diff --git a/vfs/azblobfs.go b/vfs/azblobfs.go
index ba8f02d6..61477b1a 100644
--- a/vfs/azblobfs.go
+++ b/vfs/azblobfs.go
@@ -107,23 +107,24 @@ func NewAzBlobFs(connectionID, localTempDir, mountPath string, config AzBlobFsCo
 		if err != nil {
 			return fs, fmt.Errorf("invalid SAS URL: %w", err)
 		}
+		svc, err := azblob.NewServiceClientWithNoCredential(fs.config.SASURL.GetPayload(), clientOptions)
+		if err != nil {
+			return fs, fmt.Errorf("invalid credentials: %v", err)
+		}
 		if parts.ContainerName != "" {
 			if fs.config.Container != "" && fs.config.Container != parts.ContainerName {
 				return fs, fmt.Errorf("container name in SAS URL %#v and container provided %#v do not match",
 					parts.ContainerName, fs.config.Container)
 			}
 			fs.config.Container = parts.ContainerName
+			fs.containerClient, err = svc.NewContainerClient("")
 		} else {
 			if fs.config.Container == "" {
 				return fs, errors.New("container is required with this SAS URL")
 			}
-		}
-		svc, err := azblob.NewServiceClientWithNoCredential(fs.config.SASURL.GetPayload(), clientOptions)
-		if err != nil {
-			return fs, fmt.Errorf("invalid credentials: %v", err)
+			fs.containerClient, err = svc.NewContainerClient(fs.config.Container)
 		}
 		fs.hasContainerAccess = false
-		fs.containerClient, err = svc.NewContainerClient(fs.config.Container)
 		return fs, err
 	}
 
diff --git a/vfs/cryptfs.go b/vfs/cryptfs.go
index 7a1515af..1539d70b 100644
--- a/vfs/cryptfs.go
+++ b/vfs/cryptfs.go
@@ -156,7 +156,7 @@ func (fs *CryptFs) Create(name string, flag int) (File, *PipeWriter, func(), err
 	if flag == 0 {
 		f, err = os.Create(name)
 	} else {
-		f, err = os.OpenFile(name, flag, os.ModePerm)
+		f, err = os.OpenFile(name, flag, 0666)
 	}
 	if err != nil {
 		return nil, nil, nil, err