| title | Create an account SAS with Python |
|---|---|
| titleSuffix | Azure Storage |
| description | Learn how to create an account shared access signature (SAS) using the Python client library. |
| services | storage |
| author | stevenmatthew |
| ms.service | azure-storage |
| ms.topic | how-to |
| ms.date | 08/05/2024 |
| ms.author | shaas |
| ms.reviewer | dineshm |
| ms.subservice | storage-common-concepts |
| ms.devlang | python |
| ms.custom | devx-track-python, devguide-python |
[!INCLUDE storage-dev-guide-selector-account-sas]
[!INCLUDE storage-auth-sas-intro-include]
This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for Python.
An account SAS is created at the level of the storage account. By creating an account SAS, you can:
- Delegate access to service-level operations that aren't currently available with a service-specific SAS, such as Get Blob Service Properties, Set Blob Service Properties and Get Blob Service Stats.
- Delegate access to more than one service in a storage account at a time. For example, you can delegate access to resources in both Azure Blob Storage and Azure Files by using an account SAS.
Stored access policies aren't supported for an account SAS.
An account SAS is signed with the account access key. The following code example shows how to call the generate_account_sas method to get the account SAS token string.
:::code language="python" source="~/azure-storage-snippets/blobs/howto/python/blob-devguide-py/blob_devguide_create_sas.py" id="Snippet_create_account_sas":::
Valid parameters for the ResourceTypes constructor are:
- service: default is
False; set toTrueto grant access to service-level APIs. - container: default is
False; set toTrueto grant access to container-level APIs. - object: default is
False; set toTrueto grant access to object-level APIs for blobs, queue messages, and files.
For available permissions, see AccountSasPermissions.
To use the account SAS to access service-level APIs for the Blob service, create a BlobServiceClient object using the account SAS and the Blob Storage endpoint for your storage account.
:::code language="python" source="~/azure-storage-snippets/blobs/howto/python/blob-devguide-py/blob_devguide_create_sas.py" id="Snippet_use_account_sas":::
You can also use an account SAS to authorize and work with a ContainerClient object or BlobClient object, if those resource types are granted access as part of the signature values.
To learn more about creating an account SAS using the Azure Blob Storage client library for Python, see the following resources.
[!INCLUDE storage-dev-guide-resources-python]