Skip to main content

Shared access signature (SAS)

SAS (Shared Access Signature) lets you grant scoped, time-limited access without exposing your account key.

Using SAS (authenticate)

This SDK supports SAS authentication, but does not support SAS generation yet.

Single queue (Queue SAS URL)

<?php

use AzureOss\Storage\Queue\QueueClient;
use GuzzleHttp\Psr7\Uri;

$queue = new QueueClient(new Uri(getenv('AZURE_QUEUE_SAS_URL')));
$messages = $queue->receiveMessages(5);

Account (Account SAS / Service SAS on the account endpoint)

Option 1: SAS connection string

If your connection string contains `SharedAccessSignature=...`, `QueueServiceClient::fromConnectionString()` uses it for authentication.

AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=...;EndpointSuffix=core.windows.net;SharedAccessSignature=sv=...&ss=...&srt=...&sp=...&se=...&st=...&spr=https&sig=..."
<?php

use AzureOss\Storage\Queue\QueueServiceClient;

$service = QueueServiceClient::fromConnectionString(
  getenv('AZURE_STORAGE_CONNECTION_STRING')
);

Option 2: SAS endpoint URL

You can also create a service client from a SAS endpoint URL by including the SAS query string in the URI.

<?php

use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;

$endpoint = new Uri(getenv('AZURE_QUEUE_SAS_ENDPOINT')); // https://{account}.queue.core.windows.net/?sv=...&sig=...
$service = new QueueServiceClient($endpoint);

Use it like a normal service client:

$queue = $service->getQueueClient('quickstart');
$messages = $queue->receiveMessages(5);

Generating SAS

SAS generation is not supported yet in this SDK.