Generating SAS Tokens in Azure Blob Storage
What Are SAS Tokens?
SAS (Shared Access Signature) tokens provide time-limited, scoped access to your storage resources without exposing your account keys.
Types of SAS Tokens
| Type | Scope | Use Case |
|---|---|---|
| Account SAS | Entire storage account | Cross-service access |
| Service SAS | Specific service (blob, queue) | Single service access |
| User Delegation SAS | Specific container/blob | Delegated access with Azure AD |
Generate SAS Token via Portal
- Go to Storage Account → Containers
- Select a container
- Click Generate SAS token and URL
- Configure:
  - Permissions (Read, Write, Delete, List)
  - Start and expiry time
  - Allowed IP addresses (optional)
- Click Generate
- Copy the Blob SAS token
Generate SAS Token via CLI
```bash
# Generate a container SAS token (expires at the --expiry time, UTC)
# --https-only restricts the token to HTTPS requests (spr=https)
az storage container generate-sas \
  --name mycontainer \
  --account-name mystorage001 \
  --permissions rwl \
  --expiry 2024-12-31T23:59Z \
  --https-only
# Output example:
# ?sv=2023-08-03&ss=b&srt=sco&sp=rwl&se=2024-12-31T23:59:00Z&st=2024-01-01T00:00:00Z&spr=https&sig=...
```
Use SAS Token in Code
Construct Full URL
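```csharp
using System;
using Azure.Storage.Blobs;

// SAS query string without the leading "?"; load it from configuration, do not hardcode it
string sasToken = "sv=2023-08-03&ss=b&srt=sco&sp=rwl&se=2024-12-31T23:59:00Z&sig=...";
string containerUri = "https://mystorage001.blob.core.windows.net/mycontainer";
// The SAS travels in the URL query, so no separate credential is passed
var blobContainerClient = new BlobContainerClient(
    new Uri($"{containerUri}?{sasToken}")
);
```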
Upload with SAS
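```csharp
using System;
using Azure;
using Azure.Storage.Blobs;

// Pass the plain blob URL and supply the SAS through AzureSasCredential;
// do not also append the token to the URL
var blobClient = new BlobClient(
    new Uri("https://mystorage001.blob.core.windows.net/mycontainer/myfile.txt"),
    new AzureSasCredential(sasToken)
);
await blobClient.UploadAsync("localfile.txt");
```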
SAS Token Parameters
| Parameter | Description |
|---|---|
| sv | Storage version |
| ss | Signed service (b=blob, q=queue, f=file) |
| srt | Signed resource type (s=service, c=container, o=object) |
| sp | Signed permissions (r=read, w=write, d=delete, l=list) |
| se | Expiry time |
| st | Start time |
| sip | Allowed IP addresses |
| spr | Signed protocol (https, http) |
| sig | Signature |
Security Best Practices
- Set appropriate expiry - Don't make it too long (1 hour to 1 day is typical)
- Use HTTPS - Always use https://
- Store securely - Don't hardcode in source control
- Prefer User Delegation SAS - Uses Azure AD instead of account key
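The parameter table and the practices above can be checked mechanically before a token is handed out. The following is an added example, not code from the original page: `audit_sas` and the sample tokens are hypothetical, the `skoid` field (present only in user delegation SAS tokens) and the `https,http` default for `spr` come from the Azure Storage SAS format rather than from this page, and the one-day limit is taken from the guidance above.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

def _utc(value):
    """Parse a SAS timestamp (ISO 8601, UTC) into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas(token, now, max_lifetime=timedelta(days=1)):
    """Return findings for a SAS query string; an empty list means none."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    if "se" not in q:
        # Expiry can only come from a stored access policy in this case
        findings.append("no se: expiry is not set in the token")
    else:
        expiry = _utc(q["se"])
        # Without st the issue time is unknown, so measure from now
        start = _utc(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("already expired")
        elif expiry - start > max_lifetime:
            findings.append("lifetime exceeds limit")
    # When spr is absent the service accepts both https and http
    if q.get("spr", "https,http") != "https":
        findings.append("HTTP allowed (spr is not https)")
    if "ss" in q and "srt" in q:
        findings.append("account SAS: scope is the whole storage account")
    if "skoid" not in q:
        findings.append("signed with account key, not a user delegation key")
    return findings

# Constructed sample inputs (signatures and object id are placeholders)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PAGE_TOKEN = ("?sv=2023-08-03&ss=b&srt=sco&sp=rwl&se=2024-12-31T23:59:00Z"
              "&st=2024-01-01T00:00:00Z&spr=https&sig=...")
SCOPED_TOKEN = ("sv=2023-08-03&sr=c&sp=r&st=2024-06-01T00:00:00Z"
                "&se=2024-06-01T01:00:00Z&spr=https"
                "&skoid=00000000-0000-0000-0000-000000000000&sig=...")

if __name__ == "__main__":
    for name, tok in (("page example", PAGE_TOKEN), ("scoped", SCOPED_TOKEN)):
        print(name, audit_sas(tok, NOW) or "no findings")
```
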
When to Use SAS Tokens
- Share specific files with external users
- Time-limited access for mobile apps
- Temporary access for partners
- Load content from CDN
Azure Integration Hub - Beginner Level