# Azure Queue Storage with SAS Demo

## Preparation

In [1]:
#r "nuget: Azure.Storage.Queues"

Import namespaces:

In [2]:
using Azure.Storage.Queues;
using Azure.Storage.Queues.Models;

Setup connection string:

In [None]:
const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=XXX;AccountKey=XXX;EndpointSuffix=core.windows.net";

## Server-Side

This step creates a server-side queue client and initializes the queue.

In [4]:
// Name of the queue
var queueName = "my-queue";

// Create the queue client
var queueClientServer = new QueueClient(ConnectionString, queueName);

Console.WriteLine($"Creating queue '{queueName}'...");

// Create the queue if it doesn't exist
await queueClientServer.CreateIfNotExistsAsync();
Console.WriteLine($"Queue '{queueName}' is ready.");

Creating queue 'my-queue'...
Queue 'my-queue' is ready.


Now, let's add some messages to the queue.

In [5]:
for (int i = 1; i <= 5; i++) {
    await queueClientServer.SendMessageAsync($"Message #{i}");
}

Console.WriteLine("Messages added to the queue.");

Messages added to the queue.


Generate SAS Uri, valid for 10 minutes and allowing reading access to queue.

In [6]:
using Azure.Storage.Sas;

// Generate a SAS token for the queue with read permissions, valid for 10 minutes
var sasBuilder = new QueueSasBuilder {
    ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(10)
};
sasBuilder.SetPermissions(QueueSasPermissions.Process);

// Build the SAS URI
Uri sasUri = queueClientServer.GenerateSasUri(sasBuilder);

Console.WriteLine($"SAS URI (read access, 10 min): {sasUri}");

SAS URI (read access, 10 min): https://ztechtest.queue.core.windows.net/my-queue?sv=2025-07-05&se=2025-09-10T15%3A47%3A08Z&sp=p&sig=cf03atuoAAX8ATp1IEMjHK4jX4MHDk06l%2BwbABXyhn8%3D


## Client-side

Now we need to get the generated SAS URI to the client side. It can be part of configuration or read via otherwise authenticated REST API etc. Based on that, we can construct instance of `QueueClient` class without connection string or account key.

In [7]:
var queueClientClient = new QueueClient(sasUri);
while (true)
{
    // Receive a message from the queue
    var msgReply = await queueClientClient.ReceiveMessageAsync(visibilityTimeout: TimeSpan.FromSeconds(30));

    // Check if a message was received; if not, queue is empty and exit the loop
    if (msgReply.Value == null) break;
    var msg = msgReply.Value;

    // Show message details
    msg.Display();

    // Delete the message from the queue
    await queueClientClient.DeleteMessageAsync(msg.MessageId, msg.PopReceipt);
}
Console.WriteLine("All messages received and deleted from the queue.");

All messages received and deleted from the queue.


Everything works as it should, but if we try to add new message to queue from client, it will fail:

In [8]:
await queueClientClient.SendMessageAsync("This will fail and that's expected.");

Error: Azure.RequestFailedException: This request is not authorized to perform this operation using this permission.
RequestId:d7b0e745-0003-0027-3b69-224815000000
Time:2025-09-10T15:39:37.3802176Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch

Content:
﻿<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:d7b0e745-0003-0027-3b69-224815000000
Time:2025-09-10T15:39:37.3802176Z</Message></Error>

Headers:
Server: Windows-Azure-Queue/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d7b0e745-0003-0027-3b69-224815000000
x-ms-client-request-id: 25f278d8-6ae3-4dac-8d5b-6a803b66bec4
x-ms-version: 2025-07-05
x-ms-error-code: AuthorizationPermissionMismatch
Date: Wed, 10 Sep 2025 15:39:37 GMT
Content-Length: 279
Content-Type: application/xml

   at Azure.Storage.Queues.MessagesRestClient.EnqueueAsync(QueueMessage queueMessage, Nullable`1 visibilitytimeout, Nullable`1 messageTimeToLive, Nullable`1 timeout, CancellationToken cancellationToken)
   at Azure.Storage.Queues.QueueClient.SendMessageInternal(BinaryData message, Nullable`1 visibilityTimeout, Nullable`1 timeToLive, Boolean async, CancellationToken cancellationToken, String operationName)
   at Azure.Storage.Queues.QueueClient.SendMessageAsync(String messageText, Nullable`1 visibilityTimeout, Nullable`1 timeToLive, CancellationToken cancellationToken)
   at Azure.Storage.Queues.QueueClient.SendMessageAsync(String messageText)
   at Submission#7.<<Initialize>>d__0.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.CodeAnalysis.Scripting.ScriptExecutionState.RunSubmissionsAsync[TResult](ImmutableArray`1 precedingExecutors, Func`2 currentExecutor, StrongBox`1 exceptionHolderOpt, Func`2 catchExceptionOpt, CancellationToken cancellationToken)

Of course, we can setup the rights differently, if we want to generate SAS just for adding messages to the queue (`QueueSasPermission.Add`) etc, it all depends on the scenario we want to create.

In similar fashion we can create SAS tokens for blobs, tables or shares.