
Access Key vs. Shared Access Signature (SAS) Token

Both the Access Key and the Shared Access Signature (SAS) Token provide secure authentication and authorization for Azure. Which one to use depends on your requirements; consult your security team to determine which method suits your needs.

The Access Key provides global, root-level permissions to your Azure Files file share. It is the preferred method when your Azure Files file share is used solely by Files.com and does not need to share access with other users or solutions.

The Shared Access Signature (SAS) Token offers restricted, user-specific permissions to your Azure Files file share. It is the preferred option when your file share needs to be accessed by multiple users or solutions. The SAS Token allows more granular control over access, letting you limit permissions to specific parts of your Azure Files file share and better segregate data access.

Whichever method you choose, the key or token must be long-lived. A long-lived key or token has no expiration date and must be manually revoked or expired when no longer needed. This keeps your integrations functional until you explicitly revoke access.

If you choose to set an expiration date on a SAS Token, specify a duration that matches the expected lifetime of the business process the integration supports. The default duration of a SAS Token created in the Azure Portal is only 8 hours, which is far too short for a business integration. For example, if you are using a SAS Token for a business process with a vendor you will transact with for one year, set the expiration date to no shorter than that timeframe.
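The following is an added example, not part of the Files.com or Azure documentation: a Python check that reads the `se` (signed expiry) field of a SAS token and compares the remaining lifetime with the expected lifetime of the integration, so an 8-hour token is caught before it is entered into the Remote Server. The function names `sas_expiry` and `check_sas_lifetime` and the sample tokens are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Timestamp layouts Azure Storage accepts for the signed-expiry field.
_EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def sas_expiry(token):
    """Return the expiry (UTC) carried in a SAS token's `se` field, or None if absent."""
    fields = parse_qs(token.lstrip("?"))  # also decodes %3A back to ':'
    if "se" not in fields:
        return None  # no expiry inside the token itself
    raw = fields["se"][0]
    for fmt in _EXPIRY_FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised se value: {raw!r}")


def check_sas_lifetime(token, needed_days, now=None):
    """Compare a token's remaining lifetime with the integration's expected lifetime."""
    now = now or datetime.now(timezone.utc)
    expiry = sas_expiry(token)
    if expiry is None:
        return {"status": "no-expiry-in-token", "expiry": None, "remaining": None}
    remaining = expiry - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining < timedelta(days=needed_days):
        status = "too-short"
    else:
        status = "ok"
    return {"status": status, "expiry": expiry, "remaining": remaining}


if __name__ == "__main__":
    # Constructed sample tokens; the sig values are placeholders, not real signatures.
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    portal_default = "sv=2022-11-02&ss=f&srt=sco&sp=rwdlc&se=2024-01-01T17%3A00%3A00Z&spr=https&sig=PLACEHOLDER"
    one_year = "?sv=2022-11-02&ss=f&srt=sco&sp=rwdlc&se=2025-01-15T00%3A00%3A00Z&spr=https&sig=PLACEHOLDER"
    for name, tok in (("portal default", portal_default), ("one-year vendor", one_year)):
        result = check_sas_lifetime(tok, needed_days=365, now=now)
        print(name, result["status"], result["expiry"], result["remaining"])
```

The check only reads the token text; it does not contact Azure and cannot tell whether a token has been revoked.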

All connections to Azure, and all functionality that depends on them, stop working once the key or token expires or is revoked. Expired or revoked keys and tokens cause Syncs, automations, uploads, downloads, and Remote Mounts to fail. Configure these features to operate only while the key or token is valid.

Any uploads, syncs, or automations in progress fail when the key or token expires or is revoked. Files being uploaded will not be partially delivered and must be re-uploaded from the beginning once the key or token is replaced. Syncs and automations in progress show a status of Partial failure, indicating that some files were successfully delivered before the key or token expired or was revoked. Depending on the configuration, syncs and automations may continue to trigger and continue to fail until the key or token is replaced.

If a key or token is rotated, revoked, or expired, and you need to restore access to Azure, replace the key or token with a new one. Update the Remote Server with the new key or token to re-establish access to your Azure Files file share.

Do not use keys or tokens with expiration dates unless you are prepared for the downtime at the expiration time and are willing to manually replace the key or token each time it expires.

If you're unsure, use a long-lived Shared Access Signature (SAS) Token. It provides more granular security controls.