Get Azure Shared Access Signatures

Azure Shared Access Signatures (SAS) provide a secure method for granting temporary and limited access to resources in your Azure Storage account without revealing your account keys. With SAS tokens, you can define specific permissions, set expiration times, and restrict access based on IP addresses or protocols.

In this post, you’ll learn how to generate SAS tokens including both account-level and container/blob-level SAS using C# for Azure Blob Storage.

Prerequisites

Before you begin, make sure you have:
  • An Azure Storage account
  • The Azure.Storage.Blobs NuGet package installed
  • Basic knowledge of C# and .NET (any .NET Core / .NET Framework version)

Get Azure Shared Access Signatures Using C#

Getting Started

A Shared Access Signature (SAS) in Microsoft Azure is a secure way to grant limited access to Azure Storage resources without exposing your account key. You can use a SAS token to give time-bound, permission-specific access to resources like Blobs, Files, Queues, and Tables.

What is an Azure Shared Access Signature

A Shared Access Signature in Azure is a URI query string that grants restricted access rights to Azure Storage resources. It's like a signed URL that includes:

  • What resource can be accessed.
  • Who can access it.
  • Which permissions are allowed (read, write, delete, etc.).
  • How long the access is valid.

Example SAS URL (Blob)
 https://myaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2022-11-02&st=2023-09-24T09%3A00%3A00Z&se=2023-09-25T09%3A00%3A00Z&sr=b&sp=rl&sig=abcdef1234567890  

Types of SAS

  1. Account SAS: Grants access to resources in a storage account (blob, file, queue, table).
  2. Service SAS: Grants access to a specific service (e.g., Blob, File) and resource.
  3. User Delegation SAS: A service SAS secured with Azure AD credentials rather than storage account keys. Recommended for higher security.

Install Azure.Storage.Blobs

Azure.Storage.Blobs is a .NET SDK provided by Microsoft to work with Azure Blob Storage, which is part of the Azure Storage services. To generate a SAS token, this package needs to be installed.

Here are the steps to install:
  1. Right-click on your project in Solution Explorer
  2. Choose Manage NuGet Packages
  3. Click on the "Browse" tab
  4. Search for: Azure.Storage.Blobs
  5. Click Install

Follow the same steps for Azure.Storage.Common. Azure.Storage.Common is a .NET library that is part of the Azure SDK for .NET. It's not meant to be used directly by most developers. Instead, it provides internal shared components that support the core operations of the Azure Storage libraries.

Import Namespaces

In your class where you want to write the logic to generate an Azure Shared Access Signature, import the following namespaces.

 using Azure.Storage;  
 using Azure.Storage.Blobs;  
 using Azure.Storage.Sas;  
 using System;  

Generate Azure Shared Access Signatures

The examples below describe how to generate a SAS token for different purposes.

Generate SAS for a Blob
 public static string GenerateBlobSasUri(string accountName, string accountKey, string containerName, string blobName)  
 {  
   // Create storage credentials  
   var credential = new StorageSharedKeyCredential(accountName, accountKey);  
   // Build the blob URI  
   var blobUri = new Uri($"https://{accountName}.blob.core.windows.net/{containerName}/{blobName}");  
   var blobClient = new BlobClient(blobUri, credential);  
   // Set SAS expiration and permissions  
   var sasBuilder = new BlobSasBuilder  
   {  
     BlobContainerName = containerName,  
     BlobName = blobName,  
     Resource = "b", // "b" for blob, "c" for container  
     ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)  
   };  
   // Permissions: Read, Write, Delete, etc.  
   sasBuilder.SetPermissions(BlobSasPermissions.Read | BlobSasPermissions.Write);  
   // Generate the SAS URI  
   Uri sasUri = blobClient.GenerateSasUri(sasBuilder);  
   return sasUri.ToString();  
 }  

Example Usage:
 var sasUrl = GenerateBlobSasUri(  
   accountName: "your_storage_account_name",  
   accountKey: "your_storage_account_key",  
   containerName: "sample-container",  
   blobName: "example.txt"  
 );  
 Console.WriteLine($"SAS URL: {sasUrl}");  

SAS for a Container
 public static string GenerateContainerSasUri(string accountName, string accountKey, string containerName)  
 {  
   var credential = new StorageSharedKeyCredential(accountName, accountKey);  
   var containerUri = new Uri($"https://{accountName}.blob.core.windows.net/{containerName}");  
   var containerClient = new BlobContainerClient(containerUri, credential);  
   var sasBuilder = new BlobSasBuilder  
   {  
     BlobContainerName = containerName,  
     Resource = "c", // Container  
     ExpiresOn = DateTimeOffset.UtcNow.AddHours(2)  
   };  
   sasBuilder.SetPermissions(BlobContainerSasPermissions.List | BlobContainerSasPermissions.Read);  
   Uri sasUri = containerClient.GenerateSasUri(sasBuilder);  
   return sasUri.ToString();  
 }  

Generate Account-Level SAS (Across All Services)
 // Uses the Azure.Storage and Azure.Storage.Sas namespaces imported at the top of the file.
 public static string GenerateAccountSas(string accountName, string accountKey)
 {
   // Create storage credentials from the account name and key
   var credential = new StorageSharedKeyCredential(accountName, accountKey);
   var sasBuilder = new AccountSasBuilder
   {
     Services = AccountSasServices.Blobs, // Blob service only in this example
     ResourceTypes = AccountSasResourceTypes.Service | AccountSasResourceTypes.Container | AccountSasResourceTypes.Object,
     ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
     Protocol = SasProtocol.Https // Reject requests made over plain HTTP
   };
   sasBuilder.SetPermissions(AccountSasPermissions.Read | AccountSasPermissions.Write | AccountSasPermissions.List);
   // Sign the parameters with the account key and append them to the service endpoint
   var sasToken = sasBuilder.ToSasQueryParameters(credential).ToString();
   return $"https://{accountName}.blob.core.windows.net/?{sasToken}";
 }
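The User Delegation SAS from the Types of SAS list, as an added example that is not code from the original post. It assumes the Azure.Identity NuGet package (not used elsewhere on this page), a reachable storage account, and an Azure AD identity allowed to request a user delegation key and read the blob; the class and method names are hypothetical.

```csharp
using System;
using Azure.Identity;              // assumption: Azure.Identity package is installed
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class UserDelegationSasExample   // hypothetical name
{
    // Builds a read-only, HTTPS-only blob SAS signed with a user delegation key,
    // so no storage account key appears in code or configuration.
    public static Uri GenerateUserDelegationSasUri(string accountName, string containerName, string blobName)
    {
        var serviceUri = new Uri($"https://{accountName}.blob.core.windows.net");
        // DefaultAzureCredential resolves the caller's Azure AD identity
        // (managed identity, developer login, environment variables).
        var serviceClient = new BlobServiceClient(serviceUri, new DefaultAzureCredential());

        var startsOn = DateTimeOffset.UtcNow.AddMinutes(-5); // tolerate small clock skew
        var expiresOn = DateTimeOffset.UtcNow.AddHours(1);

        // Request the signing key from the Blob service; the SAS cannot outlive it.
        UserDelegationKey key = serviceClient.GetUserDelegationKey(startsOn, expiresOn);

        var sasBuilder = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",
            StartsOn = startsOn,
            ExpiresOn = expiresOn,
            Protocol = SasProtocol.Https
        };
        sasBuilder.SetPermissions(BlobSasPermissions.Read);

        // Sign with the delegation key instead of a StorageSharedKeyCredential.
        var blobUri = new BlobUriBuilder(new Uri(serviceUri, $"{containerName}/{blobName}"))
        {
            Sas = sasBuilder.ToSasQueryParameters(key, accountName)
        };
        return blobUri.ToUri();
    }
}
```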

SAS Common Parameters
Here are some common parameters that appear in a SAS token:
  • sv – Storage service version.
  • ss – Services (blob, file, queue, table).
  • srt – Resource types (service, container, object).
  • sp – Permissions (r, w, d, l, etc.).
  • se – Expiry time.
  • st – Start time (optional).
  • spr – Protocol (https recommended).
  • sig – Signature (HMAC using account key).

Best Practices
  • Use short expiry times for better security.
  • Limit permissions to the minimum required.
  • Use HTTPS to protect SAS tokens in transit.
  • Regenerate keys periodically to invalidate old SAS tokens.
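The parameters and best practices above can be checked mechanically before a SAS URL is handed out. The following is an added example, not code from the original post: it parses a SAS URL and reports findings for long expiry, write-capable permissions, missing HTTPS restriction and account-level scope. The `SasAudit` class, the one-hour limit and the fixed clock are assumptions made for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

public static class SasAudit   // hypothetical helper
{
    // Returns one finding per best-practice violation in a SAS URL.
    public static List<string> Audit(string sasUrl, DateTimeOffset now, TimeSpan maxLifetime)
    {
        // Decode the query string into a parameter map (sv, sp, se, spr, ...).
        var q = new Dictionary<string, string>();
        foreach (var pair in new Uri(sasUrl).Query.TrimStart('?')
                     .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            q[kv[0]] = kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "";
        }
        var findings = new List<string>();
        if (!q.ContainsKey("sig")) { findings.Add("no sig parameter: not a SAS URL"); return findings; }

        // se: expiry must parse, lie in the future, and stay within the allowed lifetime.
        // A token that references a stored access policy (si) may carry no se of its own.
        if (q.TryGetValue("se", out var se) && DateTimeOffset.TryParse(se, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal, out var expiry))
        {
            if (expiry <= now) findings.Add("se: token already expired");
            else if (expiry - now > maxLifetime)
                findings.Add($"se: valid for {(expiry - now).TotalHours:F0}h, over the limit");
        }
        else if (!q.ContainsKey("si")) findings.Add("se: missing or unparseable expiry");

        // sp: anything beyond read (r) and list (l) can modify or remove data.
        q.TryGetValue("sp", out var sp);
        var extra = new string((sp ?? "").Where(c => c != 'r' && c != 'l').ToArray());
        if (extra.Length > 0) findings.Add($"sp: grants more than read/list ({extra})");

        // spr: when absent, both HTTP and HTTPS requests are accepted.
        if (!q.TryGetValue("spr", out var spr) || spr != "https") findings.Add("spr: not restricted to https");
        // ss/srt appear only on an account SAS, the broadest scope.
        if (q.ContainsKey("ss") || q.ContainsKey("srt")) findings.Add("ss/srt: account-level SAS");
        return findings;
    }

    public static void Main()
    {
        // Sample URL from this page; the clock and the 1-hour limit are constructed for the demo.
        var url = "https://myaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2022-11-02&st=2023-09-24T09%3A00%3A00Z&se=2023-09-25T09%3A00%3A00Z&sr=b&sp=rl&sig=abcdef1234567890";
        var now = DateTimeOffset.Parse("2023-09-24T10:00:00Z", CultureInfo.InvariantCulture);
        foreach (var f in Audit(url, now, TimeSpan.FromHours(1))) Console.WriteLine(f);
    }
}
```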

Summary

Generating Azure Shared Access Signatures (SAS) in C# using the Azure SDK is simple and effective. Whether you're providing access to a specific blob or enabling broader service-level permissions, SAS tokens offer flexible, secure, and time-limited access control.

Thanks

Kailash Chandra Behera

I am an IT professional with over 13 years of experience in the full software development life cycle for Windows, services, and web-based applications using Microsoft .NET technologies.
