This sample demonstrates how to generate a client library for Azure Key Vault-managed storage accounts and use it to generate Shared Access Signature (SAS) tokens to Storage blobs or files.


We recommend you use role-based access control (RBAC) to secure access to your storage accounts. You can centrally manage access for users and applications to resources in a way that is consistent across Azure, and works with Azure Active Directory.

If you want to manage secrets, keys, or certificates, you can use our existing supported SDKs:

Getting started

Before you can use this sample to create SAS tokens to share storage objects, you need to register the storage account with Key Vault. The following instructions require installing the Azure CLI.

  1. Log into Azure using the CLI:

    az login
  2. Find your storage account ID given the storage account name:

    az storage account show --name <StorageAccountName> --query id
  3. Give Key Vault access to your storage account using the ID retrieved above:

    az role assignment create --role "Storage Account Key Operator Service Role" --assignee "" --scope "/subscriptions/<SubscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>"
  4. Make sure your user account has permissions to manage storage accounts. Use the same account with which you logged into Azure in step 1.

    az keyvault set-policy --name <KeyVaultName> --upn <> --storage-permissions get list set update regeneratekey getsas listsas setsas
  5. Register your storage account with Key Vault. Key Vault will take over management of storage account keys and regenerate them automatically as specified, e.g. every 90 days.

    az keyvault storage add --vault-name <KeyVaultName> -n <StorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id "/subscriptions/<SubscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>"

For more detail about this process, read Manage storage account keys with Key Vault and the Azure CLI.

Building the sample

This sample not only demonstrates how to generate SAS definitions and tokens using Key Vault, but defines a REST client using our source generator we use for many other Azure SDKs. To build the project either as a standalone sample or within the Azure/azure-sdk-for-net repository using .NET Core 3.1 or newer, simply run:

dotnet build

We have no plans to ship a package for Key Vault-managed storage accounts since RBAC is recommended, but if you need support for managed storage accounts you can copy the REST client source into your own projects by running:

dotnet build /t:CopySource /p:Destination=<ProjectDirectory>

The sample project file and Program.cs are not copied automatically. Only the source necessary to build the REST client is copied. You are welcome to copy and modify the rest of the sample source as needed.

You also need to add references to Azure.Core and Microsoft.Azure.AutoRest.CSharp in your project. In your project directory where you just copied source run:

dotnet add package Azure.Core
dotnet add package Microsoft.Azure.AutoRest.CSharp --prerelease

Using the sample

Once you have registered your storage account to be managed by Key Vault and built the sample, you can generate a SAS token by running the application directly:

sharelink --vault-name <KeyVaultName> --storage-account-name <StorageAccountName> --days 2

For more options, run sharelink --help.

You can also run the application from source using dotnet run --, passing any arguments after -- to the program directly:

dotnet run -- --vault-name <KeyVaultName> --storage-account-name <StorageAccountName> --days 2