In Microsoft's documentation for user delegation key, it says:
A SAS token for access to a container, directory, or blob may be secured by using either Azure AD credentials or an account key. A SAS secured with Azure AD credentials is called a user delegation SAS. Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security.
Why does this approach give "superior security"? I guess the SAS tokens are both safe? So why exactly is one approach safer than the other? If you use Stored Access Policy, you can also revoke SAS tokens when they have been issued with account keys.
A user-delegation SAS token is more secure in that it does not rely only on the permissions included in the SAS token. It also takes into consideration the RBAC permissions of the user who created this SAS token. A SAS token created using a shared access key simply considers the permissions included in the SAS token.
For example, let's say the user who's creating a user-delegation SAS only has Read permissions on a blob container (i.e. they can only list or download blobs in a blob container). Now let's say the user creates a SAS token with Write permission. When this SAS token is used to upload a blob, the operation will fail because the user does not have Write permissions on that blob container, whereas the upload operation would have succeeded if the SAS token was created using a shared access key.

More information on this can be found here (emphasis mine):
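The authorization difference the answer describes can be modelled offline. The following is an added example, not code from the question, the answer, or the Azure SDK: it simulates the two decision paths (account-key SAS: the SAS permissions alone decide; user-delegation SAS: the request must be allowed by the SAS permissions and by the RBAC permissions of the identity that signed it) and replays the Read-only signer / Write SAS scenario from the answer. The permission letters follow the Azure SAS convention (r = read, w = write, d = delete, l = list), but the `Sas` type, the `authorize` function and the `revoked` flag are this example's own abstractions and do not call any Azure API.

```python
"""Offline model of how a SAS-bearing request is authorized.

Added example: an abstraction of the two authorization paths, not the
Azure SDK or the service's real implementation. Permission letters mirror
the SAS convention (r/w/d/l); everything else is constructed for this demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

PERMISSION_NAMES = {"r": "Read", "w": "Write", "d": "Delete", "l": "List"}


class SasKind(Enum):
    ACCOUNT_KEY = "account_key"          # signed with the storage account key
    USER_DELEGATION = "user_delegation"  # signed with a user delegation key (Azure AD)


@dataclass(frozen=True)
class Sas:
    kind: SasKind
    permissions: frozenset[str]                 # permissions encoded in the SAS itself
    signer_rbac: frozenset[str] = frozenset()   # RBAC data actions of the signing identity
                                                # (only meaningful for USER_DELEGATION)
    revoked: bool = False                       # stored access policy removed / delegation key revoked


def effective_permissions(sas: Sas) -> frozenset[str]:
    """Permissions a holder of this SAS can actually exercise.

    Account-key SAS: whatever the token says.
    User-delegation SAS: the token's permissions intersected with the
    signer's RBAC permissions, which is what makes a Write SAS from a
    Read-only signer useless for uploads.
    """
    if sas.revoked:
        return frozenset()
    if sas.kind is SasKind.ACCOUNT_KEY:
        return sas.permissions
    return sas.permissions & sas.signer_rbac


def authorize(sas: Sas, requested: str) -> tuple[bool, str]:
    """Decide one request and explain the decision (allowed, reason)."""
    name = PERMISSION_NAMES.get(requested, requested)
    if sas.revoked:
        return False, f"{name} denied: SAS has been revoked"
    if requested not in sas.permissions:
        return False, f"{name} denied: SAS token does not grant it"
    if sas.kind is SasKind.USER_DELEGATION and requested not in sas.signer_rbac:
        return False, f"{name} denied: signer's RBAC role does not grant it"
    return True, f"{name} allowed by {sas.kind.value} SAS"


# Constructed scenario from the answer: the signer's RBAC role only allows
# reading and listing blobs, yet the SAS they mint claims Write.
SIGNER_RBAC = frozenset({"r", "l"})
SAS_PERMISSIONS = frozenset({"r", "w"})

UD_SAS = Sas(SasKind.USER_DELEGATION, SAS_PERMISSIONS, signer_rbac=SIGNER_RBAC)
AK_SAS = Sas(SasKind.ACCOUNT_KEY, SAS_PERMISSIONS)


def demo() -> dict[str, bool]:
    """Replay the upload attempt with both SAS kinds; returns the outcomes."""
    outcomes = {}
    for label, sas in (("user-delegation", UD_SAS), ("account-key", AK_SAS)):
        allowed, reason = authorize(sas, "w")
        outcomes[label] = allowed
        print(f"{label:16s} upload -> {reason}")
    return outcomes


if __name__ == "__main__":
    demo()
```

Running the block prints the denial for the user-delegation SAS ("signer's RBAC role does not grant it") and the success for the account-key SAS with identical token permissions; `effective_permissions(UD_SAS)` collapses to Read alone, which is the answer's point in one expression.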