How to use Shared Access Signature to share private blob in Azure?

Microsoft Azure’s storage service allows developers to save any type of file. I recently published a post that explains how to upload any file to Azure Blob storage service. I’ll be using the same application used in the linked post to explain how to use Shared Access Signature to share private blob in Azure.

The application can be downloaded or forked from my GitHub repository.

Shared Access Signature

A shared access signature (SAS) provides delegated access to resources in your storage account. With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. This is the key point of using shared access signatures in your applications – a SAS is a secure way to share your storage resources without compromising your account keys (read more about SAS).

A SAS can also be created in the Azure portal, but in this post we will see how to create one from application code. A SAS can carry many restrictions (read, write, etc.) and is generated using the master key. If anyone modifies the signature and then tries to read or write a resource, Azure will reject that request. For this application, each time a user uploads a file, we need to create a unique SAS so that the user can view the uploaded image.


In my previous post that is linked above, the application allowed an anonymous user to upload an image file as a blob to Azure’s blob storage service. The container used to store the blob had its access type set to Blob. That is why the user was able to see the image: this protection level makes every blob in the container readable by any user.

Let’s create another container with the access type set to Private, which means that all the blobs inside this container are secured and a user can access them only through a generated SAS. I’ve created a new container named private-images with the Private access type.

If I just change the container name in the application used in the previous post, the upload action will work fine. However, the user will not be able to view the uploaded image, because the image blob is stored in a private container.

Generate SAS via code

A SAS token must be appended to the resource link when the browser requests the resource, which in our case is an image. So, the Uri logic needs to be like the following in the ImageStorageService class:

First, a SAS policy is created for the blob with read permission only, as the user just needs to view the uploaded resource. Possible permissions are none, read, write, delete, list, add and create. The policy also has a start and an expiry time. Once the blob’s reference is obtained, the SAS policy object is used to generate a SAS token for that blob. Notice that the Uri provided to the browser to request the resource carries the SAS token as its query string.
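The steps described above, written out as an added example; this is not the code from the author's ImageStorageService class. It assumes the legacy WindowsAzure.Storage SDK and the storage emulator's development account, and the class name, method name and blob name are hypothetical.

```csharp
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

public static class SasExample
{
    // Builds a read-only, short-lived SAS URI for one blob in a private container.
    public static string GetReadOnlySasUri(CloudBlobContainer container, string blobName, TimeSpan lifetime)
    {
        var policy = new SharedAccessBlobPolicy
        {
            // Read only: the user just needs to view the uploaded image.
            Permissions = SharedAccessBlobPermissions.Read,
            // Start slightly in the past to tolerate clock skew between client and service.
            SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
            // Keep the window short so a leaked link stops working quickly.
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.Add(lifetime)
        };

        // Getting a reference does not call the service; it only builds the blob's URI.
        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

        // The token is computed locally from the account key and starts with '?'.
        string sasToken = blob.GetSharedAccessSignature(policy);

        // The SAS token becomes the query string of the URI handed to the browser.
        return blob.Uri.AbsoluteUri + sasToken;
    }

    public static void Main()
    {
        // Assumption: storage emulator credentials, so no real account key is involved.
        CloudStorageAccount account = CloudStorageAccount.DevelopmentStorageAccount;
        CloudBlobContainer container = account.CreateCloudBlobClient()
                                              .GetContainerReference("private-images");

        // "example.png" is a constructed blob name used only for this illustration.
        Console.WriteLine(GetReadOnlySasUri(container, "example.png", TimeSpan.FromMinutes(15)));
    }
}
```

The token is scoped to the single blob it was generated for, so it grants nothing on other blobs in private-images.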

Use this link to access the source code of this application. I hope this post clearly explains how to use a Shared Access Signature to share a private blob in Azure. For any issues, please use my repository or comment here.

Siddharth Pandey
