A safe way to give temporary rights

Say you want to share some files from Azure blob storage, but you don’t want those files to be available for everyone to see. In that case a Shared Access Signature (SAS) is the answer. To create a SAS you first set up a permission policy, which you then assign to your storage container.

We prepared a code example that will guide you through the process and show you how to create one.

First things first, establish the connection with your storage account using your connection string. Create a CloudBlobClient and use it to get a reference to your container by name.

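using System.Configuration;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

// Read the connection string from app settings and get a reference to the container.
var connectionstring = ConfigurationManager.AppSettings["Your_Connection_String"];
var storageAccount = CloudStorageAccount.Parse(connectionstring);
var client = storageAccount.CreateCloudBlobClient();
var container = client.GetContainerReference("Your_Container_Name");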

Once you have your container, you can start defining your policy.

Create a new permission object and add a new policy to the SharedAccessPolicies collection. Determine your parameter values for SharedAccessStartTime, SharedAccessExpiryTime and Permissions and set the policy on the container to activate it.

SharedAccessStartTime = Start time of the token
SharedAccessExpiryTime = End time of the token
Permissions = Level of permission (read/write)

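// Define the stored access policy: valid from one minute ago until two minutes from now, read only.
var containerPermissions = new BlobContainerPermissions();
containerPermissions.SharedAccessPolicies.Add("twominutespolicy", new SharedAccessBlobPolicy {
    SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-1),
    SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(2),
    Permissions = SharedAccessBlobPermissions.Read
});
// Setting the permissions on the container activates the policy.
container.SetPermissions(containerPermissions);
// The empty policy object means all values come from the stored policy named here.
var sas = container.GetSharedAccessSignature(new SharedAccessBlobPolicy(), "twominutespolicy");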

You now have a policy in place, and the call to GetSharedAccessSignature returns a token that gives its holder a two-minute window to open or download the file.
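The token above is signed on the container, so it grants read access to every blob in it. The following is an added example, not code from the original article, that goes one step further with the same SDK: it keeps existing policies on the container, signs the token for a single blob, and revokes it early. The class name TemporaryAccess, its method names and the blobName parameter are assumptions made for illustration.

```csharp
using System;
using Microsoft.WindowsAzure.Storage.Blob;

// Hypothetical helper class (not part of the article or the SDK).
public static class TemporaryAccess
{
    // Same policy name as in the article.
    private const string PolicyName = "twominutespolicy";

    // Adds or refreshes the stored access policy without discarding other
    // policies already on the container, and keeps the container private.
    public static void EnsurePolicy(CloudBlobContainer container)
    {
        BlobContainerPermissions permissions = container.GetPermissions();
        permissions.PublicAccess = BlobContainerPublicAccessType.Off;
        permissions.SharedAccessPolicies[PolicyName] = new SharedAccessBlobPolicy
        {
            SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-1),
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(2),
            Permissions = SharedAccessBlobPermissions.Read
        };
        container.SetPermissions(permissions);
    }

    // Returns a URL that is valid for one blob only. A token signed on the
    // blob cannot be used to read the other blobs in the container.
    public static Uri GetBlobUrl(CloudBlobContainer container, string blobName)
    {
        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
        string sas = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy(), PolicyName);
        return new Uri(blob.Uri + sas); // the token already starts with '?'
    }

    // Removing the stored policy invalidates every token that references it,
    // even if the expiry time has not been reached yet.
    public static void Revoke(CloudBlobContainer container)
    {
        BlobContainerPermissions permissions = container.GetPermissions();
        if (permissions.SharedAccessPolicies.Remove(PolicyName))
        {
            container.SetPermissions(permissions);
        }
    }
}
```

Because the token references the stored policy by name, changing or removing the policy on the container is enough to shorten or end access for every link already handed out.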

Remember that it is never a good idea to make your blobs publicly available, certainly not if you are planning to use them in your applications. In 80% of the cases you will be dealing with sensitive information that only those with the proper permissions should see.

So if you do decide to expose blobs in an application, then always use private blobs in combination with Shared Access Signatures.