Shared access signature (SAS)

SAS (Shared Access Signature) lets you grant scoped, time-limited access without exposing your account key.

Using SAS (authenticate)

This SDK supports SAS authentication.

Single blob (Blob SAS URL)

<?php

use AzureOss\Storage\Blob\BlobClient;
use GuzzleHttp\Psr7\Uri;

$blob = new BlobClient(new Uri(getenv('AZURE_BLOB_SAS_URL')));
$content = $blob->downloadStreaming()->content->getContents();

Container (Container SAS URL)

<?php

use AzureOss\Storage\Blob\BlobContainerClient;
use GuzzleHttp\Psr7\Uri;

$container = new BlobContainerClient(new Uri(getenv('AZURE_BLOB_CONTAINER_SAS_URL')));

foreach ($container->getBlobs() as $item) {
    echo $item->name.PHP_EOL;
}

Account (Account SAS / Service SAS on the account endpoint)

Option 1: SAS connection string

If your connection string contains `SharedAccessSignature=...`, `BlobServiceClient::fromConnectionString()` uses it for authentication.

AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=...;EndpointSuffix=core.windows.net;SharedAccessSignature=sv=...&ss=...&srt=...&sp=...&se=...&st=...&spr=https&sig=..."

<?php

use AzureOss\Storage\Blob\BlobServiceClient;

$service = BlobServiceClient::fromConnectionString(
    getenv('AZURE_STORAGE_CONNECTION_STRING')
);

Option 2: SAS endpoint URL

You can also create a service client from a SAS endpoint URL by including the SAS query string in the URI.

<?php

use AzureOss\Storage\Blob\BlobServiceClient;
use GuzzleHttp\Psr7\Uri;

$endpoint = new Uri(getenv('AZURE_BLOB_SAS_ENDPOINT')); // https://{account}.blob.core.windows.net/?sv=...&sig=...
$service = new BlobServiceClient($endpoint);

Use it like a normal service client:

$container = $service->getContainerClient('quickstart');
$blob = $container->getBlobClient('hello.txt');

$content = $blob->downloadStreaming()->content->getContents();

Generating SAS

SAS generation requires credentials that can sign SAS tokens (shared key). Token-based authentication (Entra ID) cannot generate SAS in this SDK.

Generate a blob SAS URL

<?php

use AzureOss\Storage\Blob\BlobServiceClient;
use AzureOss\Storage\Blob\Sas\BlobSasBuilder;

$service = BlobServiceClient::fromConnectionString(getenv('AZURE_STORAGE_CONNECTION_STRING'));
$blob = $service->getContainerClient('quickstart')->getBlobClient('hello.txt');

$blobSas = $blob->generateSasUri(
    BlobSasBuilder::new()
        ->setPermissions('r')
        ->setExpiresOn(new \DateTimeImmutable('+15 minutes'))
);

Generate a container SAS URL

use AzureOss\Storage\Blob\Sas\BlobSasBuilder;

$container = $service->getContainerClient('quickstart');

$containerSas = $container->generateSasUri(
    BlobSasBuilder::new()
        ->setPermissions('rl')
        ->setExpiresOn(new \DateTimeImmutable('+15 minutes'))
);

Generate an account SAS URL

use AzureOss\Storage\Common\Sas\AccountSasBuilder;
use AzureOss\Storage\Common\Sas\AccountSasPermissions;
use AzureOss\Storage\Common\Sas\AccountSasResourceTypes;

$accountSas = $service->generateAccountSasUri(
    AccountSasBuilder::new()
        ->setPermissions(new AccountSasPermissions(list: true, read: true))
        ->setResourceTypes(new AccountSasResourceTypes(service: true, container: true, object: true))
        ->setExpiresOn(new \DateTimeImmutable('+15 minutes'))
);
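
Checking a SAS URL against policy before use or distribution

A SAS URL works as a bearer credential, so it is worth checking its `sp`, `se` and `spr` parameters against your own limits before handing it out or loading it from the environment. The following is an added example, not part of the SDK or its documentation: `auditSasUrl()` and `redactSas()` are hypothetical helpers built only on PHP built-ins, and the sample URL, account name, permission allow-list and 900-second limit are constructed assumptions.

```php
<?php

// Added example. auditSasUrl() and redactSas() are hypothetical helpers, not SDK functions.
function auditSasUrl(string $url, string $allowedPerms, int $maxLifetime, DateTimeImmutable $now): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['sig', 'se', 'sp'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key]) || $q[$key] === '') {
            return ["not a usable SAS URL: {$key} is missing"];
        }
    }
    $findings = [];
    // Without spr=https the token is also accepted over plain HTTP.
    if (($q['spr'] ?? '') !== 'https') {
        $findings[] = 'spr is not restricted to https';
    }
    // sp is a string of permission letters; flag any letter outside the allow-list.
    $extra = array_diff(str_split($q['sp']), str_split($allowedPerms));
    if ($extra !== []) {
        $findings[] = 'unexpected permissions: ' . implode('', $extra);
    }
    // se is the expiry time (UTC).
    try {
        $expires = new DateTimeImmutable($q['se'], new DateTimeZone('UTC'));
    } catch (Exception $e) {
        return [...$findings, 'se is not a parseable timestamp'];
    }
    $remaining = $expires->getTimestamp() - $now->getTimestamp();
    if ($remaining <= 0) {
        $findings[] = 'token has expired';
    } elseif ($remaining > $maxLifetime) {
        $findings[] = "token is valid for {$remaining}s, policy allows {$maxLifetime}s";
    }
    return $findings;
}

// The sig value is the credential: replace it before a URL reaches logs or error messages.
function redactSas(string $url): string
{
    return preg_replace('/([?&]sig=)[^&#]*/', '$1REDACTED', $url) ?? '';
}

// Constructed sample: placeholder account name and signature.
$now = new DateTimeImmutable('2025-01-01T00:00:00Z');
$url = 'https://exampleaccount.blob.core.windows.net/quickstart/hello.txt'
    . '?sv=2022-11-02&sp=rw&se=2025-01-08T00:00:00Z&sig=PLACEHOLDER';

foreach (auditSasUrl($url, 'r', 900, $now) as $finding) {
    echo $finding . ' [' . redactSas($url) . ']' . PHP_EOL;
}
```

The same check can be run on the URI returned by `generateSasUri()` to confirm that a generated token matches the permissions and lifetime you intended.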