Create a service SAS for a container or blob with Python

Artikel
06/09/2024

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.

Nota

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for Python.

About the service SAS

A service SAS is signed with the storage account access key. A service SAS delegates access to a resource in a single Azure Storage service, such as Blob Storage.

You can also use a stored access policy to define the permissions and duration of the SAS. If the name of an existing stored access policy is provided, that policy is associated with the SAS. To learn more about stored access policies, see Define a stored access policy. If no stored access policy is provided, the code examples in this article show how to define permissions and duration for the SAS.

Create a service SAS

You can create a service SAS for a container or blob, based on the needs of your app.

Container
Blob

You can create a service SAS to delegate limited access to a container resource using the following method:

generate_container_sas

The storage account access key used to sign the SAS is passed to the method as the account_key argument. Allowed permissions are passed to the method as the permission argument, and are defined in the ContainerSasPermissions class.

The following code example shows how to create a service SAS with read permissions for a container resource:

Python

def create_service_sas_container(self, container_client: ContainerClient, account_key: str):
    # Create a SAS token that's valid for one day, as an example
    start_time = datetime.datetime.now(datetime.timezone.utc)
    expiry_time = start_time + datetime.timedelta(days=1)

    sas_token = generate_container_sas(
        account_name=container_client.account_name,
        container_name=container_client.container_name,
        account_key=account_key,
        permission=ContainerSasPermissions(read=True),
        expiry=expiry_time,
        start=start_time
    )

    return sas_token

You can create a service SAS to delegate limited access to a blob resource using the following method:

generate_blob_sas

The following code example shows how to create a service SAS with read permissions for a blob resource:

Python

def create_service_sas_blob(self, blob_client: BlobClient, account_key: str):
    # Create a SAS token that's valid for one day, as an example
    start_time = datetime.datetime.now(datetime.timezone.utc)
    expiry_time = start_time + datetime.timedelta(days=1)

    sas_token = generate_blob_sas(
        account_name=blob_client.account_name,
        container_name=blob_client.container_name,
        blob_name=blob_client.blob_name,
        account_key=account_key,
        permission=BlobSasPermissions(read=True),
        expiry=expiry_time,
        start=start_time
    )

    return sas_token

Use a service SAS to authorize a client object

You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

Container
Blob

The following code example shows how to use the service SAS created in the earlier example to authorize a ContainerClient object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

Python

# The SAS token string can be appended to the resource URL with a ? delimiter
# or passed as the credential argument to the client constructor
sas_url = f"{container_client.url}?{sas_token}"

# Create a ContainerClient object with SAS authorization
container_client_sas = ContainerClient.from_container_url(container_url=sas_url)

The following code example shows how to use the service SAS created in the earlier example to authorize a BlobClient object. This client object can be used to perform operations on the blob resource based on the permissions granted by the SAS.

Python

# The SAS token string can be appended to the resource URL with a ? delimiter
# or passed as the credential argument to the client constructor
sas_url = f"{blob_client.url}?{sas_token}"

# Create a BlobClient object with SAS authorization
blob_client_sas = BlobClient.from_blob_url(blob_url=sas_url)

Resources

To learn more about using the Azure Blob Storage client library for Python, see the following resources.

Code samples

View code samples from this article (GitHub)

Kongsi melalui

Create a service SAS for a container or blob with Python

About the service SAS

Create a service SAS

Use a service SAS to authorize a client object

Resources

Code samples

Client library resources

See also

Maklum balas

Sumber tambahan