This sample demonstrates how to generate a client library for Azure Key Vault-managed storage accounts and use it to generate Shared Access Signature (SAS) tokens to Storage blobs or files.


We recommend you use role-based access control (RBAC) to secure access to your storage accounts. You can centrally manage access for users and applications to resources in a way that is consistent across Azure, and works with Azure Active Directory.

Getting started

Before you can use this sample to create SAS tokens to share storage objects, you need to register the storage account with Key Vault. The following instructions require installing the Azure CLI.

  1. Log into Azure using the CLI:

    az login
  2. Find your storage account ID given the storage account name:

    az storage account show --name <StorageAccountName> --query id
  3. Give Key Vault access to your storage account using the ID retrieved above:

    az role assignment create --role "Storage Account Key Operator Service Role" --assignee "" --scope "/subscriptions/<SubscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>"
  4. Make sure your user account has permissions to manage storage accounts. Use the same account with which you logged into Azure in step 1.

    az keyvault set-policy --name <KeyVaultName> --upn <> --storage-permissions get list set update regeneratekey getsas listsas setsas
  5. Register your storage account with Key Vault. Key Vault will take over management of storage account keys and regenerate them automatically as specified, e.g. every 90 days.

    az keyvault storage add --vault-name <KeyVaultName> -n <StorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id "/subscriptions/<SubscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>"

For more detail about this process, read Manage storage account keys with Key Vault and the Azure CLI.

Building the sample

This sample not only demonstrates how to generate SAS definitions and tokens using Key Vault, but defines a REST client using our source generator we use for many other Azure SDKs. To build the project either as a standalone sample or within the Azure/azure-sdk-for-net repository using .NET Core 3.1 or newer, simply run:

dotnet build

We have no plans to ship a package for Key Vault-managed storage accounts since RBAC is recommended, but if you need support for managerd storage accounts you can copy the REST client source into your own projects by running:

dotnet msbuild /t:CopySource /p:Destination=<ProjectDirectory>

The sample project file and Program.cs are not copied automatically - only the source necessary to build the REST client. You are welcome to copy and modify the rest of the sample source as needed.

Using the sample

Once you have registered your storage account to be managed by Key Vault and built the sample, you can generate a SAS token by running the application directly:

sharelink --vault-name <KeyVaultName> --storage-account-name <StorageAccountName> --days 2

For more options, run sharelink --help.

You can also run the application from source using dotnet run --, passing any arguments after -- to the program directly:

dotnet run -- --vault-name <KeyVaultName> --storage-account-name <StorageAccountName> --days 2