
How to Generate SAS Token in Azure: Simple Guide

To generate a SAS token in Azure, you create a token string that grants limited access to storage resources with specific permissions and an expiry time. You can generate it using the Azure Portal, Azure CLI, or Azure SDKs by specifying the resource, permissions, and expiration details.

Syntax

The SAS token is a URL query string that includes parameters defining access rights and expiration. The main parts are:

  • sv: The storage service version.
  • ss: Services accessible (blob, file, queue, table).
  • srt: Resource types (service, container, object).
  • sp: Permissions (read, write, delete, list, etc.).
  • se: Expiry time in UTC.
  • st: Start time in UTC (optional).
  • spr: Allowed protocols (https,http).
  • sig: Signature string for authentication.
```
https://<storage-account>.blob.core.windows.net/<container>/<blob>?sv=<version>&ss=<services>&srt=<resource-types>&sp=<permissions>&se=<expiry>&st=<start>&spr=<protocols>&sig=<signature>
```

Example

This example shows how to generate a SAS token for an Azure Blob Storage container using Azure CLI. It grants read and list permissions valid for 1 hour.

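```bash
# Expiry is computed as one hour from now in UTC (GNU date syntax).
# The command substitution is quoted so the value is passed as a single argument.
az storage container generate-sas \
  --account-name mystorageaccount \
  --name mycontainer \
  --permissions rl \
  --expiry "$(date -u -d '1 hour' '+%Y-%m-%dT%H:%MZ')" \
  --https-only \
  --output tsv
```

Output

```
sv=2022-11-02&ss=b&srt=c&sp=rl&se=2024-06-01T15:00Z&spr=https&sig=exampleSignatureString
```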

Common Pitfalls

Common mistakes when generating SAS tokens include:

  • Setting expiry time in the past or too far in the future.
  • Using incorrect permissions that do not match the intended access.
  • Not specifying HTTPS-only access, which reduces security.
  • Forgetting to URL-encode the signature part.
  • Using account SAS when service SAS is more appropriate, or vice versa.
```bash
# Wrong (no --https-only):
az storage container generate-sas --account-name mystorageaccount --name mycontainer --permissions rl --expiry 2024-06-01T15:00Z --output tsv

# Right (with --https-only):
az storage container generate-sas --account-name mystorageaccount --name mycontainer --permissions rl --expiry 2024-06-01T15:00Z --https-only --output tsv
```
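
The checks from the pitfalls list can be automated before a token is handed out. The following Python function is an added example, not part of the original guide; the function names and the default policy (read/list only, at most one hour) are assumptions, `GOOD` is the sample output shown earlier, and `BAD` is a constructed token with a made-up signature.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_utc(value):
    """Parse the UTC timestamp forms used in se/st, e.g. 2024-06-01T15:00Z."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def audit_sas(token, now, allowed_perms="rl", max_lifetime=timedelta(hours=1)):
    """Return findings for a SAS token or SAS URL; an empty list means no issues."""
    query = urlsplit(token).query if "://" in token else token.lstrip("?")
    # Keep the raw values too: a literal '+' is only visible before decoding.
    raw = dict(pair.partition("=")[::2] for pair in query.split("&") if pair)
    p = {k: unquote(v) for k, v in raw.items()}
    findings = []
    if "se" not in p:
        findings.append("no expiry (se)")
    else:
        expiry = parse_utc(p["se"])
        if expiry <= now:
            findings.append("expiry (se) is in the past")
        elif expiry - now > max_lifetime:
            findings.append("expiry (se) exceeds the allowed lifetime")
    # When spr is absent, the service accepts both https and http.
    if p.get("spr") != "https":
        findings.append("plain HTTP allowed (spr is not https)")
    extra = sorted(set(p.get("sp", "")) - set(allowed_perms))
    if extra:
        findings.append("extra permissions: " + "".join(extra))
    if not p.get("sig"):
        findings.append("no signature (sig)")
    elif "+" in raw["sig"]:
        findings.append("sig has a raw '+'; encode it as %2B")
    return findings

NOW = datetime(2024, 6, 1, 14, 0, tzinfo=timezone.utc)  # fixed clock for the demo
GOOD = "sv=2022-11-02&ss=b&srt=c&sp=rl&se=2024-06-01T15:00Z&spr=https&sig=exampleSignatureString"
BAD = "sv=2022-11-02&sp=rwdl&se=2025-06-01T15:00Z&sig=abc+def%3D"  # constructed

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas(tok, NOW))
```
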

Quick Reference

| Parameter | Description | Example |
|-----------|-------------|---------|
| sv | Storage service version | 2022-11-02 |
| ss | Services accessible | b (blob) |
| srt | Resource types | c (container) |
| sp | Permissions | rl (read, list) |
| se | Expiry time (UTC) | 2024-06-01T15:00Z |
| st | Start time (UTC, optional) | 2024-06-01T14:00Z |
| spr | Allowed protocols | https |
| sig | Signature string | generated hash |

Key Takeaways

  • Generate SAS tokens by specifying permissions, resource, and expiry to control access.
  • Always set HTTPS-only access to keep your data secure.
  • Use Azure CLI or SDKs for easy and correct SAS token generation.
  • Check expiry times carefully to avoid invalid or overly permissive tokens.
  • Understand the difference between account SAS and service SAS for proper use.