Share via

Cannot access the files by SAS-URL

Grace Dong (CSI INTERFUSION INC) 20 Reputation points Microsoft External Staff
2026-03-23T03:18:51.5466667+00:00

I want to use the Document Translation REST API (https://learn.microsoft.com/en-us/azure/ai-services/translator/document-translation/how-to-guides/use-rest-api-programmatically?tabs=csharp) to batch translator files in my blob Storage, but always get the following error:

"Cannot access source document location with the current permissions."

I get SAS URL from:

Could you please help take a look?.

Removed PII

Azure Blob Storage
Azure Blob Storage

An Azure service that stores unstructured data in the cloud as blobs.

Answer accepted by question author
  1. Ravi Varma Mudduluru 9,200 Reputation points Microsoft External Staff Moderator
    2026-03-23T07:18:42.3366667+00:00

    Hello @Grace Dong,

    Thanks for reaching out to Microsoft Q&A.

    I understand that you are facing the issue with Document Translation service isn’t able to enumerate or read your blobs with the SAS token you generated.

    As we discussed, you are using the user delegation type and experiencing an error in the portal. If you have trouble with the portal, you can use the code below to generate a SAS token and access content from Azure Blob Storage:

    using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;
using System;
class Program
{
    public static void Main(string[] args)
    {
        var containerName = "your container name";
        var storageAccountName = "your storage account";
        var blobName = "scenery.jpg";
        var url = $"https://{storageAccountName}.blob.core.windows.net";
        // Initialize BlobServiceClient using DefaultAzureCredential
        var blobServiceClient = new BlobServiceClient(new Uri(url), new DefaultAzureCredential());
        BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
        // Get User Delegation Key
        var userDelegationKey = blobServiceClient.GetUserDelegationKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        var sasBuilder = new BlobSasBuilder()
        {
            BlobContainerName = containerName,
            BlobName = blobName, 
            Resource = "b", 
            StartsOn = DateTimeOffset.UtcNow,
            ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
        };
        sasBuilder.SetPermissions(BlobSasPermissions.Read | BlobSasPermissions.Write);
        // Construct the Blob URI with SAS token
        var blobUriBuilder = new BlobUriBuilder(containerClient.Uri)
        {
            BlobName = blobName, 
            Sas = sasBuilder.ToSasQueryParameters(userDelegationKey, blobServiceClient.AccountName)
        };
        var blobUriWithSas = blobUriBuilder.ToUri();
        Console.WriteLine(blobUriWithSas);
    }
}

    Using the code provided above will create a user delegation token, giving you the necessary permission to access the storage account.

    Reference Document:
    https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet?tabs=packages-dotnetcli%2Ccontainer

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-23T03:19:12.19+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    For Document Translation, the SAS on the storage containers must match the exact permissions and scope expected by the service. The error “Cannot access source document location with the current permissions” usually means the SAS for the source or target URL is missing required permissions, is scoped incorrectly, or is blocked by networking.

    Validate the following points for the SAS URLs used in the POST body:

    1. Correct container/blob permissions
      • Source container or blob SAS must include Read and List permissions.
      • Target container or blob SAS must include Write and List permissions.
      • If using a glossary blob, its SAS must include Read and List permissions.
      • When generating the SAS in the portal, explicitly select these permissions before clicking Generate SAS token and URL.
    2. Correct scope (container vs. blob)
      • When translating multiple files, generate the SAS at the container level and use the container SAS URL as sourceUrl/targetUrl.
      • When translating a single file with "storageType": "File", generate the SAS for the specific blob and use that blob SAS URL as sourceUrl. For the target, ensure the target filename is part of the targetUrl, while the SAS itself can still be for the container.
    3. SAS token included in the URL
      • sourceUrl, targetUrl, and optional glossaryUrl must be full SAS URLs (container or blob URL plus the ?sv=...&sig=... query string). If the query string is missing or truncated, the service cannot access the files.
    4. Storage account networking and IP restrictions
      • If the storage account has firewall or IP restrictions, ensure the Translator service can reach it. A common cause of intermittent “cannot access” errors is that the client or service IP is not allowed. Verify that the allowed IP ranges on the storage account include the traffic path or temporarily allow all networks for testing.
    5. Request body structure
      • For container-based batch translation, the request body should look like the documented sample, for example: 
             {
       "inputs": [
         {
           "source": {
             "sourceUrl": "{your-source-container-SAS-URL}"
           },
           "targets": [
             {
               "targetUrl": "{your-target-container-SAS-URL}",
               "language": "fr"
             }
           ]
         }
       ]
     }
      • Ensure the SAS URLs used here are exactly those generated from the storage portal with the correct permissions.
    6. Consider managed identity instead of SAS
      • As an alternative, configure a system-assigned managed identity for the Translator resource and grant it access to the storage account using Azure RBAC. In this mode, use plain storage URLs (no SAS) in sourceUrl/targetUrl, and ensure the identity has the necessary roles on the storage containers.

    After adjusting the SAS permissions and scope as above, regenerate the SAS URLs and update them in the Document Translation request. This should resolve the “Cannot access source document location with the current permissions” error.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.