Generate SAS token for specific folders

M, RAKESH 121 Reputation points
2025-03-25T12:14:10.4366667+00:00

Hello Team,

I'm trying to generate a SAS token specific to a folder through PowerShell, since the direct option is not available in the portal UI. When I upload a file, for example test.txt, it is getting saved as file symbol and *. Could you please help me fix this?

    Connect-AzAccount

    # Set the storage account name and container name
    $storageAccountName = "ABC"
    $containerName = "ASD"
    $folderPath = "A/B/C" # The folder for which you want the SAS token (e.g., folder1)
    $expiryTime = (Get-Date).AddYears(1) # Set expiry to one year from the current date
    $permissions = "racwl" # Read, Write, List permissions (adjust as needed)

    # Get the storage account key
    $storageAccountKey = "XYZ"

    # Create storage context using the storage account and key
    $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

    # Generate the SAS token for the blob
    $sasToken = New-AzStorageBlobSASToken -Container $containerName -Blob $blobPath -Permission $permissions -ExpiryTime $expiryTime -Context $context

    # Construct the full SAS URL for the blob
    $blobUrl = "https://$storageAccountName.blob.core.windows.net/$containerName/$blobPath"
    $completeSasUrl = "$blobUrl?$sasToken"

    # Output the complete SAS URL
    Write-Output $completeSasUrl

Azure Storage

2 answers

  1. Hari Babu Vattepally 3,270 Reputation points Microsoft External Staff Moderator
    2025-03-25T15:12:18.9033333+00:00

    Hi @M, RAKESH,

    To generate a SAS token for a specific folder using PowerShell, use the New-AzStorageContainerSASToken cmdlet. The New-AzStorageBlobSASToken cmdlet you're using is intended for individual blobs. Ensure you specify the folder path correctly in the -Blob parameter to generate a SAS token for a folder.

    This is because Azure Blob Storage operates with a virtual directory structure, where "folders" are implicitly created through the blob name (e.g., A/B/C/test.txt represents a "folder path"). These folders are not actual objects in the storage account. Operations, such as generating a SAS token, specifically target individual blobs or containers rather than these virtual folders.

    Please use the below script which helps in generating a SAS token for a folder:

    Connect-AzAccount
    
    # Set the storage account name and container name
    $storageAccountName = "ABC"
    $containerName = "ASD"
    $folderPath = "A/B/C" # The folder for which you want the SAS token
    
    # Set expiry to one year from the current date
    $expiryTime = (Get-Date).AddYears(1) 
    
    # Define permissions: r = Read, a = Add, c = Create, w = Write, l = List
    $permissions = "racwl"
    
    # Get the storage account key
    $storageAccountKey = "XYZ"
    
    # Create storage context using the storage account and key
    $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
    
    # Generate the SAS token for the folder
    $sasToken = New-AzStorageContainerSASToken -Container $containerName -Permission $permissions -ExpiryTime $expiryTime -Context $context
    
    # Construct the full SAS URL for the folder
    $folderUrl = "https://$storageAccountName.blob.core.windows.net/$containerName/$folderPath"
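    # Braces are required: "?" is a valid variable-name character, so "$folderUrl?" would expand an undefined variable
    $completeSasUrl = "${folderUrl}?$sasToken"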
    
    # Output the complete SAS URL
    Write-Output $completeSasUrl
    

    Please make sure to replace the $storageAccountName, $containerName, $folderPath, and $storageAccountKey with your actual values. This script will generate a SAS token that grants the specified permissions for the entire folder.

    For additional reference, please follow the below links:

    I hope that by following the above steps, you will be able to fix the issue.

    Please let us know in the comments below, if the issue is resolved or still persists. We will be glad to assist you closely.

    Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator
    2025-03-27T14:05:19.05+00:00

    Hi M, RAKESH

    Generate SAS token for specific folders

    No, it is not possible to generate a SAS token for a specific folder if your storage account is a general-purpose v2 account with a flat namespace. Blob containers in such accounts do not have real folders and do not support folder-level security.

    To generate a SAS token for a specific folder, you need to upgrade your storage account to an Azure Data Lake Gen2 storage account using this MS-Document.

    Note: Before upgrading, read and review the feature support.

    Once you complete the process, you will see a success message similar to the one shown in the image.

    Now, you will be able to generate a SAS token for a specific directory through the portal UI.

    If you need to generate a SAS token for a specific folder using PowerShell, you can use the script below for an Azure Data Lake Gen2 storage account.

    Script:

    $storageAccountName = "xxxx"
    $containerName = "xxxx"
    $folderPath = "A/B/C"  # Path to the folder in ADLS Gen2
    
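    # Encode each path segment separately so the "/" separators in the folder path stay intact
    $encodedFolderPath = ($folderPath -split '/' | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/'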
    
    $expiryTime = (Get-Date).AddYears(1)
    
    $permissions = "racwl"
    
    $storageAccountKey = "xxxxxxx"
    
    # Create a storage context
    $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
    
    # Generate the SAS token for the folder in Data Lake Gen2
    $sasToken = New-AzDataLakeGen2SasToken `
        -Context $context `
        -FileSystem $containerName `
        -Path $folderPath `
        -Permission $permissions `
        -ExpiryTime $expiryTime
    
    # Construct the full SAS URL
    $folderUrl = "https://$storageAccountName.dfs.core.windows.net/$containerName/$encodedFolderPath"
    $completeSasUrl = "{0}?{1}" -f $folderUrl, $sasToken
    
    # Output the complete SAS URL
    Write-Output "Generated SAS URL:"
    Write-Output $completeSasUrl
    

    Output: Generated SAS URL: https://venkat9012.dfs.core.windows.net/test/demo?sv=2023-08-03&se=2026-03-27T13%3A55%3A12Z&sr=d&sp=racwl&sdd=1&sig=redacted

    If you need to use only a flat namespace storage account, you can try the solution recommended by Hari Babu Vattepally.

    Reference:

    New-AzDataLakeGen2SasToken (Az.Storage) | Microsoft Learn

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to “Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
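
The two answers produce tokens with different scopes: a container SAS carries `sr=c`, while the Data Lake Gen2 directory SAS in the sample output carries `sr=d` and `sdd`. The following is an added example, not part of either answer and not Microsoft's code, that reads those fields from a SAS URL so the scope, permissions and lifetime can be checked before the URL is handed out. The function name `Get-SasScope`, the 7-day threshold, the review time and the sample URLs are assumptions constructed for illustration.

```powershell
# Added example: report what a service SAS URL grants, from its query string alone.
function Get-SasScope {
    param(
        [Parameter(Mandatory)][string]$SasUrl,
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow,
        [int]$MaxLifetimeDays = 7   # assumed review threshold, not an Azure limit
    )
    $uri = [uri]$SasUrl
    $q = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $k, $v = $pair -split '=', 2
        $q[$k] = [uri]::UnescapeDataString([string]$v)
    }
    $resourceNames = @{ b = 'blob'; c = 'container'; d = 'directory' }
    $permNames = @{ r = 'read'; a = 'add'; c = 'create'; w = 'write'; d = 'delete'; l = 'list' }

    $path      = $uri.AbsolutePath.Trim('/')
    $container = ($path -split '/')[0]
    $expiry    = if ($q['se']) { [datetimeoffset]::Parse($q['se'], [cultureinfo]::InvariantCulture) }
    $findings  = @()

    # sr=c signs the container name only, so any path appended to the URL is cosmetic.
    if ($q['sr'] -eq 'c' -and $path -ne $container) {
        $findings += "sr=c: valid for every blob in '$container', not only '$path'"
    }
    if ($expiry -and $expiry.Subtract($Now).TotalDays -gt $MaxLifetimeDays) {
        $findings += "expires $($expiry.ToString('u')), more than $MaxLifetimeDays days from now"
    }
    # User delegation SAS tokens carry skoid/sktid; their absence means shared-key signing.
    if (-not $q.ContainsKey('skoid')) {
        $findings += 'no skoid: signed with the storage account key'
    }
    [pscustomobject]@{
        Resource    = $resourceNames[[string]$q['sr']]
        Scope       = if ($q['sr'] -eq 'c') { $container } else { $path }
        Permissions = (([string]$q['sp']).ToCharArray() | ForEach-Object { $permNames["$_"] }) -join ','
        Findings    = $findings
    }
}

# Constructed sample URLs and review time; account name and signature are placeholders.
$now  = [datetimeoffset]'2025-03-27T14:00:00Z'
$tail = 'sv=2023-08-03&se=2026-03-27T13%3A55%3A12Z&sp=racwl&sig=PLACEHOLDER'
@(
    "https://exampleaccount.blob.core.windows.net/asd/A/B/C?sr=c&$tail",
    "https://exampleaccount.dfs.core.windows.net/asd/A/B/C?sr=d&sdd=3&$tail"
) | ForEach-Object { Get-SasScope -SasUrl $_ -Now $now } | Format-List
```

For the first URL the reported scope is the container `asd` even though the URL names `A/B/C`; for the second it is the directory `asd/A/B/C`.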

