In the previous post I have described Shared Access Signature mechanism. In this post am going to talk about Stored Access Policies and how it should be used with SAS.


Refer to previous posts to get started with Azure Storage Queue Service.


A stored access policy is defined on a resource container - a blob container, table, queue, or file share - and can be used to manage constraints for one or more shared access signatures. When you associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy. In this post I will focus on queues.

Each and every queue has a set of permissions. This set of permissions has a list of SharedAccessPolicies that can be modified.

Consider the following example:

var queue1 = queueClient.GetQueueReference("test");

var permissions = new QueuePermissions();
permissions.SharedAccessPolicies.Add("sas-test-policy", new SharedAccessQueuePolicy
    SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-15),
    SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(15),
    Permissions = SharedAccessQueuePermissions.ProcessMessages

var sasToken = queue1.GetSharedAccessSignature(new SharedAccessQueuePolicy(), "sas-test-policy");

var queue2 = new Microsoft.WindowsAzure.Storage.Queue.CloudQueue(queue1.Uri, new StorageCredentials(sasToken));

queue1.AddMessage(new CloudQueueMessage("sas-test-1"));
var message1 = queue2.GetMessage();

permissions = queue1.GetPermissions();
permissions.SharedAccessPolicies["sas-test-policy"].Permissions =
    SharedAccessQueuePermissions.ProcessMessages | SharedAccessQueuePermissions.Add;

queue2.AddMessage(new CloudQueueMessage("sas-test-2")); // Now it is possible to added messages from second queue
var message2 = queue1.GetMessage();

permissions = queue1.GetPermissions();

queue1.AddMessage(new CloudQueueMessage("sas-test-3"));
var message3 = queue2.GetMessage();

This code uses two instances of CloudQueue to showcase how a stored access policy can be added, modified and removed. At first I created the shared access policy called sas-test-policy with SharedAccessQueuePermissions.ProcessMessages permissions. First queue object adds the message and second queue object gets the message from the queue. After that I modified the policy to also allow SharedAccessQueuePermissions.Add, now second queue object has permission to add messages to queue. After that I completely remove sas-test-policy so the second queue object fails to GetMessage with (403) Forbidden exception.

Note that when a shared access signature is associated with a container-level access policy then individual features of the SharedAccessPolicy can only appear either in the container-level access policy or the GetSharedAccessSignature() request. Microsoft suggests a best practice for shared access signatures is to always associate them with a container-level access policy precisely so they can be revoked if necessary.


In this post I have described Stored Access Policies and provided basic code samples. Stored Access Policies is a great way to manage Shared Access Signatures. They are easy to create and manager, but still very powerful, I hope Microsoft will implement them for account-level SAS. In the next post I am going to describe the azure queue storage metadata.