Shared Access Signature (SAS)

In Azure storage accounts is a string that contains a security token which can be attached to a URI. They can and should be used to delegate access to storage objects: Tables, Blobs, Files, Queues.

The whole intention of a SAS is to provide applications the minimal access required to perform the task required, see image below: