Agile Snowball


How to use Azure Storage Queues and Shared Access Signatures via the REST API

By Richard Thombs on 2/27/2015

Azure's Shared Access Signatures make it easy to give limited access to a Storage Queue to a third party without having to share your account keys.

First, here is some simple C# code that creates an Azure Storage Queue and creates a Shared Access Signature with Read and ProcessMessages permissions.

using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Queue;

string queueName = "myqueue";
string storageAccount = "UseDevelopmentStorage=true";

// Create the storage queue
var account = CloudStorageAccount.Parse(storageAccount);
var client = account.CreateCloudQueueClient();
var queue = client.GetQueueReference(queueName);
queue.CreateIfNotExists();

// Define an access policy: Read and ProcessMessages, valid for one day
var policy = new SharedAccessQueuePolicy
{
  Permissions = SharedAccessQueuePermissions.ProcessMessages |
                SharedAccessQueuePermissions.Read,
  SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddDays(1)
};

// Get a shared access signature for the queue that enforces the policy
var sas = queue.GetSharedAccessSignature(policy);


The resulting Shared Access Signature is actually a URL Query String fragment:


We can incorporate this signature into requests that we make via the Azure REST API which manipulate the queue. For example, to peek at the next message in the queue:

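# <queue-uri> is a placeholder for the queue's host and path (see StorageUri below)
curl "<queue-uri>/messages\
?sv=2014-02-14\
&sig=8CtFprtQUJyGZls%2FiqHiEyp2390IdXZc3zC7QSb7bDU%3D\
&se=2015-02-28T09%3A39%3A13Z\
&sp=rp\
&peekonly=true"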

That's a big URL, but most of it is the address of the Azure server, the path to the queue and the Shared Access Signature itself.

In order to find the host and path required to connect to the queue, you can use the CloudQueue's StorageUri property:

var queueUri = queue.StorageUri.PrimaryUri;

On a development machine, this will return something like:

This is then composed along with whatever additional URL and Query String fragments the Azure REST API specifies, so for the example above, that was /messages in the URL and &peekonly=true for the Query String.
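
The composition described above, as an added example that is not code from the original post: it checks that a SAS carries only the expected permission letters and has not expired, then builds the peek URL. The class and method names are hypothetical, and the queue URI is an assumed storage-emulator address, not a value from this page.

```csharp
using System;
using System.Globalization;
using System.Linq;

static class QueueSasUrl
{
    // Compose <queue URI> + path + "?" + SAS + "&" + extra query parameters.
    public static Uri Compose(Uri queueUri, string sas, string path, string extraQuery)
    {
        string url = queueUri.AbsoluteUri.TrimEnd('/') + path + "?" + sas.TrimStart('?');
        if (!string.IsNullOrEmpty(extraQuery)) url += "&" + extraQuery;
        return new Uri(url);
    }

    // Reject a token that is expired or carries permission letters outside
    // 'allowed' (queue SAS letters: r = read, a = add, u = update, p = process).
    public static void Check(string sas, string allowed, DateTimeOffset now)
    {
        var fields = sas.TrimStart('?').Split('&')
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .ToDictionary(kv => kv[0], kv => Uri.UnescapeDataString(kv[1]));

        string extra = new string(fields["sp"].Where(c => allowed.IndexOf(c) < 0).ToArray());
        if (extra.Length > 0)
            throw new InvalidOperationException("SAS grants unexpected permissions: " + extra);

        var expiry = DateTimeOffset.Parse(fields["se"], CultureInfo.InvariantCulture,
                                          DateTimeStyles.AssumeUniversal);
        if (expiry <= now)
            throw new InvalidOperationException("SAS expired at " + expiry.ToString("u"));
    }

    static void Main()
    {
        // SAS values as shown in the curl example; the queue URI is an assumed
        // storage-emulator address, not taken from the page.
        var queueUri = new Uri("http://127.0.0.1:10001/devstoreaccount1/myqueue");
        string sas = "?sv=2014-02-14&sig=8CtFprtQUJyGZls%2FiqHiEyp2390IdXZc3zC7QSb7bDU%3D"
                   + "&se=2015-02-28T09%3A39%3A13Z&sp=rp";

        // Constructed clock value inside the token's one-day lifetime.
        var now = new DateTimeOffset(2015, 2, 27, 12, 0, 0, TimeSpan.Zero);
        Check(sas, "rp", now);
        Console.WriteLine(Compose(queueUri, sas, "/messages", "peekonly=true"));
    }
}
```

Running `Check` before handing a token to a third party catches a policy that accidentally includes Add or Update, or an expiry that has already passed.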