A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.
Every SAS is signed with a key. You can sign a SAS in one of two ways:
This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for Java.
About the service SASA service SAS is signed with the account access key. You can use the StorageSharedKeyCredential class to create the credential that is used to sign the service SAS.
You can also use a stored access policy to define the permissions and duration of the SAS. If the name of an existing stored access policy is provided, that policy is associated with the SAS. To learn more about stored access policies, see Define a stored access policy. If no stored access policy is provided, the code examples in this article show how to define permissions and duration for the SAS.
Create a service SASYou can create a service SAS for a container or blob, based on the needs of your app.
You can create a service SAS to delegate limited access to a container resource using the following method:
SAS signature values, such as expiry time and signed permissions, are passed to the method as part of a BlobServiceSasSignatureValues instance. Permissions are specified as a BlobContainerSasPermission instance.
The following code example shows how to create a service SAS with read permissions for a container resource:
public String createServiceSASContainer(BlobContainerClient containerClient) {
// Create a SAS token that's valid for 1 day, as an example
OffsetDateTime expiryTime = OffsetDateTime.now().plusDays(1);
// Assign read permissions to the SAS token
BlobContainerSasPermission sasPermission = new BlobContainerSasPermission()
.setReadPermission(true);
BlobServiceSasSignatureValues sasSignatureValues = new BlobServiceSasSignatureValues(expiryTime, sasPermission)
.setStartTime(OffsetDateTime.now().minusMinutes(5));
String sasToken = containerClient.generateSas(sasSignatureValues);
return sasToken;
}
You can create a service SAS to delegate limited access to a blob resource using the following method:
SAS signature values, such as expiry time and signed permissions, are passed to the method as part of a BlobServiceSasSignatureValues instance. Permissions are specified as a BlobSasPermission instance.
The following code example shows how to create a service SAS with read permissions for a blob resource:
public String createServiceSASBlob(BlobClient blobClient) {
// Create a SAS token that's valid for 1 day, as an example
OffsetDateTime expiryTime = OffsetDateTime.now().plusDays(1);
// Assign read permissions to the SAS token
BlobSasPermission sasPermission = new BlobSasPermission()
.setReadPermission(true);
BlobServiceSasSignatureValues sasSignatureValues = new BlobServiceSasSignatureValues(expiryTime, sasPermission)
.setStartTime(OffsetDateTime.now().minusMinutes(5));
String sasToken = blobClient.generateSas(sasSignatureValues);
return sasToken;
}
You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.
The following code examples show how to use the service SAS to authorize a BlobContainerClient object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.
First, create a BlobServiceClient object signed with the account access key:
String accountName = "<account-name>";
String accountKey = "<account-key>";
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
.endpoint(String.format("https://%s.blob.core.windows.net/", accountName))
.credential(credential)
.buildClient();
Then, generate the service SAS as shown in the earlier example and use the SAS to authorize a BlobContainerClient object:
// Create a SAS token
BlobContainerClient containerClient = blobServiceClient
.getBlobContainerClient("sample-container");
String sasToken = createServiceSASContainer(containerClient);
// Create a new BlobContainerClient using the SAS token
BlobContainerClient sasContainerClient = new BlobContainerClientBuilder()
.endpoint(containerClient.getBlobContainerUrl())
.sasToken(sasToken)
.buildClient();
The following code example shows how to use the service SAS created in the earlier example to authorize a BlobClient object. This client object can be used to perform operations on the blob resource based on the permissions granted by the SAS.
First, create a BlobServiceClient object signed with the account access key:
String accountName = "<account-name>";
String accountKey = "<account-key>";
StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
.endpoint(String.format("https://%s.blob.core.windows.net/", accountName))
.credential(credential)
.buildClient();
Then, generate the service SAS as shown in the earlier example and use the SAS to authorize a BlobClient object:
// Create a SAS token
BlobClient blobClient = blobServiceClient
.getBlobContainerClient("sample-container")
.getBlobClient("sample-blob.txt");
String sasToken = createServiceSASBlob(blobClient);
// Create a new BlobClient using the SAS token
BlobClient sasBlobClient = new BlobClientBuilder()
.endpoint(blobClient.getBlobUrl())
.sasToken(sasToken)
.buildClient();
To learn more about using the Azure Blob Storage client library for Java, see the following resources.
Code samples Client library resources See alsoRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4