Azure Blob Storage
admin@umeshpandit.com Post in azure,Azure guide,microsoft azure

How I Upload Files Securely to Azure Blob Storage Using SAS Tokens

In many of my projects, I’ve needed a way to let users upload files securely to Azure without giving them full access. The good news is, you can set this up easily using the tools already built into Azure. With a few configuration steps and a simple interface, you can share limited upload access without writing or deploying anything extra.

In this article, I’ll walk you through how I upload files to Azure Blob Storage using SAS tokens. The entire process happens through the Azure Portal and a desktop tool.

Understand the Basics First

Before setting things up, it helps to know what SAS tokens are. They allow you to grant temporary access to your storage just for specific tasks like uploading files. This way, you don’t need to share your main access keys or open the container to the public.

If you’re unfamiliar with this concept, take a moment to review the basics of SAS tokens. That article explains the different types and how they work.

Set Up Azure Storage and Container

To begin, you’ll need a secure place in Azure where files can be uploaded. Here’s how I usually set it up:

  1. Go to the Azure Portal
     Log in to portal.azure.com using your Microsoft account. If you don’t have one, you can create it for free.
  2. Create a Storage Account
     In the left-hand menu, search for Storage accounts and click Create.
storage-accounts
  • Choose your Subscription and Resource Group
  • Enter a unique name for your storage account
  • For Performance, choose Standard
  • For Redundancy, select Locally-redundant storage (LRS) unless you need geographic backup
create-a-storage-account
  • Make sure the Account kind is set to StorageV2 (general-purpose v2) — this supports all modern features, including SAS tokens
    Click Review + Create, then click Create again.
  1. Create a Blob Container
     Once the storage account is ready, go to it and click on Containers in the left menu.
    Click +Add Containers at the top.
azure-container
  • Enter a name for your container and hit the Create button.
new container
  • For Public access level, choose Private (no anonymous access)


This ensures only authorized users with valid SAS tokens can access or upload files.

  1. Confirm Your Settings
     After creating the container, it should appear in the list. Click on it to make sure it’s empty and correctly set to private.

By keeping the container private, you prevent any outside user from viewing or uploading files unless they are specifically granted access using a SAS token. This is the foundation of secure uploads in Azure.

Generate a SAS Token Using the Azure Portal

To allow uploads, you’ll create a special URL with limited access:

  1. In your Storage Account, open the Shared Access Signature tab
shared-access-signature
  1. Under Allowed services, select Blob
allow-blog-services
  1. Choose permissions: Write and Create
  2. Set an expiry time, such as 15 or 30 minutes
set-date-and-time
  1. Click Generate SAS and connection string
  2. Copy the Blob service SAS URL
copy-storage-links

This URL can be shared to allow uploads without exposing other files.

Upload Files Using Azure Storage Explorer

Use Azure Storage Explorer, a free tool from Microsoft, to upload your files:

  1. Install and open Azure Storage Explorer
  2. Click Add Account
  3. Select Use a shared access signature (SAS) URI
  1. Paste your SAS URL
  2. Find your blob container in the left sidebar
  3. Right-click the container and choose Upload Files
  4. Select your file and click Upload

The file will be added to your Azure container securely and directly.

Review and Verify the Upload

In the Azure Portal, go to your blob container. You should see your uploaded file listed. Click to verify its size, name, and upload time.

If you don’t see it:

  • Check if the SAS token has expired
  • Make sure the file was uploaded to the correct container
  • Confirm that Write and Create permissions were included

Secure Best Practices I Follow

To keep storage secure, I always follow a few simple rules:

  • Set short expiry times, usually 15 to 30 minutes
  • Only include necessary permissions
  • Use HTTPS for all access and uploads
  • Rotate storage keys periodically if using Account SAS

Monitoring upload activity also helps spot any unusual behavior early.

Advance Tip: Automate for Reuse

If you plan to do this often, consider creating reusable shortcuts:

  • Save preset SAS URLs for different containers
  • Use separate SAS tokens for different teams
  • Save connections in Storage Explorer for easy future uploads

These steps reduce setup time and make access easier to manage.

Final Thoughts

This approach works well whenever I need secure, limited access to allow uploads without giving full control over my storage. With just a few clicks in the Azure Portal and Storage Explorer, everything stays under control.

Once you follow this process a few times, it becomes part of your workflow. If you’re looking for more background, the guide on SAS tokens is a helpful place to start before exploring more advanced features.

Post Views: 245

Leave a Reply

Your email address will not be published. Required fields are marked *