C# Azure Function for generating SAS tokens
This is a sample HTTP trigger Azure Function that returns a SAS token for Azure Storage for the specified container, blob, and permissions. A SAS token gives client apps delegated access to particular storage account resources without handing them the storage account access key, which grants full control of the account.
Deploy to Azure
The automated deployment provisions an Azure Storage account and an Azure Function in a Dynamic compute plan and sets up deployment from source control.
The deployment template has a parameter manualIntegration which controls whether or not a deployment trigger is registered with GitHub. Use true if you are deploying from the main Azure-Samples repo (does not register a hook), false otherwise (registers a hook). Since a value of false registers the deployment hook with GitHub, deployment will fail if you don't have write permissions to the repo.
How it works
When you create a storage account, you get two storage access keys, which provide full control over the storage account contents. Since these keys are admin credentials, they should never be distributed with a client app.
Instead, clients should use a shared access signature (SAS) for delegated access to storage resources. A SAS token, which is appended to a storage resource URI, provides access to only a particular resource for a limited period of time. A SAS token can be scoped to a blob or a container and specifies access permissions (such as read or write).
A SAS token is usually generated server-side, using the account access key and the Azure Storage SDK. This sample shows how to use an Azure Function as a SAS token service: web and mobile clients call this function to request access to a particular container or blob, and only the function ever sees the account key. By default, the sample creates a token that expires after an hour, but this can be customized. Because the token is signed with the account key, it stays valid until it expires even if the function is later disabled; keep lifetimes short, and if an issued token must be revoked, rotate the account key.
Calling the function
To request a SAS token, send an HTTP POST to your function URI, including the function key if the function's authorization level requires one (the code query parameter or the x-functions-key request header). The request body is a JSON object with these properties:
container - required. Name of the container in the storage account.
blobName - optional. Scopes the token to a single blob; omit it to get a container-scoped token.
permissions - optional. Default value is read permissions. The format matches the enum values of SharedAccessBlobPermissions. Possible values are "Read", "Write", "Delete", "List", "Add", "Create". Comma-separate multiple permissions, such as "Read, Write, Create".
The function responds with a JSON object with these properties:
token - the SAS token, including a leading "?".
uri - the resource URI with the token appended as the query string.
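The following is an added example, not the sample's own code, showing how the "How it works" section and the request/response contract above fit together in a single HTTP trigger. It assumes the Azure Functions v1 C# runtime (HttpRequestMessage/TraceWriter signature) and the legacy Microsoft.WindowsAzure.Storage SDK, which is where SharedAccessBlobPermissions is defined, and it assumes the storage connection string is available in the app setting AzureWebJobsStorage. The class and property names are my own; only the request and response field names come from the page.

```csharp
// Added example, not the sample's own code. Assumed: Azure Functions v1 C# runtime,
// legacy Microsoft.WindowsAzure.Storage SDK, connection string in "AzureWebJobsStorage".
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

// Request body exactly as documented on the page (class name is assumed).
public class SasRequest
{
    public string container { get; set; }
    public string blobName { get; set; }
    public string permissions { get; set; }
}

public static class SasTokenFunction
{
    // Page default: tokens expire after one hour.
    static readonly TimeSpan Lifetime = TimeSpan.FromHours(1);

    public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
    {
        SasRequest body = await req.Content.ReadAsAsync<SasRequest>();
        if (body == null || string.IsNullOrWhiteSpace(body.container))
            return req.CreateResponse(HttpStatusCode.BadRequest, "container is required");

        // Default to read-only. Enum.TryParse understands the documented comma-separated
        // flag names, but it also accepts raw numbers ("63" would mean every flag, set or
        // not), so only letters, commas and whitespace are allowed before parsing.
        var perms = SharedAccessBlobPermissions.Read;
        if (!string.IsNullOrWhiteSpace(body.permissions))
        {
            bool namesOnly = body.permissions.All(c => char.IsLetter(c) || c == ',' || char.IsWhiteSpace(c));
            if (!namesOnly || !Enum.TryParse(body.permissions, true, out perms))
                return req.CreateResponse(HttpStatusCode.BadRequest, "unrecognised permissions");
        }

        // The account key never leaves the function; it is read from app settings here.
        string connection = Environment.GetEnvironmentVariable("AzureWebJobsStorage");
        CloudStorageAccount account = CloudStorageAccount.Parse(connection);
        CloudBlobContainer container =
            account.CreateCloudBlobClient().GetContainerReference(body.container);

        var policy = new SharedAccessBlobPolicy
        {
            Permissions = perms,
            // Start a few minutes in the past so clock skew between the client and the
            // storage service cannot make a freshly issued token look not-yet-valid.
            SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.Add(Lifetime),
        };

        string token;
        Uri resource;
        if (string.IsNullOrWhiteSpace(body.blobName))
        {
            // Container-scoped SAS: valid for every blob in the container.
            token = container.GetSharedAccessSignature(policy);
            resource = container.Uri;
        }
        else
        {
            // Blob-scoped SAS: the narrowest grant, preferred when the client needs one object.
            CloudBlockBlob blob = container.GetBlockBlobReference(body.blobName);
            token = blob.GetSharedAccessSignature(policy);
            resource = blob.Uri;
        }

        log.Info($"Issued {perms} SAS for {resource} expiring {policy.SharedAccessExpiryTime}");

        // GetSharedAccessSignature returns the query string with its leading "?", which is
        // the documented "token" shape; "uri" is the resource URI with the token appended.
        return req.CreateResponse(HttpStatusCode.OK, new
        {
            token = token,
            uri = resource.AbsoluteUri + token
        });
    }
}
```

A client can use the returned uri directly, for example by constructing a CloudBlockBlob from it, without ever holding the account key, and any operation outside the granted permissions or after the expiry time is refused by the storage service. Note that the function key only gates who may call the function; if different callers should be limited to different containers or blobs, that authorization decision has to be made inside the function before the token is signed, since nothing in the SAS itself ties it to the caller.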