Create an account SAS with Python
A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.
Every SAS is signed with a key. You can sign a SAS in one of two ways:
- With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
- With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.
Note
A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).
This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for Python.
An account SAS is created at the level of the storage account. By creating an account SAS, you can:
- Delegate access to service-level operations that aren't currently available with a service-specific SAS, such as Get Blob Service Properties, Set Blob Service Properties, and Get Blob Service Stats.
- Delegate access to more than one service in a storage account at a time. For example, you can delegate access to resources in both Azure Blob Storage and Azure Files by using an account SAS.
Stored access policies aren't supported for an account SAS.
An account SAS is signed with the account access key. The following code example shows how to call the generate_account_sas method to get the account SAS token string.
```python
import datetime

from azure.storage.blob import (
    AccountSasPermissions,
    ResourceTypes,
    generate_account_sas,
)


def create_account_sas(self, account_name: str, account_key: str):
    # Create an account SAS that's valid for one day
    start_time = datetime.datetime.now(datetime.timezone.utc)
    expiry_time = start_time + datetime.timedelta(days=1)

    # Define the SAS token permissions (read-only)
    sas_permissions = AccountSasPermissions(read=True)

    # Define the SAS token resource types
    # For this example, we grant access to service-level APIs only
    sas_resource_types = ResourceTypes(service=True)

    # Sign the SAS with the storage account key
    sas_token = generate_account_sas(
        account_name=account_name,
        account_key=account_key,
        resource_types=sas_resource_types,
        permission=sas_permissions,
        expiry=expiry_time,
        start=start_time
    )

    return sas_token
```
Valid parameters for the ResourceTypes constructor are:
- service: default is False; set to True to grant access to service-level APIs.
- container: default is False; set to True to grant access to container-level APIs.
- object: default is False; set to True to grant access to object-level APIs for blobs, queue messages, and files.
For available permissions, see AccountSasPermissions.
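The token string returned by generate_account_sas is a URL query string whose parameters (sp, srt, ss, se, spr) encode exactly the constraints chosen above. As an added example that is not part of this article or the Azure SDK, the following pure-Python check parses such a token and flags anything broader than the read-only, service-level, one-day SAS built above; the MAX_LIFETIME policy, CHECK_TIME, the sample tokens and their placeholder signatures are all constructed here.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs

# Account SAS query parameters (names as emitted by generate_account_sas):
# sv=version, ss=services, srt=resource types, sp=permissions,
# st/se=start/expiry (UTC), spr=protocol, sig=signature.
MAX_LIFETIME = timedelta(days=1)          # hypothetical policy limit
READ_ONLY_PERMS = {"r", "l"}              # read and list; anything else is flagged
CHECK_TIME = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)  # constructed "now"


def _parse_sas_time(value: str) -> datetime:
    # The SDK emits UTC timestamps such as 2024-01-01T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_account_sas(sas_token: str, now: Optional[datetime] = None) -> List[str]:
    """Return policy findings for an account SAS query string; empty means it passes."""
    params = {k: v[0] for k, v in parse_qs(sas_token.lstrip("?")).items()}
    findings = [f"missing parameter {p}" for p in ("sv", "ss", "srt", "sp", "se", "sig")
                if p not in params]
    if findings:
        return findings
    now = now or datetime.now(timezone.utc)
    expiry = _parse_sas_time(params["se"])
    if expiry <= now:
        findings.append("token is already expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"lifetime exceeds {MAX_LIFETIME}: expires {params['se']}")
    extra = set(params["sp"]) - READ_ONLY_PERMS
    if extra:
        findings.append(f"grants non-read permissions: {''.join(sorted(extra))}")
    if "o" in params["srt"]:
        findings.append("grants object-level access (blobs, queue messages, files)")
    if len(params["ss"]) > 1:
        findings.append(f"spans multiple services: {params['ss']}")
    if params.get("spr") != "https":
        findings.append("does not require HTTPS (spr missing or not 'https')")
    return findings


# Constructed sample tokens; the signatures are placeholders, not real values.
LEAST_PRIVILEGE = ("sv=2021-08-06&ss=b&srt=s&sp=r&st=2024-01-01T00:00:00Z"
                   "&se=2024-01-02T00:00:00Z&spr=https&sig=PLACEHOLDER")
OVERBROAD = "sv=2021-08-06&ss=bqtf&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, token in (("least-privilege", LEAST_PRIVILEGE), ("overbroad", OVERBROAD)):
        print(name, audit_account_sas(token, now=CHECK_TIME) or ["OK"])
```

Run the check on the string returned by create_account_sas before appending it to a URL or handing it to a client; a non-empty result means the token grants more than the article's example intends.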
To use the account SAS to access service-level APIs for the Blob service, create a BlobServiceClient object using the account SAS and the Blob Storage endpoint for your storage account.
```python
from azure.storage.blob import BlobServiceClient

# blob_service_client is the existing client for the account; sas_token comes from create_account_sas
# The SAS token string can be appended to the account URL with a ? delimiter
# or passed as the credential argument to the client constructor
account_sas_url = f"{blob_service_client.url}?{sas_token}"

# Create a BlobServiceClient object authorized by the account SAS
blob_service_client_sas = BlobServiceClient(account_url=account_sas_url)
```
You can also use an account SAS to authorize and work with a ContainerClient object or BlobClient object, if those resource types are granted access as part of the signature values.
To learn more about creating an account SAS using the Azure Blob Storage client library for Python, see the following resources.