Azure Shared Access Signature (SAS)

Share this

In this article, I will describe what is Azure Shared Access Signature (SAS) and how they can be implemented to make your Azure Blob Storage secure.

I will come to the details of what SAS is and how it can be used a little later. First lets go to Azure Blob Storage. A blob storage has one or many storage containers which can use used to store files and media.

Below screenshot shows the Storage Accounts section in Azure Portal. Under the Storage Accounts section, a Storage Account is selected. Under ‘BLOB SERVICE‘ section, click ‘Containers‘ where a new container can be added or existing containers can be viewed and edited.

AzureBLOB_Portal

As you can see under the Containers section, there are two blob containers, first whose access type is Private and next one whose access type is Container. I have removed the parts of the names from the above screenshot for security purposes.

The difference between the two access types is that:-

‘Container’ access type : Blob container is public and blobs can be accessed using the URL format :

Blob containers marked as ‘Container’ access types are thus publicly accessible using the blob url.

‘Private’ access type : This as the name suggests is a secure access type where the blobs in the container can’t be accessed publicly over a URL.

Although, blobs from the blob container with ‘Container’ access type can be accessed publicly over the blob URL, they can’t be deleted or renamed without having the storage account access keys (screenshot below).

AzureBLOB_AccessKeys

Storage account access keys are the master keys to the storage account.

You can read more about SAS on MSDN : https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1

Now, lets move to creating Shared Access Signature (SAS) for accessing the blob storage. Below screenshot shows the Shared Access Signature section in Azure Portal.

azure_sas_creation

As you can see from the above screen, you are provided various options. You need to choose the services like ‘Blob’, ‘File’,… etc that should be accessible over SAS. Also you need to select the ‘Start and expiry date/time’. This determines the duration for which the SAS token will be alive and can be used to access various resources like Blob, File,… etc.

SAS token is generated by Azure using the Access Keys. You can select either ‘Key1’ or ‘Key2’ to generate the SAS token, the option is available at the bottom of the screen in the above screenshot.

After generating the SAS token using the process described above, the SAS token obtained is :

This SAS token can be appended to the end of the blob url as :

to access blobs in a secured way within the specified start and end time with allowed access permissions as read/write/delete/list etc.

I hope you followed the article. If you have any comments, questions or suggestions, leave a message and I will try to respond at my earliest.


Share this

9 thoughts on “Azure Shared Access Signature (SAS)”

  1. I am using storage account in my Azure cloud account so I am using Shared access signature – SAS token ,in that I have copied SAS token in my webconfig but red color underline issue is occuring how to avoid that

    can you reply my Email id : kumaraspcode2009@gmail.com

    1. What do you exactly mean by red color underline issue in webconfig? Can you send screenshot. As I understand it seems you are getting error as you have copied the SAS token in web.config without HTML encoding it. Did you encode the token?

  2. Sudipta
    I already snapshot mailed to you can you check and reply

    I am follow your Article

    i copied SAS token paste in my webconfig file there red color underline that code this right or not i do know can you assist for me

    can you reply my Email id : kumaraspcode2009@gmail.com

    1. I checked the screenshot which you mailed me. As mentioned before, you need to HTML encode the SAS token URL to place it in web.config. In your screenshot, I see the string breaks at character ‘&’. Encode ‘&’ and replace with ‘&’. Encode any other characters as required.

  3. still issue is have

    Additional information: Missing mandatory parameters for valid Shared Access Signature

    Check your mail i share the image

  4. I AM FOLLOW YOUR ARTICLE CHANGES
    DONE WHAT YOU SAID WEBCONFIG FILE

    BUT I AM STILL IN THIS ERROR

    Additional information: Missing mandatory parameters for valid Shared Access Signature

    i AM MAILED TO YOU

    CAN YOU Check your mail i share the image

    NOT WORKING YOUR CODE

  5. can you assist for this working for your article?

    it is now working?

    Why we use Azure Shared Access Signature (SAS) for upload and download?

Leave a Reply