TUTORIAL
Generate Shared Access Signatures with Azure Storage Accounts
by Jon Welling
Azure storage wouldn’t be very useful if it couldn’t be shared with others, right? After all, what’s the point of hoarding all that data if you’re going to keep it to yourself? That would be selfish. But you do need a secure way to manage who has access to your data.
Thankfully, Azure IAM has a way to do just that, called Shared Access Signatures (SAS). So, how do you generate a shared access signature for Azure storage accounts? This guide will walk you through the steps.
Project Overview
EXPERIENCE LEVEL: Intermediate
TIME TO COMPLETE: 15 minutes
ESTIMATED COST: $0 (assuming Azure subscription)
Tools and Materials Needed
Azure subscription
Access to Azure Portal
Access to Azure Identity and Access Management (IAM) or Azure CLI
Before you begin
Before generating SAS on Azure, make sure you have the necessary permissions for accessing and managing Azure resources. Ensure you understand the basics of Azure Storage services, including blobs, files, tables, and queues.
How to Generate Shared Access Signatures with Azure Storage Accounts
Generating shared access signatures with Azure storage is a simple way to share data without compromising security. We'll walk through the step-by-step process below. If you prefer video tutorials, CBT Nuggets trainer Trevor Sullivan covers the same process in a video.
Step 1: Log into Your Azure Web Management Portal
Once in the portal, navigate to the resource you want to share. Azure has multiple storage mechanisms, so make sure to choose the correct one.

Step 2: Locate the Shared Access Signature Option
Locate the Settings tree in the left-hand navigation menu, then scroll down until you see an option called Shared Access Signature. Click that option to open the Shared Access Signature settings.

Step 3: Choose the Services the Signature is Allowed to Access
The first set of settings defines the allowed services the signature is authorized to access. These services include blob, file, queue, and table. Check the boxes next to the services required to provision authorization.

Step 4: Choose the Resource Types
Scroll down to the next setting, which configures authorization for the allowed resource types, including service, container, and object. Again, check the resource types that the signature being provisioned requires.

Step 5: Select Read/Write Settings
The last group of checkboxes specifies read/write settings. Of course, read/write settings also include optional permissions for delete, list, add, create, update, and process functions. Azure shared access signatures are highly granular, so make sure to select these carefully.

Step 6: Set HTTPS Only Access (or leave at default)
Azure admins can allow HTTP and HTTPS options or restrict connections to HTTPS only. Azure defaults to HTTPS access only, which should only be changed if absolutely required. Otherwise, communication with Azure using the signature may not be encrypted.
Step 7: Set the Expiry Date
One of SAS's major benefits is that it allows you to set a specific time frame for access. For example, the signature can be set to expire in a few days, weeks, or even months. If you want to limit access through this signature to a time period, add the expiration date.

Azure storage services have the option to enable versioning. Explaining object versioning is beyond the scope of this article, but there is a lone setting that allows the signature to delete object versions. Consider enabling this option with care.
Step 8: Sign the Signature & Generate
Azure requires all shared access signatures to be signed. Each Azure account can sign access signatures using a primary or secondary key, though today, Azure calls them key 1 and key 2. Azure defaults to using key 1, which is acceptable for most signatures. To learn more about why you want to use key 1 vs. key 2, consider Microsoft Azure training from CBT Nuggets.
Once your Azure shared access signature is configured, click the Generate SAS and Connection String button. Azure will create the shared access signature, and three form fields will appear. The first is the connection string to the storage resource, and the second is the token used for authorization (or the shared access signature).
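The choices made in Steps 3 through 7 end up as query parameters in the generated token (ss, srt, sp, spr, se). The Python script below is an added example, not part of the original tutorial: it parses a token and reports settings that are broader than a narrowly scoped share needs. The function name, the 7-day lifetime threshold, and both sample tokens are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Account SAS query parameters, mapped to the tutorial's steps.
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}   # ss  (Step 3)
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}  # srt (Step 4)
MODIFYING = {"w": "write", "d": "delete", "x": "delete version", "a": "add",
             "c": "create", "u": "update", "p": "process"}          # sp  (Step 5)

def audit_sas(token, now, max_lifetime=timedelta(days=7)):
    """Return findings for an account SAS token given as a query string.

    max_lifetime is an assumed local policy threshold, not an Azure limit.
    """
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    missing = [p for p in ("ss", "srt", "sp", "se", "sig") if p not in q]
    if missing:
        return ["not a complete account SAS, missing: " + ", ".join(missing)]
    findings = []
    if set(q["ss"]) >= set(SERVICES):
        findings.append("all four services allowed (ss=%s)" % q["ss"])
    if set(q["srt"]) >= set(RESOURCE_TYPES):
        findings.append("all resource types allowed (srt=%s)" % q["srt"])
    mods = sorted(MODIFYING[c] for c in q["sp"] if c in MODIFYING)
    if mods:
        findings.append("modifying permissions: " + ", ".join(mods))
    # When spr is absent the service accepts both HTTP and HTTPS (Step 6).
    if q.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed")
    try:  # Step 7; only the full UTC timestamp form is handled here
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return findings + ["expiry not in YYYY-MM-DDTHH:MM:SSZ form: " + q["se"]]
    if expiry <= now:
        findings.append("already expired")
    elif expiry - now > max_lifetime:
        findings.append("valid for %d more days" % (expiry - now).days)
    return findings

# Constructed sample tokens; the sig values are placeholders, not real signatures.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
BROAD_TOKEN = ("?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupx&se=2026-01-01T00:00:00Z"
               "&spr=https,http&sig=PLACEHOLDER")
NARROW_TOKEN = "?sv=2022-11-02&ss=b&srt=o&sp=rl&se=2025-01-03T00:00:00Z&spr=https&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, tok in (("broad", BROAD_TOKEN), ("narrow", NARROW_TOKEN)):
        print(name, audit_sas(tok, NOW) or "no findings")
```

The broad token, with every box checked and a one-year expiry, produces five findings; the narrow one (blob objects, read and list, HTTPS only, two days) produces none.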
Learn Azure Today!
This has only been a brief Azure tutorial. However, Azure storage has so many more functions, and we didn’t have time to dive into the details of each of the settings mentioned above. For example, what is the difference between keys 1 and 2, or what’s up with that preferred routing tier that wasn’t mentioned in this article?
If you want to learn more, sign up for Knox Hutchinson’s Azure online training at CBT Nuggets. Knox is a security guru and skilled Azure engineer who dives deep into everything related to Azure IAM. You’ll walk away from his course able to lock down and control Azure services like a pro.