Relationship between Azure SAS allowed services and allowed resource types

Question

I am reading the Azure SAS documentation (https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/constructing-a-service-sas) and I am confused with the relationship between allowed resource Types and Azure services.

If I go to storage account -> shared access signature, the first thing I have to select is Allowed Services (Blob, file, queue, table). Then the Allowed resource types (Service, Container and Object).

Now a Blob service has container in it, but a file, queue or table does not have containers in them. So why is Container option provided in allowed resource type for file, queue and table service?

Answer 1

Now a Blob service has container in it, but a file, queue or table does not have containers in them. So why is Container option provided in allowed resource type for file, queue and table service?

Don't think of a container mentioned there as blob container. Think of it as something that will have child elements (objects in this case).

In context of blobs, container will refer to blob container which will contain blobs.

In context of file service, container will refer to share which will contain files & directories.

In context of table service, container will refer to table which will contain entities.

In context of queue service, container will refer to queue which will contain messages.

Answer 2

As far as I know, the resource type, you could regard as below:

• Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
• Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
• Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files(e.g. Put Blob, Query Entity, Get Messages, Create File, etc.)