Shared Access Signatures (SAS) enable customers to delegate access rights to data within their storage accounts without having to share their storage account keys. In late 2015 we announced a new type of SAS token called Account SAS that provided support for the Blob and File Services. Today we are pleased to announce that Account SAS is also supported for the Azure Storage Table and Queue services. These capabilities are available with Version 2015-04-05 of the Azure Storage Service.
Account SAS delegates access to resources in one or more of the storage services, with a scope comparable to the storage account keys themselves. This lets you delegate rights to create and modify blob containers, tables, queues and file shares, and to call account-level metadata operations such as Get/Set Service Properties and Get Service Stats. For security reasons, Account SAS does not grant access to the permission-related operations "Set Container ACL", "Set Table ACL", "Set Queue ACL" and "Set Share ACL": those could be used to widen access beyond what the SAS itself conveys, so they still require the account key.
The code snippet below creates a shared access account policy and uses it to issue an Account SAS token for the Blob and Table services with read, write, list, create and delete permissions on containers and objects. The token is configured to expire 24 hours from now.
using System;
using Microsoft.WindowsAzure.Storage;

// Policy describing what the Account SAS may do: which permissions, which services
// (Blob and Table here), which resource levels (container and object), and for how long.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
    Permissions = SharedAccessAccountPermissions.Read |
                  SharedAccessAccountPermissions.Write |
                  SharedAccessAccountPermissions.List |
                  SharedAccessAccountPermissions.Create |
                  SharedAccessAccountPermissions.Delete,
    Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.Table,
    ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
    SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
    // HttpsOrHttp allows the token to be presented over plain HTTP;
    // prefer SharedAccessProtocol.HttpsOnly so the bearer token is never sent in the clear.
    Protocols = SharedAccessProtocol.HttpsOrHttp
};

// Create a storage account SAS token by using the above shared access account policy.
// The connection string (and the account key inside it) stays with the issuer;
// only the resulting SAS token is handed to the caller.
CloudStorageAccount storageAccount = CloudStorageAccount.Parse("YOUR CONNECTION STRING");
string sasToken = storageAccount.GetSharedAccessSignature(policy);
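To make concrete what GetSharedAccessSignature is doing, here is an added example, written in Python rather than the post's C#, that builds and verifies an Account SAS for service version 2015-04-05 by hand from the string-to-sign defined in the REST reference. It is not code from this post or from the Azure SDK. The account name and key are constructed placeholders, and verify_account_sas is a stand-in for the check the storage service performs on each request; it exists here to show that every field in the token (permissions, services, resource types, expiry) is covered by the HMAC, so a holder cannot edit the token to grant itself more than the issuer signed.

```python
"""Build and verify an Azure Storage Account SAS by hand (service version 2015-04-05).

Added example, not code from the original post or the Azure SDK. The account
name and key below are constructed placeholders; the key is 32 fixed bytes,
base64-encoded the way a real account key is.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2015-04-05"
# Permission letters must appear in 'sp' in this order for this version.
PERMISSION_ORDER = "rwdlacup"
ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholders (not a real account or key).
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(32))).decode()


def account_sas_string_to_sign(account, sp, ss, srt, st, se, sip, spr, sv):
    """String-to-sign from the REST reference: nine fields, each newline-terminated."""
    return "\n".join([account, sp, ss, srt, st, se, sip, spr, sv]) + "\n"


def sign(account_key_b64, string_to_sign):
    """sig = Base64(HMAC-SHA256(UTF8(string_to_sign), Base64Decode(account key)))."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_account_sas(account, account_key_b64, permissions, services,
                      resource_types, expiry, start=None, ip_range="",
                      protocol="https"):
    """Return the SAS query string: sv, ss, srt, sp, [st], se, [sip], spr, sig."""
    unknown = set(permissions) - set(PERMISSION_ORDER)
    if unknown:
        raise ValueError("unknown permission(s): %s" % "".join(sorted(unknown)))
    sp = "".join(p for p in PERMISSION_ORDER if p in permissions)
    st = start.strftime(ISO_FORMAT) if start else ""
    se = expiry.strftime(ISO_FORMAT)
    sts = account_sas_string_to_sign(account, sp, services, resource_types,
                                     st, se, ip_range, protocol, SAS_VERSION)
    params = {"sv": SAS_VERSION, "ss": services, "srt": resource_types, "sp": sp}
    if st:
        params["st"] = st
    params["se"] = se
    if ip_range:
        params["sip"] = ip_range
    params["spr"] = protocol
    params["sig"] = sign(account_key_b64, sts)
    return urlencode(params)


def verify_account_sas(account, account_key_b64, sas_query, now):
    """Stand-in for the service-side check: recompute the signature over the
    parameters exactly as presented, compare in constant time, then enforce
    the validity window. Any edit to sp/ss/srt/se/... invalidates the token."""
    q = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    required = ("sv", "ss", "srt", "sp", "se", "spr", "sig")
    if any(k not in q for k in required) or q["sv"] != SAS_VERSION:
        return False
    sts = account_sas_string_to_sign(account, q["sp"], q["ss"], q["srt"],
                                     q.get("st", ""), q["se"], q.get("sip", ""),
                                     q["spr"], q["sv"])
    expected = sign(account_key_b64, sts)
    if not hmac.compare_digest(expected.encode(), q["sig"].encode()):
        return False
    expiry = datetime.strptime(q["se"], ISO_FORMAT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False
    if q.get("st"):
        start = datetime.strptime(q["st"], ISO_FORMAT).replace(tzinfo=timezone.utc)
        if now < start:
            return False
    return True


if __name__ == "__main__":
    issued_at = datetime.now(timezone.utc)
    # Same shape as the C# policy above: Blob + Table, container + object, 24 hours.
    token = build_account_sas(ACCOUNT_NAME, ACCOUNT_KEY, "rwlcd", "bt", "co",
                              expiry=issued_at + timedelta(hours=24))
    print(token)
    print("valid now:", verify_account_sas(ACCOUNT_NAME, ACCOUNT_KEY, token, issued_at))
    escalated = token.replace("sp=rwdlc", "sp=rwdlacup")
    print("valid after adding permissions:",
          verify_account_sas(ACCOUNT_NAME, ACCOUNT_KEY, escalated, issued_at))
```

The SDK emits the same query parameters (sv, ss, srt, sp, st, se, sip, spr, sig) as this script; what the example adds is the negative path: changing sp, srt or se after issuance, or presenting the token to an account whose key differs, fails the HMAC check, and the expiry is enforced independently of the signature.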
Please read the following resources for more details:
- Tutorial: Shared Access Signatures, Part 1: Understanding the SAS Model
- API Documentation: SharedAccessAccountPolicy Class MSDN Documentation
- Code Sample: Getting Started with Azure Blob Service in .NET
We recommend using SAS tokens to delegate access to storage users rather than sharing storage account keys. Treat a SAS token as the bearer credential it is: set the shortest expiry that works for the caller, restrict it to HTTPS, and scope Services, ResourceTypes and Permissions to the minimum the caller actually needs. As always, please let us know if you have any further questions via comments on this post.
Thanks!
Perry Skountrianos
Azure Storage Team