Create SAS definition and fetch shared access signature tokens in code

You can manage your storage account with shared access signature (SAS) tokens stored in your key vault. For more information, see Grant limited access to Azure Storage resources using SAS.


We recommend using Role-Based Access Control (RBAC) to secure your storage account for superior security and ease of use over Shared Key authorization.

This article provides samples of .NET code that creates a SAS definition and fetches SAS tokens. See our ShareLink sample for full details including the generated client for Key Vault-managed storage accounts. For information on how to create and store SAS tokens, see Manage storage account keys with Key Vault and the Azure CLI or Manage storage account keys with Key Vault and Azure PowerShell.

Code samples

In the following example we'll create a SAS template:

private static string BuildSasDefinitionTemplate(bool readOnly) =>
    new StringBuilder("sv=2018-03-28")  // service version
        .Append("&spr=https")           // HTTPS only
        .Append("&ss=bf")               // blobs and files only
        .Append("&srt=o")               // applies to objects only
        .Append(readOnly ? "&sp=r" : "&sp=rw")  // read-only or read-write
        .ToString();

Using this template, we can create a SAS definition using the

string sasDefinitionName = BuildSasDefinitionName(Tag, readOnly, duration);
SasDefinitionAttributes sasDefinitionAttributes = new SasDefinitionAttributes
{
    Enabled = true,
};

Dictionary<string, string> tags = new Dictionary<string, string>
{
    [Tag] = "1",
};

SasDefinitionBundle createdSasDefinition = await storageClient.SetSasDefinitionAsync(

Once the SAS definition is created, you can retrieve SAS tokens like secrets using a SecretClient. You need to prefix the secret name with the storage account name followed by a dash:

// Build our SAS template, get an existing SAS definition, or create a new one.
string sasTemplate = BuildSasDefinitionTemplate(readOnly);
string sasDefinitionName = await GetOrCreateSasDefinitionAsync(storageClient, storageAccountName, sasTemplate, days, readOnly);

// Now we can create a SecretClient and generate a new SAS token from the storage account and SAS definition names.
SecretClient secretClient = new SecretClient(vaultUri, credential, options);
KeyVaultSecret sasToken = await secretClient.GetSecretAsync($"{storageAccountName}-{sasDefinitionName}", cancellationToken: s_cancellationTokenSource.Token);

If your shared access signature token is about to expire, you can fetch the same secret again to generate a new one.

For a guide on how to use a SAS token retrieved from Key Vault to access Azure Storage services, see Use an account SAS to access Blob service.


Your app needs to be prepared to refresh the SAS if it gets a 403 from Storage, so that it can handle the case where a key was compromised and you need to rotate keys faster than the normal rotation period.
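
One way to implement the refresh-on-403 behavior described above, as an added example that is not part of the original article or the ShareLink sample. It assumes the Azure.Storage.Blobs client library and a blob URI without a query string; the class name SasRefreshingBlobReader is hypothetical.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Blobs;

// Hypothetical helper (added example): reads a blob with a Key Vault-issued SAS
// and refreshes the SAS once when Storage answers 403. Not thread-safe.
public sealed class SasRefreshingBlobReader
{
    private readonly SecretClient _secretClient;
    private readonly string _sasSecretName;
    private readonly Uri _blobUri;            // assumption: no query string on this URI
    private AzureSasCredential _sas;
    private BlobClient _blob;

    public SasRefreshingBlobReader(SecretClient secretClient, string storageAccountName, string sasDefinitionName, Uri blobUri)
    {
        _secretClient = secretClient;
        _sasSecretName = $"{storageAccountName}-{sasDefinitionName}";  // account name, dash, definition name
        _blobUri = blobUri;
    }

    // Fetching the secret again makes Key Vault generate a new SAS token. Never log the value.
    private async Task<string> FetchSasAsync(CancellationToken ct)
    {
        KeyVaultSecret secret = await _secretClient.GetSecretAsync(_sasSecretName, cancellationToken: ct);
        return secret.Value.TrimStart('?');
    }

    public async Task<BinaryData> ReadAsync(CancellationToken ct = default)
    {
        if (_blob is null)
        {
            _sas = new AzureSasCredential(await FetchSasAsync(ct));
            _blob = new BlobClient(_blobUri, _sas);
        }
        try
        {
            return (await _blob.DownloadContentAsync(ct)).Value.Content;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // SAS expired or its signing key was rotated: swap in a fresh token and retry once.
            // A second 403 propagates, since it points to a real permission problem.
            _sas.Update(await FetchSasAsync(ct));
            return (await _blob.DownloadContentAsync(ct)).Value.Content;
        }
    }
}
```

Because the existing BlobClient holds the AzureSasCredential, calling Update replaces the token for later requests without rebuilding the client.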
