Storage Accounts - List Service SAS

Service:: Storage Resource Provider

API Version:: 2025-06-01

List service SAS credentials of a specific resource.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/ListServiceSas?api-version=2025-06-01

URI Parameters

Name	In	Required	Type	Description
accountName	path	True	string minLength: 3 maxLength: 24 pattern: ^[a-z0-9]+$	The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.
resourceGroupName	path	True	string minLength: 1 maxLength: 90 pattern: ^[-\w\._\(\)]+$	The name of the resource group within the user's subscription. The name is case insensitive.
subscriptionId	path	True	string minLength: 1	The ID of the target subscription.
api-version	query	True	string minLength: 1	The API version to use for this operation.

Request Body

Name	Required	Type	Description
canonicalizedResource	True	string	The canonical path to the signed resource.
endPk		string	The end of partition key.
endRk		string	The end of row key.
keyToSign		string	The key to sign the account SAS token with.
rscc		string	The response header override for cache control.
rscd		string	The response header override for content disposition.
rsce		string	The response header override for content encoding.
rscl		string	The response header override for content language.
rsct		string	The response header override for content type.
signedExpiry		string (date-time)	The time at which the shared access signature becomes invalid.
signedIdentifier		string maxLength: 64	A unique value up to 64 characters in length that correlates to an access policy specified for the container, queue, or table.
signedIp		string	An IP address or a range of IP addresses from which to accept requests.
signedPermission		Permissions	The signed permissions for the service SAS. Possible values include: Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p).
signedProtocol		HttpProtocol	The protocol permitted for a request made with the account SAS.
signedResource		signedResource	The signed services accessible with the service SAS. Possible values include: Blob (b), Container (c), File (f), Share (s).
signedStart		string (date-time)	The time at which the SAS becomes valid.
startPk		string	The start of partition key.
startRk		string	The start of row key.

Responses

Name	Type	Description
200 OK	ListServiceSasResponse	OK -- returned the service SAS created for the storage service requested.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

StorageAccountListServiceSAS

Sample request

POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/res7439/providers/Microsoft.Storage/storageAccounts/sto1299/ListServiceSas?api-version=2025-06-01

{
  "canonicalizedResource": "/blob/sto1299/music",
  "signedResource": "c",
  "signedPermission": "l",
  "signedExpiry": "2017-05-24T11:32:48.8457197Z"
}


import com.azure.resourcemanager.storage.models.Permissions;
import com.azure.resourcemanager.storage.models.ServiceSasParameters;
import com.azure.resourcemanager.storage.models.SignedResource;
import java.time.OffsetDateTime;

/**
 * Samples for StorageAccounts ListServiceSas.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/storage/resource-manager/Microsoft.Storage/stable/2025-06-01/examples/StorageAccountListServiceSAS.
     * json
     */
    /**
     * Sample code: StorageAccountListServiceSAS.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void storageAccountListServiceSAS(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.storageAccounts().manager().serviceClient().getStorageAccounts().listServiceSasWithResponse("res7439",
            "sto1299",
            new ServiceSasParameters().withCanonicalizedResource("/blob/sto1299/music").withResource(SignedResource.C)
                .withPermissions(Permissions.L).withSharedAccessExpiryTime(
                    OffsetDateTime.parse("2017-05-24T11:32:48.8457197Z")),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.storage import StorageManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-storage
# USAGE
    python storage_account_list_service_sas.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = StorageManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="{subscription-id}",
    )

    response = client.storage_accounts.list_service_sas(
        resource_group_name="res7439",
        account_name="sto1299",
        parameters={
            "canonicalizedResource": "/blob/sto1299/music",
            "signedExpiry": "2017-05-24T11:32:48.8457197Z",
            "signedPermission": "l",
            "signedResource": "c",
        },
    )
    print(response)


# x-ms-original-file: specification/storage/resource-manager/Microsoft.Storage/stable/2025-06-01/examples/StorageAccountListServiceSAS.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armstorage_test

import (
	"context"
	"log"

	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v3"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/4e9df3afd38a1cfa00a5d49419dce51bd014601f/specification/storage/resource-manager/Microsoft.Storage/stable/2025-06-01/examples/StorageAccountListServiceSAS.json
func ExampleAccountsClient_ListServiceSAS() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armstorage.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAccountsClient().ListServiceSAS(ctx, "res7439", "sto1299", armstorage.ServiceSasParameters{
		CanonicalizedResource:  to.Ptr("/blob/sto1299/music"),
		SharedAccessExpiryTime: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2017-05-24T11:32:48.845Z"); return t }()),
		Permissions:            to.Ptr(armstorage.PermissionsL),
		Resource:               to.Ptr(armstorage.SignedResourceC),
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.ListServiceSasResponse = armstorage.ListServiceSasResponse{
	// 	ServiceSasToken: to.Ptr("sv=2015-04-05&sr=c&se=2017-05-24T11%3A32%3A48Z&sp=l&sig=PoF8yBUGixsjzwroLmw7vG3VbGz4KB2woZC2D4C2oio%3D"),
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { StorageManagementClient } = require("@azure/arm-storage");
const { DefaultAzureCredential } = require("@azure/identity");
require("dotenv/config");

