Securely Configuring Azure Blob Storage in .NET Web API

This content originally appeared on DEV Community and was authored by Harpreet Singh

When you’re building a .NET Web API that integrates with Azure Blob Storage, one of the most important things to figure out is how you’re going to secure it. Hardcoding connection strings might get you up and running quickly, but it’s definitely not something you want to do in production.

The good news is that Azure gives us a few different options, from simple connection strings to more advanced setups like SAS tokens and managed identities. In this post, we’ll walk through each option and look at some real-world examples.

1. Getting Started – Azure Storage SDK

First, install the Azure Storage Blob package:

dotnet add package Azure.Storage.Blobs

Next, register the BlobServiceClient in your Web API:

using Azure.Storage.Blobs;

builder.Services.AddSingleton(_ =>
{
    var connectionString =  builder.Configuration.GetConnectionString("AzureBlobStorage");
    return new BlobServiceClient(connectionString);
});

This gives you a ready-to-use BlobServiceClient anywhere in your app via dependency injection.

2. Option 1 – Connection Strings (Quick, But Not Secure)

In appsettings.json:

{
  "ConnectionStrings": {
    "AzureBlobStorage": "DefaultEndpointsProtocol=https;AccountName=youraccount;AccountKey=yourkey;EndpointSuffix=core.windows.net"
  }
}

This works fine for local development, but storing account keys in config is risky. If someone gets access to that file, they basically have full control of your storage account. Use it for quick demos or testing, but avoid it in production.

3. Option 2 – Shared Access Signatures (SAS Tokens)

SAS tokens are a much safer way to give out temporary, scoped access. Instead of exposing your account key, you can generate a token that’s valid only for a short period of time and only for specific actions (read, write, delete, etc.).

Example:

var blobUri = new Uri("https://youraccount.blob.core.windows.net/container/blob.txt?<SAS_TOKEN>");
var blobClient = new BlobClient(blobUri);

This way, your Web API never deals with account keys. Instead, you just hand out short-lived tokens. Super handy for scenarios where users need to upload or download files directly.

4. Option 3 – Managed Identity + Azure AD (Best for Production)

The best option in most production setups is to avoid managing secrets altogether and rely on Azure AD authentication with Managed Identities.

How it works:

Enable Managed Identity for your Web API in Azure.
Assign your Web API’s identity the Storage Blob Data Contributor role in your Storage Account.
Use DefaultAzureCredential in your app to handle authentication automatically.

using Azure.Identity;
using Azure.Storage.Blobs;

builder.Services.AddSingleton(_ =>
{
    var accountUrl = new Uri("https://youraccount.blob.core.windows.net/");
    return new BlobServiceClient(accountUrl, new DefaultAzureCredential());
});

What is `DefaultAzureCredential()`?

DefaultAzureCredential is part of the Azure Identity library. Think of it as an authentication Swiss Army knife. It tries multiple authentication methods in order until one works:

Environment variables
Managed Identity (when running in Azure)
Your logged-in account in Visual Studio or Azure CLI (when running locally)

This means you don’t have to change your code between development and production. It “just works” in both environments.

5. Example: Uploading a File

Here’s a simple example of uploading a file using the injected BlobServiceClient:

[ApiController]
[Route("api/[controller]")]
public class FilesController : ControllerBase
{
    private readonly BlobServiceClient _blobServiceClient;

    public FilesController(BlobServiceClient blobServiceClient)
    {
        _blobServiceClient = blobServiceClient;
    }

    [HttpPost("upload")]
    public async Task<IActionResult> UploadFile(IFormFile file)
    {
        var container = _blobServiceClient.GetBlobContainerClient("uploads");
        await container.CreateIfNotExistsAsync();

        var blobClient = container.GetBlobClient(file.FileName);

        using var stream = file.OpenReadStream();
        await blobClient.UploadAsync(stream, overwrite: true);

        return Ok(new { blobUrl = blobClient.Uri.ToString() });
    }
}

This controller creates the container if it doesn’t exist, uploads the file, and returns the blob’s URL.

Wrapping Up

Connection strings – good for quick testing, not safe for production.
SAS tokens – great for temporary, scoped access.
Managed identities + Azure AD – the secure, production-ready way.
DefaultAzureCredential – makes local and cloud authentication seamless.

When you’re designing APIs, always think about who should access your storage and for how long. Moving away from secrets toward managed identities and SAS tokens is the key to keeping your apps both secure and scalable.

In a future post, we’ll look at serving files securely from Blob Storage through your Web API, including download patterns and caching strategies.