How to create an Azure Storage SAS token to allow upload of file from browser using @azure/storage-blob

Question

How to create an Azure Storage SAS token to allow upload of file from browser using @azure/storage-blob

Paul Rony 20

I believe that I'm very close to having the upload working as a manually generated SAS token from the portal site works in the browser to load a file. But, I need to be able to create a blob specific token for anonymous user upload to that specific name and for a 1 hour period.

The following code generates a SAS token without any errors, but the client returns "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."

		BlobServiceClient client = new BlobServiceClient(AzureStorageConnectionString());

		BlobContainerClient containerClient = client.GetBlobContainerClient("videos");

		BlobClient blobClient = containerClient.GetBlobClient(sUserID + "/" + model.name);

		BlobSasBuilder sasBuilder = new BlobSasBuilder()

		{

			BlobContainerName = containerClient.Name,

			BlobName          = blobClient.Name,

			Resource          = "b",

			StartsOn          = DateTimeOffset.UtcNow,

			ExpiresOn         = DateTimeOffset.UtcNow.AddHours(1)

		};

		sasBuilder.SetPermissions(BlobContainerSasPermissions.Create);

		var sasToken = sasBuilder.ToSasQueryParameters(new Azure.Storage.StorageSharedKeyCredential(AzureStorageAccountName(), AzureStorageSubscriptionKey()));

		Uri sasURI = blobClient.GenerateSasUri(sasBuilder);

		string sSasToken = sasURI.ToString();
```As I mentioned above, the client code works with a manually generated SAS token, so I expect it to work with a blob-specific SAS token.  Here is the client side:

```typescript
			this.blobServiceClient = new BlobServiceClient(sasToken);

			const containerClient = this.blobServiceClient.getContainerClient(containerName);

			const blockBlobClient = containerClient.getBlockBlobClient(blobName);

			const opts: BlockBlobParallelUploadOptions =

			{

				blockSize: 4 * 1024 * 1024, // 4MB blocks

				onProgress: (progress: TransferProgressEvent) =>

				{

					this.handleProgress(progress.loadedBytes);

					console.log("uploadData progress", progress);

				},

				abortSignal: this.abortSignal

			}

			const uploadBlobResponse: BlobUploadCommonResponse = await blockBlobClient.uploadData(this.file, opts);

