Create a service SAS for a container or blob with Java
A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.
Every SAS is signed with a key. You can sign a SAS in one of two ways:
- With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
- With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.
Note
A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).
This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for Java.
About the service SAS
A service SAS is signed with the account access key. You can use the StorageSharedKeyCredential class to create the credential that is used to sign the service SAS.
You can also use a stored access policy to define the permissions and duration of the SAS. If the name of an existing stored access policy is provided, that policy is associated with the SAS. To learn more about stored access policies, see Define a stored access policy. If no stored access policy is provided, the code examples in this article show how to define permissions and duration for the SAS.
Create a service SAS
You can create a service SAS for a container or blob, based on the needs of your app.
You can create a service SAS to delegate limited access to a container resource using the following method:
SAS signature values, such as expiry time and signed permissions, are passed to the method as part of a BlobServiceSasSignatureValues instance. Permissions are specified as a BlobContainerSasPermission instance.
The following code example shows how to create a service SAS with read permissions for a container resource:
public String createServiceSASContainer(BlobContainerClient containerClient) {
// Create a SAS token that's valid for 1 day, as an example
OffsetDateTime expiryTime = OffsetDateTime.now().plusDays(1);
// Assign read permissions to the SAS token
BlobContainerSasPermission sasPermission = new BlobContainerSasPermission()
.setReadPermission(true);
BlobServiceSasSignatureValues sasSignatureValues = new BlobServiceSasSignatureValues(expiryTime, sasPermission)
.setStartTime(OffsetDateTime.now().minusMinutes(5));
String sasToken = containerClient.generateSas(sasSignatureValues);
return sasToken;
}
Use a service SAS to authorize a client object
You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.
The following code examples show how to use the service SAS to authorize a BlobContainerClient object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.
First, create a BlobServiceClient object signed with the account access key:
String accountName = "<account-name>";
String accountKey = "<account-key>";
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
.endpoint(String.format("https://%s.blob.core.windows.net/", accountName))
.credential(credential)
.buildClient();
Then, generate the service SAS as shown in the earlier example and use the SAS to authorize a BlobContainerClient object:
// Create a SAS token
BlobContainerClient containerClient = blobServiceClient
.getBlobContainerClient("sample-container");
String sasToken = createServiceSASContainer(containerClient);
// Create a new BlobContainerClient using the SAS token
BlobContainerClient sasContainerClient = new BlobContainerClientBuilder()
.endpoint(containerClient.getBlobContainerUrl())
.sasToken(sasToken)
.buildClient();
Resources
To learn more about using the Azure Blob Storage client library for Java, see the following resources.