diff --git a/ansible/playbooks/sap-hana-download-media.yaml b/ansible/playbooks/sap-hana-download-media.yaml
index 8943277c..730cd64f 100644
--- a/ansible/playbooks/sap-hana-download-media.yaml
+++ b/ansible/playbooks/sap-hana-download-media.yaml
@@ -23,6 +23,46 @@
         group: root
         mode: 0755
 
+    - name: Retrieve account key
+      ansible.builtin.command: >-
+        az storage account keys list 
+        --account-name {{ az_storage_account_name.split('/')[0] }} 
+        --query "[?contains(keyName,'{{ az_key_name }}')].value" 
+        -o tsv
+      delegate_to: 127.0.0.1
+      run_once: true
+      register: az_account_key
+      when: az_sas_token is not defined or az_sas_token == ""
+
+    - name: "Set expiry"
+      ansible.builtin.command: "date -u +'%Y-%m-%dT%H:%MZ' -d '+20 minutes'"
+      delegate_to: 127.0.0.1
+      run_once: true
+      register: expiry
+      when: az_sas_token is not defined or az_sas_token == ""
+
+    - name: Generate SAS token
+      ansible.builtin.command: >-
+        az storage container generate-sas \
+          --account-name {{ az_storage_account_name.split('/')[0] }} \
+          --account-key {{ az_account_key.stdout }} \
+          --name {{ az_container_name.split('/')[0] }} \
+          --permission r \
+          --expiry {{ expiry.stdout }} \
+          --out tsv
+      delegate_to: 127.0.0.1
+      changed_when: false
+      run_once: true
+      register: az_sas_token_output
+      when: az_sas_token is not defined or az_sas_token == ""
+
+    - name: Set az_sas_token fact
+      ansible.builtin.set_fact:
+        az_sas_token: "{{ az_sas_token_output.stdout }}"
+      delegate_to: 127.0.0.1
+      run_once: true
+      when: az_sas_token is not defined or az_sas_token == ""
+
     - name: Download HANA media with SAS token
       ansible.builtin.get_url:
         url: "https://{{ az_storage_account_name }}.blob.core.windows.net/{{ az_container_name }}/{{ item }}?{{ az_sas_token }}"