			console.log("uploadBlobResponse", uploadBlobResponse);
```Yes, the container name and blob name are the same on server SAS token generation and client upload request.

Accepted answer

0 additional answers

Your answer

Answer 1

Vinodh247 34,741 MVP Volunteer Moderator

Hi ,

Thanks for reaching out to Microsoft Q&A.

Your SAS token generation code appears close, but the authentication issue is likely due to incorrect permissions, missing signature, or an issue with how the SAS token is applied. Here are some steps to fix it:

Fixing the SAS Token Generation:

You need to explicitly call .SetPermissions() with read, write, and create permissions for upload operations.
Make sure the ToSasQueryParameters() method is correctly generating the SAS token.

Try this updated code:

BlobServiceClient client = new BlobServiceClient(AzureStorageConnectionString());
BlobContainerClient containerClient = client.GetBlobContainerClient("videos");
BlobClient blobClient = containerClient.GetBlobClient(sUserID + "/" + model.name);

BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
    BlobContainerName = containerClient.Name,
    BlobName          = blobClient.Name,
    Resource          = "b",  // "b" for Blob-level SAS
    StartsOn          = DateTimeOffset.UtcNow,
    ExpiresOn         = DateTimeOffset.UtcNow.AddHours(1)
};

// Correcting permissions - allowing write and create
sasBuilder.SetPermissions(BlobSasPermissions.Write | BlobSasPermissions.Create);

var sasToken = sasBuilder.ToSasQueryParameters(
    new StorageSharedKeyCredential(AzureStorageAccountName(), AzureStorageSubscriptionKey()))
    .ToString();

// Generate a full SAS URI
Uri sasURI = new Uri($"{blobClient.Uri}?{sasToken}");

// Use this full SAS URI for the client-side upload
string sSasToken = sasURI.ToString();

Fixing client Side Code (TypeScript)

Ensure you're correctly using the SAS token to initialize the BlobServiceClient:

// Use the correct SAS token URI, not just the token itself
this.blobServiceClient = new BlobServiceClient(sSasToken);
const containerClient = this.blobServiceClient.getContainerClient(containerName);
const blockBlobClient = containerClient.getBlockBlobClient(blobName);
const opts: BlockBlobParallelUploadOptions = {
    blockSize: 4 * 1024 * 1024, // 4MB blocks
    onProgress: (progress: TransferProgressEvent) => {
        this.handleProgress(progress.loadedBytes);
        console.log("uploadData progress", progress);
    },
    abortSignal: this.abortSignal
};
// Uploading the file
const uploadBlobResponse: BlobUploadCommonResponse = await blockBlobClient.uploadData(this.file, opts);
console.log("uploadBlobResponse", uploadBlobResponse);

Ensure your Storage Account Key is Correct
Check if your SAS Token has a Signature (sig= in the URL)
Ensure the blob exists and container access allows SAS-based writes
Permissions should include Write and Create
Use the full SAS URI in the client code (https://storageaccount.blob.core.windows.net/container/blob?SAS), not just the token

Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

Paul Rony 20 Reputation points

2025-03-14T03:59:55.14+00:00

Yes, I tried BlobContainerSasPermissions.Write | BlobContainerSasPermissions.Create | BlobContainerSasPermissions.Add, but still did not work.

Yes, using URI, as you can see in the c# code:

string sSasToken = sasURI.ToString();

I believe the storage key is correct. The value comes from portal:

storage -> Security + networking -> Access keys -> key1

I tried rotating the keys, still not work. Keys do work as I'm able to copy files in c#. Also able to create files in c#.

Blob does not exist. The point is to create.
Vinodh247 34,741 Reputation points MVP Volunteer Moderator

2025-03-14T06:30:27.8933333+00:00
Got it! Since the blob does not exist yet, the sas token must have the correct permissions and be correctly signed. Here’s a step by step breakdown of what could be wrong and how to fix it:

Issues to Investigate

Correct SAS permissions for creating a new blob

The correct permissions are Write (w), Create (c), and Add (a). You already tried BlobContainerSasPermissions.Write | BlobContainerSasPermissions.Create | BlobContainerSasPermissions.Add, which is good.

Ensure You’re Generating the sas at the Right Level

If you are trying to create a blob that doesn’t exist, container level sas might be required instead of blob level SAS.

Use containerClient.GenerateSasUri(sasBuilder); instead of blobClient.GenerateSasUri(sasBuilder);

Check SAS Token Expiration and Signature

Ensure ExpiresOn is at least a few minutes into the future.

Double-check that the SAS token has a signature (sig=…) in the generated URL.

makes sense?
Paul Rony 20 Reputation points

2025-03-14T09:09:26.3833333+00:00

That was the trick, using the containerClient to create the blob.

Thank you for your help.
Vinodh247 34,741 Reputation points MVP Volunteer Moderator

2025-03-14T14:23:06.3166667+00:00

Paul Rony

Glad that the answer helped!

Please click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

Paul Rony 20

Tried to test again, but I get
{"title":"SAS Uri cannot be generated. builder.BlobName cannot be set to create a Name SAS.","status":500,"detail":" at

Not sure why or how it worked before. Maybe I still had the platform generated key in place.

So some fixes required to get it to work.

Remove BlobName from BlobSasBuilder as it is not allowed.
Remove attempt to create folder in C# code by prepending sUserID when creating the blob client.
Remove container from client side getContainerClient() as it will effective be used twice (i.e. /videos/videos/33334134123434/filename.mp4)
Instead, although getContainerClient suggests input is a container, we specify the sUserID to create a folder.

Final c# code:

		BlobServiceClient client = new BlobServiceClient(AzureStorageConnectionString());

		BlobContainerClient containerClient = client.GetBlobContainerClient("videos");

		BlobClient blobClient = containerClient.GetBlobClient(model.name);

		BlobSasBuilder sasBuilder = new BlobSasBuilder()

		{

			BlobContainerName = containerClient.Name,

			Resource          = "b",

			StartsOn          = DateTimeOffset.UtcNow,

			ExpiresOn         = DateTimeOffset.UtcNow.AddMinutes(15)

		};

		sasBuilder.SetPermissions(BlobContainerSasPermissions.Write | BlobContainerSasPermissions.Create | BlobContainerSasPermissions.Add);

		Uri sasURI = containerClient.GenerateSasUri(sasBuilder);

		string sSasToken = sasURI.ToString();

		AzureInitializationUploadResponse response = new AzureInitializationUploadResponse(AzureStorageAccountName(), sUserID, sSasToken, blobClient.Name);

		return Ok(response);

Final typescript code:

			const azureFileDataOutput: IAzureInitializationUploadResponse = await initializeReponse.json();

			this.blobServiceClient = new BlobServiceClient(azureFileDataOutput.SasToken);

			this.fileKey = azureFileDataOutput.FolderName + "/" + azureFileDataOutput.BlobName;

			const containerClient = this.blobServiceClient.getContainerClient(azureFileDataOutput.FolderName);

			const blockBlobClient = containerClient.getBlockBlobClient(azureFileDataOutput.BlobName);

			const opts: BlockBlobParallelUploadOptions =

			{

				blockSize: 4 * 1024 * 1024, // 4MB blocks

				onProgress: (progress: TransferProgressEvent) =>

				{

					this.handleProgress(progress.loadedBytes);

					console.log("uploadData progress", progress);

				},

				abortSignal: this.abortSignal

			}

			const uploadBlobResponse: BlobUploadCommonResponse = await blockBlobClient.uploadData(this.file, opts);

Share via

How to create an Azure Storage SAS token to allow upload of file from browser using @azure/storage-blob

0 additional answers

Your answer