SAS tokens are a common option when you need to provide temporary access to a particular blob, container, or an entire Azure Storage account.

The documentation around SAS tokens is quite extensive, but I have recently found it difficult to find instructions on how to create one that references a policy.

I started with a quick browse through the available documentation, and the clearest document I could find was the one describing the PowerShell cmdlet that generates a SAS token referencing a policy. Find it here ->

The cmdlet referenced is part of the older Azure.Storage module, but you can also use the newer “Az” version.

Running the cmdlet brought back a SAS token referencing the Azure Storage policy by name.

I used Fiddler to look at what happens behind the scenes, and this reminded me that the actual token is just an encoded version of the target URL. It can be generated locally and is validated at the point of use, not at the point of creation.

In other words: there isn’t actually an API to generate a SAS token. You just generate it locally, feeding in the parameters needed to make it valid.

This is shown here and here.

PowerShell still makes a REST call when generating a token with a policy, though. As the Fiddler screenshot below shows, however, this call only fetches the policy details before the SAS token is constructed locally.

When using a policy-dependent token, we have the benefit of simply deleting the policy to invalidate all tokens that reference it. Because we reference policies by their name, re-creating the exact same policy with the exact same name would revalidate the tokens. The expiry dates can be different, as these are validated at the time the token is used (as described earlier).
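To make the two points above concrete (the token is minted locally with the account key, and a policy-based token is only checked against the policy when it is used), here is an added Python model of both sides. It is not the post's code or any Azure SDK; it assumes the service-SAS string-to-sign layout of API version 2015-04-05 as I recall it, uses a constructed account key and in-memory policy table, and deliberately models only the signature and expiry checks, not every validation the real service performs.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2015-04-05"  # assumed: string_to_sign() follows this API version's layout

def string_to_sign(account, container, blob, policy_name, version=SAS_VERSION):
    # With a stored access policy the permissions/start/expiry fields are left blank
    # in the signed string; the service takes them from the policy at the time of use.
    canonical = f"/blob/{account}/{container}/{blob}"
    return "\n".join(["", "", "", canonical, policy_name, "", "", version, "", "", "", "", ""])

def sign(account_key_b64, sts):
    key = base64.b64decode(account_key_b64)
    return base64.b64encode(hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()).decode()

def make_policy_sas(account, account_key_b64, container, blob, policy_name):
    # Minted entirely locally: nothing is sent to the service to create the token.
    sig = sign(account_key_b64, string_to_sign(account, container, blob, policy_name))
    return urlencode({"sv": SAS_VERSION, "si": policy_name, "sr": "b", "sig": sig})

def validate(account, account_key_b64, container, blob, token, policies, now):
    # Model of the check done at the point of use: recompute the signature with the
    # account key, then resolve the policy by name and apply its current expiry.
    p = {k: v[0] for k, v in parse_qs(token).items()}
    expected = sign(account_key_b64, string_to_sign(account, container, blob, p["si"], p["sv"]))
    if not hmac.compare_digest(expected, p["sig"]):
        return "bad signature"
    policy = policies.get(p["si"])
    if policy is None:
        return "policy not found"      # deleting the policy kills every token naming it
    if now > policy["expiry"]:
        return "expired"               # expiry comes from the policy, not the token
    return "ok"

def demo():
    key = base64.b64encode(b"constructed demo key, not a real account key").decode()
    args = ("demoaccount", key, "reports", "q1.csv")
    token = make_policy_sas(*args, "readonly")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policies = {"readonly": {"permission": "r", "expiry": t0 + timedelta(days=1)}}
    results = [validate(*args, token, policies, t0)]
    del policies["readonly"]                        # revoke by deleting the policy
    results.append(validate(*args, token, policies, t0))
    policies["readonly"] = {"permission": "r", "expiry": t0 + timedelta(days=30)}  # same name, new expiry
    results.append(validate(*args, token, policies, t0 + timedelta(days=2)))
    results.append(validate(*args, token, policies, t0 + timedelta(days=31)))
    results.append(validate(*args, token.replace("si=readonly", "si=admin"), policies, t0))
    return results  # ['ok', 'policy not found', 'ok', 'expired', 'bad signature']
```

The last case shows why the policy name is part of the signed string: pointing an existing token at a different policy breaks the signature, so revocation and re-creation only ever apply to the name the token was minted for.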

This shows the REST call that PowerShell makes when generating a policy-based SAS token: it retrieves an XML-encoded version of the referenced Azure Storage policy.