Azure Storage is a cloud service at the very center of Microsoft Azure. It provides the foundations for storing data in many services and systems within the Azure cloud platform. You can use Azure Blob Storage to store any binary data such as files, images, backups, .vhd files, videos, and pretty much any other file. Azure Blob Storage secures all blobs / files by default, so they can’t be accessed without a key. You can configure the service to allow anonymous access to blobs; however, there are many circumstances where you want to securely share a file with Azure Blob Storage.

Here’s the simple command you can run at the command-line using the Azure CLI 2.0 to generate a SAS (Shared Access Signature) token / key for a specific file stored in Azure Blob Storage:

# command format (each line ends with a backslash so the shell reads it as one command)
az storage blob generate-sas \
    --account-name {storage account name} \
    --account-key {storage account key} \
    --container-name {name of blob container} \
    --name {blob name} \
    --permissions {permission to grant} \
    --expiry {date/time to expire SAS token}

# usage example
az storage blob generate-sas \
    --account-name cloudstorageomega \
    --account-key if/Vyz+TETuP9/QT1D4CBfCqLVjnXzmOH39tE5LSkI/oxYBfNI3rf28OcydA5mTZR3hxSxH4RxtkQQzi/o8VwA== \
    --container-name Images \
    --name myimage.png \
    --permissions r \
    --expiry 2017-05-31

Here’s a description of the parameters to pass into the “az storage blob generate-sas” command:

-c / --container-name
The name of the Blob Container.

-n / --name
The name of the Blob.

--permissions
The permissions to grant. This parameter should not be used if specifying a stored access policy. The allowed values are:

  • a = Add
  • c = Create
  • d = Delete
  • r = Read
  • w = Write

--expiry
Specify the UTC date/time at which the SAS token becomes invalid. This parameter should not be used if specifying a stored access policy.

SAS Token in Return Result

The result of this command is the SAS Token, which authenticates calls to the Blob with the permissions specified.

You can copy this and add the full value to the query string of the URL to access the Blob in the Azure Storage account.

Here’s the URL for the Blob in Azure Storage in the code snippet example above:


Here’s the FULL URL for the Blob with the SAS Token applied:

Account Name and Key

Something to note about the “--account-name” and “--account-key” parameters is that you need to specify the name of the Storage Account, and the Key to that Storage Account.

To get the Keys for an Azure Storage Account, you can find those easily within the Azure Portal, however, here’s an example of the Azure CLI 2.0 command to retrieve the Keys for an Azure Storage Account:

az storage account keys list \
    --resource-group {resource group name} \
    --account-name {storage account name}

This is a simple command, but it can be very useful, especially if you’re using the command-line and need to quickly create a SAS token for a specific Blob in an Azure Storage account.
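
Because the SAS token is carried in the URL's query string as plain fields (`sp` for permissions, `se` for expiry, `spr` for protocol, `si` for a stored access policy, `sig` for the signature), a SAS URL can be checked before it is handed to anyone. The Python below is an added example, not part of the original post; the account name, the signature value and the one-day lifetime limit are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters as listed above for --permissions.
PERMISSIONS = {"a": "Add", "c": "Create", "d": "Delete", "r": "Read", "w": "Write"}
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_expiry(value):
    """Parse the 'se' field (UTC) in the common SAS date/time layouts."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised expiry: " + value)


def audit_sas_url(url, now, max_lifetime=timedelta(days=1)):
    """Return a list of findings for a blob URL that carries a SAS token."""
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in fields:
        return ["no SAS signature (sig) in query string"]
    findings = []
    if parts.scheme != "https":
        findings.append("URL uses " + parts.scheme + ", token is exposed in transit")
    # When 'spr' is absent the service accepts both HTTPS and HTTP.
    if fields.get("spr", "https,http") != "https":
        findings.append("token is not restricted to HTTPS (spr)")
    extra = [PERMISSIONS.get(p, p) for p in fields.get("sp", "") if p != "r"]
    if extra:
        findings.append("grants more than Read: " + ", ".join(extra))
    if "se" in fields:
        expiry = parse_expiry(fields["se"])
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - now > max_lifetime:
            findings.append("expires in more than %d day(s)" % max_lifetime.days)
    elif "si" not in fields:
        findings.append("no expiry (se) and no stored access policy (si)")
    return findings


# Constructed sample: placeholder account name and a fake signature value.
SAMPLE_URL = ("https://exampleaccount.blob.core.windows.net/images/myimage.png"
              "?sv=2016-05-31&sr=b&sp=rwd&se=2017-05-31&sig=ZmFrZS1zaWduYXR1cmU%3D")
NOW = datetime(2017, 5, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for finding in audit_sas_url(SAMPLE_URL, NOW):
        print("-", finding)
```

Passing `--https-only` to `az storage blob generate-sas` sets `spr=https`, which clears the protocol finding.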

Posted by Chris Pietschmann

Chris is a Microsoft MVP and has nearly 20 years of experience building enterprise systems both in the cloud and on-premises. He is also a Microsoft Certified (MCSD) Azure Solutions Architect. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.
