Create an account SAS with .NET

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Microsoft Entra credentials. A SAS that is signed with Microsoft Entra credentials is a user delegation SAS. A client that creates a user delegation SAS must be assigned an Azure RBAC role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. To learn more, see Create a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. The client that creates a service SAS must either have direct access to the account key or be assigned the Microsoft.Storage/storageAccounts/listkeys/action permission. To learn more, see Create a service SAS or Create an account SAS.

Note

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for .NET.

About the account SAS

An account SAS is created at the level of the storage account. By creating an account SAS, you can:

  • Delegate access to service-level operations that aren't currently available with a service-specific SAS, such as Get Blob Service Properties, Set Blob Service Properties and Get Blob Service Stats.
  • Delegate access to more than one service in a storage account at a time. For example, you can delegate access to resources in both Azure Blob Storage and Azure Files by using an account SAS.

Stored access policies aren't supported for an account SAS.

Create an account SAS

An account SAS is signed with the account access key. You can use the StorageSharedKeyCredential class to create the credential that is used to sign the SAS.

The following code example shows how to create a new AccountSasBuilder object and call the ToSasQueryParameters method to get the account SAS token string.

public static async Task<string> CreateAccountSAS(StorageSharedKeyCredential sharedKey)
{
    // Create a SAS token that's valid for one day
    AccountSasBuilder sasBuilder = new AccountSasBuilder()
    {
        Services = AccountSasServices.Blobs | AccountSasServices.Queues,
        ResourceTypes = AccountSasResourceTypes.Service,
        ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
        Protocol = SasProtocol.Https
    };

    sasBuilder.SetPermissions(AccountSasPermissions.Read |
        AccountSasPermissions.Write);

    // Use the key to get the SAS token
    string sasToken = sasBuilder.ToSasQueryParameters(sharedKey).ToString();

    return sasToken;
}

Use an account SAS from a client

To use the account SAS to access service-level APIs for the Blob service, create a BlobServiceClient object using the account SAS and the Blob Storage endpoint for your storage account.

string accountName = "<storage-account-name>";
string accountKey = "<storage-account-key>";
StorageSharedKeyCredential storageSharedKeyCredential =
    new(accountName, accountKey);

// Create a BlobServiceClient object with the account SAS appended
string blobServiceURI = $"https://{accountName}.blob.core.windows.net";
string sasToken = await CreateAccountSAS(storageSharedKeyCredential);
BlobServiceClient blobServiceClientAccountSAS = new BlobServiceClient(
    new Uri($"{blobServiceURI}?{sasToken}"));

Resources

To learn more about creating an account SAS using the Azure Blob Storage client library for .NET, see the following resources.

Client library resources

See also