Access Blob Using SAS Token With .NET Framework

This article shows how to access a blob using a SAS token and, more specifically, how to download files using .NET code.

Note: SAS = Shared Access Signature

We cannot access the blob directly when the container is access-protected. If the container has public access, you can access the file directly using the blob URL.

When we create the blob URL with a SAS token appended, the user can download the file directly without any further authentication.

When we create a SAS, we also set how long the URL is valid by providing a start and end time.

The other thing we can set on the SAS token is the access permission (Read, Write, etc.).

There are two ways we can create a SAS token:

  1. Ad hoc SAS: once you give the blob URL to the client, you cannot revoke this access until the expiry time set on the token is reached.
  2. SAS with stored access policy.

using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

// Placeholders: replace with the values for your storage account.
const string AccountName = "--accountname--";
const string AccountKey = "--accountkey--";
const string ContainerName = "--blob container--";
const string BlobName = "--blob name--";
const string ConnectionString = "--connectionstring--";

BlobContainerClient blobContainerClient = new BlobContainerClient(ConnectionString,
    ContainerName);

// Create the container if it does not exist yet (run this inside an async method).
await blobContainerClient.CreateIfNotExistsAsync();

// BlobName is a file already stored in the container, for example filename.xlsx.
BlobClient blobClient = blobContainerClient.GetBlobClient(BlobName);

BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
    BlobContainerName = ContainerName,
    // Must be the same blob as in the URL below, otherwise the signature will not match.
    BlobName = blobClient.Name,
    Resource = "b", // The SAS is scoped to a single blob.
    ExpiresOn = DateTime.UtcNow.AddMinutes(5), // Let the SAS token expire after 5 minutes.
};
// The user will only be able to read the blob and its properties.
blobSasBuilder.SetPermissions(BlobSasPermissions.Read);

// Sign the SAS parameters with the storage account key.
var sasToken = blobSasBuilder.ToSasQueryParameters(
    new StorageSharedKeyCredential(AccountName, AccountKey)).ToString();
var sasURL = $"{blobClient.Uri.AbsoluteUri}?{sasToken}";

Console.WriteLine(sasURL);

In the above code, we created BlobContainerClient, passing the storage account connection string and name of the container as constructor parameters.

The call to blobContainerClient.CreateIfNotExistsAsync() creates the container in the storage account if it does not exist.

Then we get the blob from the container by its name; the blob name is the name of a file already stored in the container. So filename.xlsx will already exist, and we want to share this file with others.

BlobSasBuilder is the class that creates a SAS token, and we must pass some parameters to it. BlobContainerName is the container where our file exists, and BlobName is the file we want to share. We can also set an expiry time on the file URL that we will share; once the expiry time has passed, that URL is no longer valid.

We can also set permissions on the blob, so that the generated SAS URL allows only the permitted operations. Here we set read-only permission, so the person we share the URL with can read the file but not write to it. In the same way, you can set permissions as per your requirement.

Then we pass the storage account name and storage account key to create a StorageSharedKeyCredential, which we pass to the ToSasQueryParameters method. This is how the SAS token is generated.

If you look at the SAS token, you can see all the parameters we set on BlobSasBuilder, such as the expiry date and the permission.

For example

sv=2022-02-12&st=2021-02-09&se=2021-02-10&sr=c&sp=r&si=YWJjZGVmZw%3d%3d&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

  sv  = signed version
  st  = signed start
  se  = signed expiry
  sr  = signed resource
  sp  = signed permission
  si  = signed identifier
  sig = signature

Finally, we build the whole URL by appending the SAS token to the blob URL; this is the URL you can share.

Note: Anyone who has the SAS token URL can use it, so sharing it may expose your storage account to security risks; it is not recommended for confidential information.
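
The second approach listed above, a SAS tied to a stored access policy, keeps the expiry and permission on the container so that a shared URL can be revoked before it expires. The following is an added example, not code from the original article; it assumes a recent Azure.Storage.Blobs 12.x package, and the policy name "read-only-share" and the class name are hypothetical.

```csharp
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

static class StoredPolicySas
{
    // Placeholders, as in the article's snippet; PolicyId is a hypothetical name.
    const string AccountName = "--accountname--";
    const string AccountKey = "--accountkey--";
    const string ContainerName = "--blob container--";
    const string BlobName = "--blob name--";
    const string ConnectionString = "--connectionstring--";
    const string PolicyId = "read-only-share";

    static BlobContainerClient Container() => new BlobContainerClient(ConnectionString, ContainerName);

    public static string CreateSasUrl()
    {
        // Expiry and permission live in the policy on the container, not in the token.
        var policy = new BlobSignedIdentifier
        {
            Id = PolicyId,
            AccessPolicy = new BlobAccessPolicy
            {
                PolicyExpiresOn = DateTimeOffset.UtcNow.AddMinutes(5),
                Permissions = "r" // read only
            }
        };
        // This replaces the container's existing policy list and keeps public access off.
        Container().SetAccessPolicy(permissions: new[] { policy });

        BlobClient blob = Container().GetBlobClient(BlobName);
        var builder = new BlobSasBuilder
        {
            BlobContainerName = ContainerName, BlobName = blob.Name,
            Resource = "b", Identifier = PolicyId // the token only references the policy (si=...)
        };
        var key = new StorageSharedKeyCredential(AccountName, AccountKey);
        return $"{blob.Uri.AbsoluteUri}?{builder.ToSasQueryParameters(key)}";
    }

    // Revoke every URL issued under the policy by removing it from the container.
    public static void Revoke() =>
        Container().SetAccessPolicy(permissions: Array.Empty<BlobSignedIdentifier>());

    static void Main() => Console.WriteLine(CreateSasUrl());
}
```

A changed or removed stored access policy can take up to 30 seconds to take effect, and a container holds at most five policies.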