Azure CLI 2.0: Generate SAS Token for Blob in Azure Storage

Chris Pietschmann on May 23, 2017

Azure Storage is a cloud service at the very center of Microsoft Azure. It provides the foundations for storing data in many services and systems within the Azure cloud platform. You can use Azure Blob Storage to store any binary data such as files, images, backups, .vhd’s, videos, and pretty much any other file. Azure Blob Storage secures all blobs / files by default, so they can’t be accessed without a key. You can configure the service to allow anonymous access to blobs; however, there are many circumstances where you want to securely share a file with Azure Blob Storage.

Generate SAS Token

Here’s the simple command you can run at the command-line using the Azure CLI 2.0 to generate a SAS (Shared Access Signature) token / key for a specific file stored in Azure Blob Storage:

# command format (the trailing backslashes continue the command on the next line)
az storage blob generate-sas \
    --account-name {storage account name} \
    --account-key {storage account key} \
    --container-name {name of blob container} \
    --name {blob name} \
    --permissions {permission to grant} \
    --expiry {date/time to expire SAS token}

# usage example (the key is quoted so the shell passes it through unchanged)
az storage blob generate-sas \
    --account-name cloudstorageomega \
    --account-key 'if/Vyz+TETuP9/QT1D4CBfCqLVjnXzmOH39tE5LSkI/oxYBfNI3rf28OcydA5mTZR3hxSxH4RxtkQQzi/o8VwA==' \
    --container-name Images \
    --name myimage.png \
    --permissions r \
    --expiry 2017-05-31

Here’s a description of the parameters to pass into the az storage blob generate-sas command:

-c / --container-name The name of the Blob Container.

-n / --name The name of the Blob.

--permissions The permissions to grant. This parameter should not be used if specifying a stored access policy. The allowed values are:

  • a = Add
  • c = Create
  • d = Delete
  • r = Read
  • w = Write

--expiry Specify the UTC date time of when the SAS token becomes invalid. This parameter should not be used if specifying a stored access policy.

Returned SAS Token and Result

The command returns the SAS Token, which authenticates calls to the Blob with the permissions specified.

You can copy this and add the full value as the query string of the Blob’s URL to access the Blob in the Azure Storage account.

Here’s the URL for the Blob in Azure Storage in the code snippet example above:

https://cloudstorageomega.blob.core.windows.net/Images/myimage.png

Here’s the FULL URL for the Blob with the SAS Token applied:

https://cloudstorageomega.blob.core.windows.net/Images/myimage.png?sv=2016-05-31&sp=r&sr=b&se=2017-05-31&sig=pSpeyjcHtoTdHBUr%2BGoJ23G9BM7mxlea8UnyBL4gKT8%3D
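The query string of the full URL above states what the token allows: sp (permissions), sr (resource scope), se (expiry) and, when present, spr (allowed protocols). The following is an added example, not code from the original article: a POSIX shell check that reads those fields from a SAS URL and lists anything a reviewer would want to see before the link is shared. The function names, the review dates and the sig=CONSTRUCTED values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the article. Sample URLs below are constructed.

# sas_field URL KEY: print the value of query parameter KEY (nothing if absent).
sas_field() {
    rest=${1#*\?}
    [ "$rest" = "$1" ] && return 0              # URL has no query string
    while [ -n "$rest" ]; do
        pair=${rest%%&*}
        case $rest in *"&"*) rest=${rest#*&} ;; *) rest= ;; esac
        case $pair in "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;; esac
    done
    return 0
}

# ymd DATE: reduce YYYY-MM-DD[Thh:mmZ] to the integer YYYYMMDD (day granularity).
ymd() { printf '%s' "$1" | cut -c1-10 | sed 's/-//g'; }

# flag TEXT: print one finding and remember that something was reported.
flag() { printf '%s\n' "$1"; found=1; }

# sas_audit URL TODAY LIMIT: TODAY and LIMIT are UTC dates (YYYY-MM-DD); LIMIT
# is the latest expiry the reviewer accepts. Prints one finding per line, or "ok".
sas_audit() {
    url=$1 found=0
    sp=$(sas_field "$url" sp); sr=$(sas_field "$url" sr); se=$(sas_field "$url" se)
    [ -n "$(sas_field "$url" sig)" ] || flag "no sig parameter: not a SAS URL"
    case $sp in *[!r]*) flag "grants more than read: sp=$sp" ;; esac
    [ "$sr" = b ] || flag "scope is not a single blob: sr=$sr"
    [ "$(sas_field "$url" spr)" = https ] || flag "spr=https not set: token is also accepted over HTTP"
    case $se in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*)
            [ "$(ymd "$se")" -ge "$(ymd "$2")" ] || flag "already expired: se=$se"
            [ "$(ymd "$se")" -le "$(ymd "$3")" ] || flag "expires after $3: se=$se"
            ;;
        *)  flag "no usable se value: expiry comes from a stored access policy or is missing" ;;
    esac
    [ "$found" -eq 0 ] && echo ok
    return 0
}

# Constructed inputs: the article's URL shape with a placeholder signature.
base='https://cloudstorageomega.blob.core.windows.net/Images/myimage.png'
sas_audit "$base?sv=2016-05-31&sp=r&sr=b&se=2017-05-31&sig=CONSTRUCTED" 2017-05-24 2017-06-01
sas_audit "$base?sv=2016-05-31&sp=rwd&sr=c&spr=https&se=2018-05-31T00%3A00Z&sig=CONSTRUCTED" 2017-05-24 2017-06-01
```

The first call reports only the missing spr=https; adding --https-only to az storage blob generate-sas makes the CLI include that field in the token.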

Get Account Name and Key

Something to note about the --account-name and --account-key parameters is that you need to specify the name of the Storage Account, and the Key to that Storage Account.

You can find the Keys for an Azure Storage Account easily within the Azure Portal; however, here’s an example of the Azure CLI 2.0 command to retrieve the Keys for an Azure Storage Account:

az storage account keys list \
    --resource-group {resource group name} \
    --account-name {storage account name}

This is a simple command, but it can be very useful, especially if you’re using the command-line and need to quickly create a SAS token for a specific Blob in an Azure Storage account.