Accessing Blob Using SAS Token with .NET Framework

In this article, we will explain how to access a blob using a SAS token and specifically, how to download files using .NET code.

First, let’s clarify what SAS stands for – Shared Access Signature. Due to access protection, we cannot directly access the blob. However, if the container has public access, the file can be accessed directly using the blob URL.

By creating a blob URL with a SAS token, users can download the file without requiring any authentication. Additionally, the SAS token allows us to set the validity period of the URL by specifying start and end times. Furthermore, we can also set access permissions (such as read or write) on the SAS token.

There are two ways to create a SAS token:

  1. Adhoc token: Once you provide the blob URL to a client, you do not revoke this access until the specified expiry time.
  2. SAS with stored access policy.
const string AccountName = "--accountname--";
const string AccountKey = "--accountkey--";
const string ContainerName = "--blob container--";
const string BlobName = "--blob name--";
const string ConnectionString = "--connectionstring--";

BlobContainerClient blobContainerClient = new BlobContainerClient(ConnectionString,


BlobClient blobClient = blobContainerClient.GetBlobClient(BlobName);

Azure.Storage.Sas.BlobSasBuilder blobSasBuilder = new Azure.Storage.Sas.BlobSasBuilder()
    BlobContainerName = ContainerName,
    BlobName = "filename.xlsx",
    ExpiresOn = DateTime.UtcNow.AddMinutes(5), // Let the SAS token expire after 5 minutes.
blobSasBuilder.SetPermissions(Azure.Storage.Sas.BlobSasPermissions.Read); // User can only read the blob and its properties.
var sasToken = blobSasBuilder.ToSasQueryParameters(new 
StorageSharedKeyCredential(AccountName, AccountKey)).ToString();
var sasURL = $"{blobClient.Uri.AbsoluteUri}?{sasToken}";


In the provided code, we create a BlobContainerClient by passing the storage account connection string and the container’s name as constructor parameters. The blobContainerClient.CreateIfNotExistsAsync() method is used to create the container in the storage account if it does not already exist.

Next, we get the BlobClient for the specified blob name from the container. The blob name represents the file name that is already stored in the container. We intend to share this file with others.

The BlobSasBuilder class is used to create a SAS token. It requires us to provide certain parameters. We specify the BlobContainerName where our file exists and set the expiry date on the file’s URL that we will share. Once the expiry time has passed, the URL will no longer be valid.

We can also set permissions on the blob through the SAS token. By setting the permissions to read-only, we only allow others to read the file, not write to it. This way, permissions can be tailored to specific requirements.

On line 22, we provide the storage account name and storage account key to generate a StorageSharedKeyCredential, which is then passed to the ToSasQueryParameters method. This enables us to generate a SAS token.

If you examine the SAS token, you will see all the parameter information that we have set on the BlobSasBuilder, such as the expiry date and permissions.

For example:


sv= signedversion  st=signedstart   se=signedexpiry sr=signedresource  sp=signed permission  si=signedidentifier  sig=signature

On line 24, we generate the complete URL by appending the SAS token to it. You can now share this URL.

Note: Allowing the SAS token URL may compromise the security vulnerability of your storage account, so it is not recommended for confidential information.

Interested in exploring more about our company? Visit Skrots.

Check out our variety of services at Skrots Services. Thanks for reading!

Also, don’t forget to visit our Blog at Skrots for more insightful articles.

Show More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button