Azure SAS (Shared Access Signature) using C#

Microsoft Azure Logo
Share this

In this article, I will describe how to generate Azure Shared Access Signature using C#.

In my previous article Azure Shared Access Signature (SAS), I described what is Azure Share Access Signature (SAS) and how to generate SAS token using Azure Portal. SAS token generated from Azure Portal has a predefined start and expiry time. In this sense, I would say that it’s static in nature.

Consider a scenario where you need to generate the SAS token dynamically with each user’s request with a certain set expiration time let’s say 5 min or 5 hours etc., the SAS token created from Azure Portal can’t be used. Here a dynamic SAS token using code (C#) needs to ne generated which I would explain in this article.

The easy way to generate a SAS token from C# code can be found at –

This approach uses the method GetSharedAccessSignature() method of the CloudBlobContainer class or CloudBlobBlob class.

Initially with this implementation, the SAS token worked fine on local machine connected to Azure Storage account (not Azure Storage Emulator). However, after deploying in an Azure Web App, the SAS token didn’t work and gave error – “Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.”

Hence, I came up with the following method for generating a dynamic SAS token. Here I have created a Container SAS token. Blob SAS token can be generated similarly.

Replace the value of storageConnectionString variable’s value with your Azure Storage account’s connection string. You can set the expiryTime variable’s value with your chosen expiry time. You can change the policyIdentifer variable’s value with any name you need for a temporary policy identifier.

Components of the SAS token are as follows:

1The interval over which the signature is valid
Start timestYYYY-MM-DDThh:mm:ssZ ISO 8061 format
End timeseYYYY-MM-DDThh:mm:ssZ ISO 8061 format
2Resourcesrb for blob and c for container
3Permissions associated with the signaturespread (r),write (w), delete (d), and list (l)
4The signaturesigBase64 encoded string
5Identifier for policy associated with containersi User defined string eg: –tempAccess

Now we can use this container SAS token access the blobs from the Azure storage container by suffixing the Azure Blob URL with a SAS token prefixed with a ‘?’.

This concludes the article – Azure SAS (Shared Access Signature) using C#. I hope you liked this article. If you have any comments, questions or suggestions, please post them using the comments section below this article. I will try to respond at my earliest or somebody else reading the article and your comment will try to respond.

Please subscribe to my blog via email to get regular updates on the latest articles and share this article over social networks like Facebook, Twitter etc. You can use the social sharing buttons and social sharing bar provided to share this on social media.

Share this

Leave a Reply