Create an account SAS with .NET

A shared access signature (SAS) enables you to grant limited access to resources in your storage account, such as containers and blobs. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions the client has on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a user delegation key obtained using Azure Active Directory (Azure AD) credentials. A SAS that is signed with a user delegation key is a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key.

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for .NET.

Create an account SAS

An account SAS is signed with the account access key. Use the StorageSharedKeyCredential class to create the credential that is used to sign the SAS. Next, create a new AccountSasBuilder object, set its constraints, and call ToSasQueryParameters with the credential to get the signed SAS token string.


using System;
using Azure.Storage;
using Azure.Storage.Sas;

private static string GetAccountSASToken(StorageSharedKeyCredential key)
{
    // Create a SAS token that's valid for one hour, scoped to service-level
    // operations on the Blob and File services, and usable over HTTPS only.
    AccountSasBuilder sasBuilder = new AccountSasBuilder()
    {
        Services = AccountSasServices.Blobs | AccountSasServices.Files,
        ResourceTypes = AccountSasResourceTypes.Service,
        ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
        Protocol = SasProtocol.Https
    };

    // Read and Write on the Service resource type are what GetProperties and
    // SetProperties require; grant only the permissions the client needs.
    sasBuilder.SetPermissions(AccountSasPermissions.Read |
        AccountSasPermissions.Write);

    // Sign the builder with the account key. The result is the SAS query
    // string (without a leading '?').
    string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();

    // The token is a bearer credential: anyone who obtains it has the granted
    // access until it expires. Avoid writing it to shared logs outside a demo.
    Console.WriteLine("SAS token for the storage account is: {0}", sasToken);
    Console.WriteLine();

    return sasToken;
}
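The sample above grants two services and read plus write; in practice an account SAS should be cut to the single service, resource-type level and permission set the client actually needs, because it cannot be revoked without rotating the account key. The following is an added example, not code from the original article, that mints such a least-privilege account SAS and then checks the signed parameters before handing the token out. The method names (Mint, AssertScoped), the account name and the base64 key are constructed placeholders; since ToSasQueryParameters signs locally with an HMAC, the program runs without contacting Azure. It assumes the Azure.Storage.Blobs NuGet package (which brings in Azure.Storage.Common) on .NET 6 or later.

```csharp
// Added example (not from the original article): least-privilege account SAS
// minting plus a pre-issuance check of the signed parameters.
using System;
using System.Net;
using System.Security.Cryptography;
using Azure.Storage;
using Azure.Storage.Sas;

public static class LeastPrivilegeAccountSas
{
    // Hypothetical helper: mint an account SAS scoped to exactly one service
    // mask, one resource-type mask and one permission set, with a short life.
    public static SasQueryParameters Mint(
        StorageSharedKeyCredential key,
        AccountSasServices services,
        AccountSasResourceTypes resourceTypes,
        AccountSasPermissions permissions,
        TimeSpan lifetime,
        SasIPRange allowedIps = default)
    {
        // An account SAS is only invalidated by rotating the key, so keep
        // lifetimes short. One hour is an assumed policy limit for this example.
        if (lifetime <= TimeSpan.Zero || lifetime > TimeSpan.FromHours(1))
            throw new ArgumentOutOfRangeException(nameof(lifetime),
                "account SAS lifetime must be between 0 and 1 hour");

        DateTimeOffset now = DateTimeOffset.UtcNow;
        var builder = new AccountSasBuilder
        {
            Services = services,
            ResourceTypes = resourceTypes,
            // Back-date the start a few minutes to tolerate clock skew between
            // issuer, client and the storage service.
            StartsOn = now.AddMinutes(-5),
            ExpiresOn = now.Add(lifetime),
            Protocol = SasProtocol.Https,
            IPRange = allowedIps,   // default = no IP restriction
        };
        builder.SetPermissions(permissions);
        return builder.ToSasQueryParameters(key);
    }

    // Hypothetical helper: the signed values are what the service enforces,
    // so verify them rather than trusting the builder configuration.
    public static void AssertScoped(
        SasQueryParameters sas,
        AccountSasServices services,
        AccountSasResourceTypes resourceTypes,
        string permissions)
    {
        if (sas.Protocol != SasProtocol.Https)
            throw new InvalidOperationException("SAS is not restricted to HTTPS");
        if (sas.Services != services)
            throw new InvalidOperationException($"unexpected services: {sas.Services}");
        if (sas.ResourceTypes != resourceTypes)
            throw new InvalidOperationException($"unexpected resource types: {sas.ResourceTypes}");
        if (sas.Permissions != permissions)
            throw new InvalidOperationException($"unexpected permissions: {sas.Permissions}");
        if (sas.ExpiresOn > DateTimeOffset.UtcNow.AddHours(1))
            throw new InvalidOperationException("SAS lives longer than one hour");
    }

    public static void Main()
    {
        // Constructed placeholder credentials. A real key comes from
        // configuration or Key Vault, never from source code.
        string accountName = "examplestorage";
        string accountKey = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
        var key = new StorageSharedKeyCredential(accountName, accountKey);

        // Blob service only, service-level operations only, read only,
        // 15 minutes, and only from one (documentation-range) client address.
        SasQueryParameters sas = Mint(
            key,
            AccountSasServices.Blobs,
            AccountSasResourceTypes.Service,
            AccountSasPermissions.Read,
            TimeSpan.FromMinutes(15),
            new SasIPRange(IPAddress.Parse("203.0.113.10")));

        AssertScoped(sas, AccountSasServices.Blobs, AccountSasResourceTypes.Service, "r");

        // Log the scope, not the token: sas.ToString() is the bearer credential.
        Console.WriteLine(
            $"issued account SAS: ss={sas.Services} srt={sas.ResourceTypes} " +
            $"sp={sas.Permissions} spr={sas.Protocol} se={sas.ExpiresOn:u} sip={sas.IPRange}");
    }
}
```

The check reads the typed properties of the returned SasQueryParameters rather than re-parsing the query string, so it reflects exactly what was signed. The one-hour ceiling and the documentation-range IP address are assumptions for the example; pick the lifetime and source addresses your own policy allows.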

Use an account SAS from a client

To use the account SAS to access service-level APIs for the Blob service, construct a Blob service client object using the SAS and the Blob storage endpoint for your storage account. Because the SAS above was issued for the Service resource type with Read and Write permissions, this client can get and set service properties; it cannot list containers or read blobs, which would require the Container and Object resource types.


using System;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

private static void UseAccountSAS(Uri blobServiceUri, string sasToken)
{
    // Append the SAS token to the Blob service endpoint as its query string.
    // The single-argument constructor takes the SAS from the URI; passing a
    // second null argument is ambiguous between the credential overloads.
    var blobServiceClient = new BlobServiceClient(
        new Uri($"{blobServiceUri}?{sasToken}"));

    BlobRetentionPolicy retentionPolicy = new BlobRetentionPolicy();
    retentionPolicy.Enabled = true;
    retentionPolicy.Days = 7;

    // SetProperties needs Write permission on the Service resource type.
    blobServiceClient.SetProperties(new BlobServiceProperties()
    {
        HourMetrics = new BlobMetrics()
        {
            RetentionPolicy = retentionPolicy,
            Version = "1.0"
        },
        MinuteMetrics = new BlobMetrics()
        {
            RetentionPolicy = retentionPolicy,
            Version = "1.0"
        },
        Logging = new BlobAnalyticsLogging()
        {
            Write = true,
            Read = true,
            Delete = true,
            RetentionPolicy = retentionPolicy,
            Version = "1.0"
        }
    });

    // The Read permission granted by the account SAS also permits you to
    // retrieve service properties.
    BlobServiceProperties serviceProperties = blobServiceClient.GetProperties().Value;
    Console.WriteLine(serviceProperties.HourMetrics.RetentionPolicy.Days);
    Console.WriteLine(serviceProperties.HourMetrics.Version);
}
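A client usually receives the SAS from someone else, and the service only reports a mismatch after the request is made. The following is an added example, not code from the original article, that parses the SAS out of a URI with BlobUriBuilder, refuses it unless it is HTTPS-only, unexpired and covers the service, resource type and permission about to be used, and then handles the 403 that Azure Storage returns when a SAS does not cover an operation. The helper names (CreateCheckedClient, GetPropertiesOrNull), the account name and the placeholder signature are constructed for the example; the parse and rejection path runs offline, and the GetProperties call only happens if a real SAS URI is supplied on the command line. It assumes Azure.Storage.Blobs 12.x on .NET 6 or later.

```csharp
// Added example (not from the original article): client-side preflight of a
// received SAS URI, and handling of the service's 403 on a scope mismatch.
using System;
using Azure;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class AccountSasClientChecks
{
    // Hypothetical helper: build a BlobServiceClient only if the SAS in the
    // URI plausibly covers the intended operation. The signature itself is
    // only verified by the service; this catches scope mistakes early.
    public static BlobServiceClient CreateCheckedClient(
        Uri sasUri,
        AccountSasServices service,
        AccountSasResourceTypes resourceType,
        char permission)
    {
        var parsed = new BlobUriBuilder(sasUri).Sas
            ?? throw new ArgumentException("URI carries no SAS query parameters", nameof(sasUri));

        if (parsed.Protocol != SasProtocol.Https)
            throw new InvalidOperationException("SAS is not restricted to HTTPS (spr)");
        if (parsed.ExpiresOn <= DateTimeOffset.UtcNow)
            throw new InvalidOperationException($"SAS expired at {parsed.ExpiresOn:u} (se)");
        if (parsed.Services is null || (parsed.Services.Value & service) != service)
            throw new InvalidOperationException($"SAS does not cover service {service} (ss)");
        if (parsed.ResourceTypes is null || (parsed.ResourceTypes.Value & resourceType) != resourceType)
            throw new InvalidOperationException($"SAS does not cover resource type {resourceType} (srt)");
        if (string.IsNullOrEmpty(parsed.Permissions) || !parsed.Permissions.Contains(permission))
            throw new InvalidOperationException($"SAS lacks permission '{permission}' (sp)");

        // Pass the token as an AzureSasCredential instead of leaving it in the
        // client's base URI, so it does not surface wherever that URI is logged.
        Uri endpoint = new BlobUriBuilder(sasUri) { Sas = null }.ToUri();
        return new BlobServiceClient(endpoint, new AzureSasCredential(parsed.ToString()));
    }

    // Hypothetical helper: a SAS that does not cover the call fails with 403.
    // The ErrorCode names the constraint that failed, e.g.
    // AuthorizationPermissionMismatch (sp), AuthorizationResourceTypeMismatch (srt),
    // AuthorizationServiceMismatch (ss) or AuthenticationFailed (bad or expired signature).
    public static BlobServiceProperties GetPropertiesOrNull(BlobServiceClient client)
    {
        try
        {
            return client.GetProperties().Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.Error.WriteLine($"request refused by the service: {ex.ErrorCode}");
            return null;
        }
    }

    public static void Main(string[] args)
    {
        // Constructed, already-expired SAS URI with a placeholder signature.
        // The preflight rejects it on 'se' before any request is sent.
        var stale = new Uri(
            "https://examplestorage.blob.core.windows.net/?sv=2021-06-08&ss=b&srt=s&sp=rw" +
            "&se=2020-01-01T00:00:00Z&spr=https&sig=placeholder");
        try
        {
            CreateCheckedClient(stale, AccountSasServices.Blobs, AccountSasResourceTypes.Service, 'r');
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"rejected stale SAS: {ex.Message}");
        }

        // With a real SAS URI on the command line, run the checked call.
        if (args.Length == 1)
        {
            BlobServiceClient client = CreateCheckedClient(
                new Uri(args[0]), AccountSasServices.Blobs, AccountSasResourceTypes.Service, 'r');
            BlobServiceProperties props = GetPropertiesOrNull(client);
            if (props != null)
                Console.WriteLine($"hour metrics version: {props.HourMetrics.Version}");
        }
    }
}
```

The preflight reads the same fields the service enforces (ss, srt, sp, se, spr), so a token that passes it can still be refused only on signature validity or an IP restriction; the 403 handler covers those. The expiry check compares against local UTC time, which is the same assumption the issuer made when it set ExpiresOn.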

Next steps