Retrieving List of All SAS Tokens for an Azure Storage Account

Hi amir.dadon - Thanks for reaching out.

Storage doesn't track the number of shared access signatures that have been generated for a storage account, and no API can provide this detail. If you need to know the number of shared access signatures that have been generated for a storage account, you must track the number manually.

This is also documented in the below link as well.

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json

Hope that helps!

Let me know if there are any queries/concerns, will be glad to assist.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Hello amir.dadon,

Greetings! Welcome to Microsoft Q&A Platform.

As mentioned above. Unfortunately, there isn’t a direct method to retrieve a list of all SAS tokens created for a storage account using the Azure REST API. SAS tokens are typically generated on-demand and are not stored or tracked by Azure in a way that allows for listing them after creation.

However, you can manage and monitor SAS tokens by implementing logging and monitoring within your application. This involves:

Logging SAS Token Creation: Whenever a SAS token is created, log the details such as creation date, expiration, and permissions.

Monitoring Access: Use Azure Storage Analytics to monitor and log access to your storage account resources. This can help you track the usage of SAS tokens.

If you need to list SAS tokens for specific operations, you can use the following REST API endpoints:

List Account SAS: This endpoint allows you to list SAS credentials for a storage account, but it requires you to specify the parameters for the SAS token you want to generate.

List Service SAS: Similar to the List Account SAS, this endpoint allows you to list SAS credentials for a specific service within the storage account.

refer - https://learn.microsoft.com/en-us/rest/api/storagerp/storage-accounts/list-account-sas?view=rest-storagerp-2023-05-01&tabs=HTTP

Any user that has privileges to generate a SAS token, either by using the account key, or via an Azure role assignment, can do so without the knowledge of the owner of the storage account. Be careful to restrict permissions that allow users to generate SAS tokens. To prevent users from generating a SAS that is signed with the account key for blob and queue workloads, you can disallow Shared Key access to the storage account. For more information, see Prevent authorization with Shared Key.

ref: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#how-a-shared-access-signature-works

If you're concerned about a compromised SAS or have other concerns - check the Best Practice guidance : https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#best-practices-when-using-sas

Hope this information helps! please let us know if you have any further queries. I’m happy to assist you further.

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.