The Azure Blob service supports fully authenticated requests, anonymous requests, and requests authenticated by a temporary access key, referred to as a shared access signature. The latter allows access to containers or blobs to only those in possession of the shared access signature.
A shared access signature is constructed from a combination of the following:
Resource (container or blob)
Access rights (read, write, delete, and list)
Start time
Expiration time
Advanced settings
These are combined into a string from which a 256-bit HMAC is generated. An access key for the storage account is used to seed the HMAC generation. This HMAC is referred to as a shared access signature. The process of generating a shared access signature requires no interaction with the Blob service.