An Azure blob SAS (Shared Access Signature) token is used in many places in order to access either a specific blob or a container. It’s simply a string made up of your storage account name and your storage account key. The whole point of the SAS token is that you can share it with anyone you like to give them access to blob storage without compromising your real underlining storage account key. The SAS token is in a format which can be used in a URI/URL. It is not a certificate and is not stored anywhere, it’s purely created/constructed and used straight after – and is normally stored in memory as part of a variable or can be shared with others and can contain an expiry date. More info here.
Below is a PowerShell script which you can use to help construct an Azure blob storage SAS token – this one focuses on grating access to blob containers.