Create an account SAS with .NET
A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.
Every SAS is signed with a key. You can sign a SAS in one of two ways:
- With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. For more information, see Create a user delegation SAS.
- With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission.
Note
A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).
This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for .NET.
Create an account SAS
An account SAS is signed with the account access key. Use the StorageSharedKeyCredential class to create the credential that is used to sign the SAS. Next, create a new AccountSasBuilder object and call the ToSasQueryParameters method to get the SAS token string.
    using System;
    using Azure.Storage;
    using Azure.Storage.Sas;

    private static string GetAccountSASToken(StorageSharedKeyCredential key)
    {
        // Create a SAS token that's valid for one hour.
        AccountSasBuilder sasBuilder = new AccountSasBuilder()
        {
            Services = AccountSasServices.Blobs | AccountSasServices.Files,
            ResourceTypes = AccountSasResourceTypes.Service,
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
            Protocol = SasProtocol.Https
        };

        sasBuilder.SetPermissions(AccountSasPermissions.Read |
            AccountSasPermissions.Write);

        // Use the key to get the SAS token.
        string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();

        // The token is a bearer credential; it is printed here for demonstration only.
        Console.WriteLine("SAS token for the storage account is: {0}", sasToken);
        Console.WriteLine();

        return sasToken;
    }
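An added example, not part of the original article or the Azure SDK: a small checker that parses the query fields of an account SAS token (ss, srt, sp, se, spr, sip) and reports where the grant exceeds a caller-supplied policy, so an over-broad token can be caught before it is handed to a client. The class name AccountSasAudit, its method signatures and the sample token are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Web; // HttpUtility.ParseQueryString

public static class AccountSasAudit // hypothetical helper, not an Azure SDK type
{
    // Characters in 'granted' that the policy string 'allowed' does not contain.
    static string Extra(string granted, string allowed) =>
        new string((granted ?? "").Where(c => !allowed.Contains(c)).ToArray());

    // sasToken: query string without the leading '?'. The sig field is never
    // read or echoed, so the findings are safe to log.
    public static List<string> Audit(string sasToken, string services,
        string resourceTypes, string permissions, TimeSpan maxLifetime)
    {
        var q = HttpUtility.ParseQueryString(sasToken);
        var findings = new List<string>();
        void Check(string field, string allowed)
        {
            string extra = Extra(q[field], allowed);
            if (extra.Length > 0) findings.Add($"{field} exceeds policy by: {extra}");
        }
        Check("ss", services);       // b=Blob, f=File, q=Queue, t=Table
        Check("srt", resourceTypes); // s=service, c=container, o=object
        Check("sp", permissions);    // r=read, w=write, d=delete, l=list, ...

        if (!DateTimeOffset.TryParse(q["se"], CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal, out DateTimeOffset expiry))
            findings.Add("se (expiry) is missing or unparsable");
        else if (expiry - DateTimeOffset.UtcNow > maxLifetime)
            findings.Add($"se is beyond the {maxLifetime.TotalHours}h policy limit");
        if (q["spr"] != "https") // when spr is absent the service accepts https and http
            findings.Add("spr is not https-only");
        if (q["sip"] == null)
            findings.Add("no sip range: token is usable from any source address");
        return findings;
    }

    public static void Main()
    {
        // Constructed sample token: values are made up and sig is a placeholder.
        string se = Uri.EscapeDataString(DateTimeOffset.UtcNow.AddHours(8)
            .ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture));
        string token = $"sv=2022-11-02&ss=bfq&srt=sco&sp=rwdl&se={se}&sig=PLACEHOLDER";
        foreach (string f in Audit(token, "b", "s", "rw", TimeSpan.FromHours(1)))
            Console.WriteLine(f);
    }
}
```

The same check can be run on the string returned by GetAccountSASToken, with the policy arguments set to what the consuming client actually needs.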
Use an account SAS from a client
To use the account SAS to access service-level APIs for the Blob service, construct a Blob service client object using the SAS and the Blob storage endpoint for your storage account.
    using System;
    using Azure.Storage.Blobs;
    using Azure.Storage.Blobs.Models;

    private static void UseAccountSAS(Uri blobServiceUri, string sasToken)
    {
        // Append the SAS token to the Blob service endpoint as the query string.
        var blobServiceClient = new BlobServiceClient
            (new Uri($"{blobServiceUri}?{sasToken}"));

        BlobRetentionPolicy retentionPolicy = new BlobRetentionPolicy();
        retentionPolicy.Enabled = true;
        retentionPolicy.Days = 7;

        // Set service properties (metrics and logging) using the account SAS.
        blobServiceClient.SetProperties(new BlobServiceProperties()
        {
            HourMetrics = new BlobMetrics()
            {
                RetentionPolicy = retentionPolicy,
                Version = "1.0"
            },
            MinuteMetrics = new BlobMetrics()
            {
                RetentionPolicy = retentionPolicy,
                Version = "1.0"
            },
            Logging = new BlobAnalyticsLogging()
            {
                Write = true,
                Read = true,
                Delete = true,
                RetentionPolicy = retentionPolicy,
                Version = "1.0"
            }
        });

        // The permissions granted by the account SAS also permit you to retrieve service properties.
        BlobServiceProperties serviceProperties = blobServiceClient.GetProperties().Value;
        Console.WriteLine(serviceProperties.HourMetrics.RetentionPolicy);
        Console.WriteLine(serviceProperties.HourMetrics.Version);
    }