the ability to modify or revoke access to the resource if necessary. For more information on stored access policies, see Establishing a Stored Access Policy and Use a Stored Access Policy.

See Also

© 2015 Microsoft