Introduction

Microsoft Azure provides secure and direct access to resources in your Azure storage account. A shared access signature (SAS) is a token that is appended to the URI for an Azure storage resource. The token that contains a special set of query parameters that indicate how the resources may be accessed by the client. This token contains:

1. What resources the client may access.
   
2. What permissions they have to those resources.
   
3. How long the SAS is valid.
   

This article provides an overview of the behavior of SAS links when used with eXtendFiles.

Duration of SAS Links

There is no maximum SAS expiration limitation, but it's advisable to keep the SAS validity period reasonable based on your security needs and to avoid excessively long durations. Consider these factors:

• Security: A shorter validity period reduces the risk of exposure if the SAS token is compromised.
  
• Refresh needs: If your application requires long-lived access, consider refreshing the SAS token periodically instead of using extremely long validity period.
  

Link Expiration

After the validity period, the SAS link expires. If someone attempts to access the Azure object using the expired link, they will be directed to an 'Authentication Failed' error page. This page indicates that the SAS link is no longer valid:

Access Key Rotation / Invalidation

If your Azure Storage account access keys are rotated or invalidated, any existing SAS links that were signed with the previous key may no longer be accessible, even if their configured expiration time has not been reached.

When this happens, users attempting to open an existing SAS link will typically receive an authentication error similar to:

<Error>
  <Code>AuthenticationFailed</Code>
  <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:185ef23b-e01e-0037-0336-bd093d000000 Time:2026-03-26T15:35:52.0710533Z</Message>
  <AuthenticationErrorDetail>Signature did not match. String to sign used was r 2027-03-25T17:00:12Z /blob/storageaccount/container/file 2018-03-28 </AuthenticationErrorDetail>
</Error>

Once a SAS link has expired, it cannot be used to access the Azure object. However, the object can still be accessed by generating a new SAS link.

It’s important to note that the existing link cannot be reused. Instead, a new link with a new expiration date must be generated. This new link must be used to access the file.

Frequently Asked Questions (FAQs)

1. Q: Can the expiration time of a SAS link be changed?
   A: Yes, the expiration time of an Azure SAS link can be set at the time of its creation. However, once the link has been created, the expiration time cannot be changed. If you need to extend the access to the object, you will need to create a new signed link with a new expiration time.
2. Q: Is there a limit to the number of SAS links I can create for an object?
   A: No, there is no limit to the number of signed links that can be created for an object. Each link will have its own unique expiration time which is set during the creation of the link.
3. Q: What happens if a SAS link is used after it has expired?
   
   A: If a link is used after its expiration, access to the Azure object will be denied. The user will be directed to an 'AuthenticationFailed' error page. To regain access, a new SAS link must be generated.
   
4. Q: Can I create a SAS link with no expiration?
   A: No, all Azure SAS links must have an expiration time. This is a security measure to prevent unauthorized long-term access to your Azure storage resources.