Create a stored access policy with .NET
A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Defining a stored access policy serves to group shared access signatures and to provide additional restrictions for shared access signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a SAS, or to revoke it after it has been issued.
The following Azure Storage resources support stored access policies:
- Blob containers
- File shares
- Queues
- Tables
Note
A stored access policy on a container can be associated with a shared access signature granting permissions to the container itself or to the blobs it contains. Similarly, a stored access policy on a file share can be associated with a shared access signature granting permissions to the share itself or to the files it contains.
Stored access policies are supported for a service SAS only. Stored access policies are not supported for account SAS or user delegation SAS.
For more information about stored access policies, see Create a stored access policy.
Create a stored access policy
The underlying REST operation to create a stored access policy is Set Container ACL. You must authorize the operation to create a stored access policy via Shared Key by using the account access keys in a connection string. Authorizing the Set Container ACL operation with Microsoft Entra credentials is not supported. For more information, see Permissions for calling data operations.
The following code examples create a stored access policy on a container. You can use the access policy to specify constraints for a service SAS on the container or its blobs.
To create a stored access policy on a container with version 12 of the .NET client library for Azure Storage, call one of the following methods:
The following example creates a stored access policy that is in effect for one day and that grants read/write permissions:
async static Task CreateStoredAccessPolicyAsync(string containerName)
{
string connectionString = "";
// Use the connection string to authorize the operation to create the access policy.
// Azure AD does not support the Set Container ACL operation that creates the policy.
BlobContainerClient containerClient = new BlobContainerClient(connectionString, containerName);
try
{
await containerClient.CreateIfNotExistsAsync();
// Create one or more stored access policies.
List<BlobSignedIdentifier> signedIdentifiers = new List<BlobSignedIdentifier>
{
new BlobSignedIdentifier
{
Id = "mysignedidentifier",
AccessPolicy = new BlobAccessPolicy
{
StartsOn = DateTimeOffset.UtcNow.AddHours(-1),
ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
Permissions = "rw"
}
}
};
// Set the container's access policy.
await containerClient.SetAccessPolicyAsync(permissions: signedIdentifiers);
}
catch (RequestFailedException e)
{
Console.WriteLine(e.ErrorCode);
Console.WriteLine(e.Message);
}
finally
{
await containerClient.DeleteAsync();
}
}
See also
- Grant limited access to Azure Storage resources using shared access signatures (SAS)
- Create a stored access policy
- Configure Azure Storage connection strings
Resources
For related code samples using deprecated .NET version 11.x SDKs, see Code samples using .NET version 11.x.