Create an account SAS with Java

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.

Note

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for Java.

About the account SAS

An account SAS is created at the level of the storage account, and is signed with the account access key. By creating an account SAS, you can:

  • Delegate access to service-level operations that aren't currently available with a service-specific SAS, such as Get Blob Service Properties, Set Blob Service Properties and Get Blob Service Stats.
  • Delegate access to more than one service in a storage account at a time. For example, you can delegate access to resources in both Azure Blob Storage and Azure Files by using an account SAS.

Stored access policies aren't supported for an account SAS.

Set up your project

To work with the code examples in this article, add the following import directives:

import com.azure.storage.blob.*;
import com.azure.storage.blob.models.*;
import com.azure.storage.blob.sas.*;
import com.azure.storage.common.sas.AccountSasPermission;
import com.azure.storage.common.sas.AccountSasResourceType;
import com.azure.storage.common.sas.AccountSasService;
import com.azure.storage.common.sas.AccountSasSignatureValues;

Create an account SAS

You can create an account SAS to delegate limited access to storage account resources using the following method:

To configure the signature values for the account SAS, use the following helper classes:

  • AccountSasPermission: Represents the permissions allowed by the SAS. In our example, we set the read permission to true.
  • AccountSasService: Represents the services accessible by the SAS. In our example, we allow access to the Blob service.
  • AccountSasResourceType: Represents the resource types accessible by the SAS. In our example, we allow access to service-level APIs.

Once the helper classes are configured, you can initialize parameters for the SAS with an AccountSasSignatureValues instance.

The following code example shows how to configure SAS parameters and call the generateAccountSas method to get the account SAS:

public String createAccountSAS(BlobServiceClient blobServiceClient) {
    // Configure the SAS parameters
    OffsetDateTime expiryTime = OffsetDateTime.now().plusDays(1);
    AccountSasPermission accountSasPermission = new AccountSasPermission()
            .setReadPermission(true);
    AccountSasService services = new AccountSasService()
            .setBlobAccess(true);
    AccountSasResourceType resourceTypes = new AccountSasResourceType()
            .setService(true);

    // Generate the account SAS
    AccountSasSignatureValues accountSasValues = new AccountSasSignatureValues(
        expiryTime,
        accountSasPermission,
        services,
        resourceTypes);
    String sasToken = blobServiceClient.generateAccountSas(accountSasValues);

    return sasToken;
}

Use an account SAS from a client

The following code example shows how to use the account SAS created in the earlier example to authorize a BlobServiceClient object. This client object can then be used to access service-level APIs based on the permissions granted by the SAS.

First, create a BlobServiceClient object signed with the account access key:

String accountName = "<account-name>";
String accountKey = "<account-key>";
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
        
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
        .endpoint(String.format("https://%s.blob.core.windows.net/", accountName))
        .credential(credential)
        .buildClient();

Then, generate the account SAS as shown in the earlier example and use the SAS to authorize a BlobServiceClient object:

// Create a SAS token
String sasToken = createAccountSAS(blobServiceClient);

// Create a new BlobServiceClient using the SAS token
BlobServiceClient sasServiceClient = new BlobServiceClientBuilder()
        .endpoint(blobServiceClient.getAccountUrl())
        .sasToken(sasToken)
        .buildClient();

You can also use an account SAS to authorize and work with a BlobContainerClient object or BlobClient object, if those resource types are granted access as part of the signature values.

Resources

To learn more about creating an account SAS using the Azure Blob Storage client library for Java, see the following resources.

Code samples

Client library resources

See also