How to get logs of SAS token RRS feed

  • Question

  • Hi All,

    How to find out the time when the SAS key was generated and who requested for the SAS key / token? could you please provide a solution for this? Thanks in advance.

    Kind regards,


    Monday, March 11, 2019 12:47 PM

All replies

  • Service does not generate SAS client constructs it using the shared key “keep track of who gets your storage account shared keys”

    There are 2 pillars the SAS token stands on the shared key and (if used) the stored access policy

    remove either and the SAS token is invalid, so user can regenerate their keys and all SAS tokens will become invalid then they can start from a clean slate otherwise if they remove the stored access policy (and don’t recreate it with the same name), the SAS token becomes invalid without affecting other tokens that don’t depend on the stored access policy

     Note: Currently, an account SAS must be an ad hoc SAS. Stored access policies are not yet supported for account SAS.

    Controlling a SAS with a stored access policy

    A shared access signature can take one of two forms:

    • Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI (or implied, in the case where start time is omitted). This type of SAS can be created as an account SAS or a service SAS.
    • SAS with stored access policy: A stored access policy is defined on a resource container--a blob container, table, queue, or file share--and can be used to manage constraints for one or more shared access signatures. When you associate a SAS with a stored access policy, the SAS inherits the constraints--the start time, expiry time, and permissions--defined for the stored access policy.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Monday, March 11, 2019 1:06 PM
  • Hi Murugan

    as far as I understand, that's currently not available. You can vote regarding including this feature at https://feedback.azure.com/forums/217298-storage/suggestions/31052998-manage-sas-token-by-name-and-include-in-audit-logs

    You will also find there suggestions regarding controlling SAS usage


    Monday, March 11, 2019 1:08 PM
  • Hi Sumanth,

    Thanks for the responds, Azure Log analytics will support to provide these logs? and what kind of Storage account logs i can get from Log analytics? 

    Kind regards,


    Tuesday, March 12, 2019 5:28 AM
  • Hi Sumanth/ Marcin,

    I was able to perform the following.

    Please let me know if the approach is correct, in case I wish to know who requested for SAS token.

     1. Open any Azure storage account

    2. Select the feature 'Alerts'

    3. Create an alert rule by selecting the condition "All administrative Operations"   

    4. Observe alert(s) under the defined severity level

       Alerts -> Severity 4 -> All Alerts -> <<Select the Alert> -> More Details -> Use 'Caller' and 'Submission Timestamp'

     Could you suggest the ideal solution / better solution that is generally used.

    Kind regards,


    Tuesday, March 12, 2019 9:14 AM
  •  @Murugan Chandrasekaran Apologies for the delay!

    What kind of Storage account logs I can get from Log analytics? 
    IIS logs, Event logs, Syslogs (linux), ETW logs, Service fabric event logs and more.

    Azure Storage metrics migration

    Tuesday, March 19, 2019 12:56 PM
  • @Murugan Chandrasekaran  Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Thursday, March 21, 2019 7:24 AM