Generate SAS Token for accessing some/multiple containers

Question

In my current work, I'm trying to find a way to generate SAS Tokens on a Storage Account that have access to some of the containers, not 1, not all, but a subset. From the documentation, I'm not sure if it's possible:

Say I have under my Storage Account X, the following containers:

• container1
• container2
• container3

I managed to generate SAS Tokens for accessing a single container (container1), and for accessing all of them (all 3). But I'd like to generate a SAS Token that has access only to container1 and container3.

Is this possible? If so, how?

Answer 1

Try using a combination of a user delegation SAS (at the account level) and RBAC (on per-container level - i.e. for container1 and container3 in your example). As per https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas "The permissions granted to a client who possesses the SAS are the intersection of the permissions that were granted to the security principal that requested the user delegation key and the permissions that were granted to the resource on the SAS token using the signedPermissions (sp) field. If a permission that's granted to the security principal via RBAC isn't also granted on the SAS token, that permission isn't granted to the client who attempts to use the SAS to access the resource. When you're creating a user delegation SAS, make sure that the permissions granted via RBAC and the permissions granted via the SAS token both align to the level of access that's required by the client."

---

hth Marcin

Answer 2

Hello Potra,

Greetings! Welcome to Microsoft Q&A forum.

You can create a Shared Access Signature (SAS) token for a specific container by below following steps and you can specify the user delegation to access particular containers for a client depending on your use case.

• When generating a SAS token, you can specify the container name in the URI. This restricts the token’s access to only that container.
• For example, if you want to create a SAS token for container1, you would include the container name in the URI like this:

  https://<storage_account>.blob.core.windows.net/container1?sv=...
  

Steps:

1. Open the Azure Storage Explorer app on your local machine and navigate to your connected Storage Accounts.
2. Expand the Storage Accounts node and select Blob Containers.
3. Expand the Blob Containers node and right-click the container node you want to create a SAS token for.
4. Select Get Shared Access Signature from the options menu.
5. In the Shared Access Signature window, select your Access policy (the default is none).
6. Specify the signed key Start and Expiry date and time. Select the Time zone for the Start and Expiry date and time (default is Local)
7. Define your container Permissions by selecting the Read, Write, List, and Delete checkboxes.
8. Review and select Create.
9. A new window will appear with the Container name, SAS URL, and Query string for your container.
10. Copy and paste the SAS URL and query string values in a secure location. They'll only be displayed once and can't be retrieved once the window is closed.

You can also generate a SAS URI using Azure Portal, Azure PowerShell, or Azure CLI. Reference documentation:

• Create SAS tokens for storage containers
• Create a user delegation SAS for a container or blob with the Azure CLI
• Grant limited access to Azure Storage resources using shared access signatures (SAS)
• Get the SAS for a blob container using Storage Explorer
• Download and install Storage Explorer

Hope this helps! Please let us know if you have any further queries. I’m happy to assist you further. Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.