/**
 * This sample demonstrates how to List service SAS credentials of a specific resource.
 *
 * @summary List service SAS credentials of a specific resource.
 * x-ms-original-file: specification/storage/resource-manager/Microsoft.Storage/stable/2025-06-01/examples/StorageAccountListServiceSAS.json
 */
async function storageAccountListServiceSas() {
  const subscriptionId = process.env["STORAGE_SUBSCRIPTION_ID"] || "{subscription-id}";
  const resourceGroupName = process.env["STORAGE_RESOURCE_GROUP"] || "res7439";
  const accountName = "sto1299";
  const parameters = {
    canonicalizedResource: "/blob/sto1299/music",
    sharedAccessExpiryTime: new Date("2017-05-24T11:32:48.8457197Z"),
    permissions: "l",
    resource: "c",
  };
  const credential = new DefaultAzureCredential();
  const client = new StorageManagementClient(credential, subscriptionId);
  const result = await client.storageAccounts.listServiceSAS(
    resourceGroupName,
    accountName,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Models;
using Azure.ResourceManager.Storage.Models;
using Azure.ResourceManager.Storage;

// Generated from example definition: specification/storage/resource-manager/Microsoft.Storage/stable/2025-06-01/examples/StorageAccountListServiceSAS.json
// this example is just showing the usage of "StorageAccounts_ListServiceSas" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this StorageAccountResource created on azure
// for more information of creating StorageAccountResource, please refer to the document of StorageAccountResource
string subscriptionId = "{subscription-id}";
string resourceGroupName = "res7439";
string accountName = "sto1299";
ResourceIdentifier storageAccountResourceId = StorageAccountResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, accountName);
StorageAccountResource storageAccount = client.GetStorageAccountResource(storageAccountResourceId);

// invoke the operation
ServiceSasContent content = new ServiceSasContent("/blob/sto1299/music")
{
    Resource = ServiceSasSignedResourceType.Container,
    Permissions = StorageAccountSasPermission.L,
    SharedAccessExpiryOn = DateTimeOffset.Parse("2017-05-24T11:32:48.8457197Z"),
};
GetServiceSasResult result = await storageAccount.GetServiceSasAsync(content);

Console.WriteLine($"Succeeded: {result}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "serviceSasToken": "sv=2015-04-05&sr=c&se=2017-05-24T11%3A32%3A48Z&sp=l&sig=PoF8yBUGixsjzwroLmw7vG3VbGz4KB2woZC2D4C2oio%3D"
}

Definitions

Name	Description
HttpProtocol	The protocol permitted for a request made with the account SAS.
ListServiceSasResponse	The List service SAS credentials operation response.
Permissions	The signed permissions for the account SAS. Possible values include: Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p).
ServiceSasParameters	The parameters to list service SAS credentials of a specific resource.
signedResource	The signed services accessible with the service SAS. Possible values include: Blob (b), Container (c), File (f), Share (s).

HttpProtocol

Enumeration

The protocol permitted for a request made with the account SAS.

Value	Description
https,http
https

ListServiceSasResponse

Object

The List service SAS credentials operation response.

Name	Type	Description
serviceSasToken	string	List service SAS credentials of specific resource.

Permissions

Enumeration

The signed permissions for the account SAS. Possible values include: Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p).

Value	Description
r
d
w
l
a
c
u
p

ServiceSasParameters

Object

The parameters to list service SAS credentials of a specific resource.

Name	Type	Description
canonicalizedResource	string	The canonical path to the signed resource.
endPk	string	The end of partition key.
endRk	string	The end of row key.
keyToSign	string	The key to sign the account SAS token with.
rscc	string	The response header override for cache control.
rscd	string	The response header override for content disposition.
rsce	string	The response header override for content encoding.
rscl	string	The response header override for content language.
rsct	string	The response header override for content type.
signedExpiry	string (date-time)	The time at which the shared access signature becomes invalid.
signedIdentifier	string maxLength: 64	A unique value up to 64 characters in length that correlates to an access policy specified for the container, queue, or table.
signedIp	string	An IP address or a range of IP addresses from which to accept requests.
signedPermission	Permissions	The signed permissions for the service SAS. Possible values include: Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p).
signedProtocol	HttpProtocol	The protocol permitted for a request made with the account SAS.
signedResource	signedResource	The signed services accessible with the service SAS. Possible values include: Blob (b), Container (c), File (f), Share (s).
signedStart	string (date-time)	The time at which the SAS becomes valid.
startPk	string	The start of partition key.
startRk	string	The start of row key.

signedResource

Enumeration

The signed services accessible with the service SAS. Possible values include: Blob (b), Container (c), File (f), Share (s).

Value	Description
b
c
f
s