Azure Event Hub || Read events from Azure Event Hub using Storage SAS Token

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Use Case:

To read the events from Azure Event hub using Storage SAS Token.



  • Azure Event hub Namespace
  • Azure Storage Account SAS Token
  • Console Application to read the published

Steps to follow:

As a part of the working, Azure Event hub uses storage account while reading events to implement features like checkpointing under the Event Processor Host implementation. For this purpose, it is necessary to pass the storage connection string ,this article can be used in scenario where  in we do not want to expose the full storage connection  string and only want to authenticate using storage SAS token.


Ready made sample to read events out of event hub using connection string can be found here


To generate SAS token for the storage account, we can either use Azure Portal using the Shared Access Signature blade on storage account or use the below piece of code:


static string GetAccountSASToken()


    const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<account-key>";

    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

    SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()


            Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List,

            Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.File,

            ResourceTypes = SharedAccessAccountResourceTypes.Service,

            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),

            Protocols = SharedAccessProtocol.HttpsOnly


    return storageAccount.GetSharedAccessSignature(policy);


To pass storage SAS token , we need to initialize the EventProcessorHost instance from the readymade code  in the below fashion:


var eventProcessorHost = new EventProcessorHost(new Uri(Uristring), EventHubName,


                TokenProvider.CreateSharedAccessSignatureTokenProvider( KeyName , KeyValue),

                new CloudStorageAccount(new StorageCredentials(StorageSasToken), StorageAccountName, null, true),



The format for the parameters is as below:

Uristring = "sb://{event hub namespace}"

KeyName = Event hub Policy name

KeyValue = Event hub key value

StorageSasToken =  Storage SAS token provided by Azure Portal or code.

StorageAccountName = Name of Storage account which would be used.

StorageContainerName = Name of Storage container to acquire lease on. 


Running the  receive console application, you should be able to read the events from event hub while using SAS token.

Hope this helps!

One Reply to “Azure Event Hub || Read events from Azure Event Hub using Storage SAS Token”

  1. Is it possible to use blob access policies ? See example below:

    // Create the shared access permissions and policy
    var blobPermissions = new BlobContainerPermissions()
    PublicAccess = BlobContainerPublicAccessType.Off, // Turn off public access


    // Create a new access policy and define its constraints.
    // Note that the SharedAccessBlobPolicy class is used both to define the parameters of an ad hoc SAS, and
    // to construct a shared access policy that is saved to the container’s shared access policies.
    var sharedPolicy = new SharedAccessBlobPolicy()
    // When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request.
    // Omitting the start time for a SAS that is effective immediately helps to avoid clock skew.
    SharedAccessExpiryTime = DateTime.UtcNow.AddYears(100),
    SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-120),
    Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write |
    SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.List |
    SharedAccessBlobPermissions.Delete | SharedAccessBlobPermissions.Add,

    blobPermissions.SharedAccessPolicies.Add(consumerGroupName, sharedPolicy);
    await cloudBlobContainer.SetPermissionsAsync(blobPermissions);

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.