Author : HASSAN MD TAREQ | Updated : 2021/09/25

Generate Shared Access Signature using PowerShell

SAS can be genereated by using following signing method

User Delegation Key can be created in following ways

User Delegation Key using Storage Account context

# About User Delegation SAS
# SAS secured with Azure AD credentials is called a user delegation SAS.
# Microsoft recommends that you use Azure AD credentials when possible as a security best practice

# Generate User Delegation SAS token for target container
# Use currently logged in user: -UseConnectedAccoun
# The SAS that is created with the user delegation key is granted the permissions that have been granted to the security principal.
# Must add logged in user explicitly as "Storage Blob Data Reader" (or other allowed roles) for storage account
$resourceGroupName = "xxx"
$storageAccountName = "xxx"
$containerName = "xxx"

$storageAccountContext = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
#echo $storageAccountContext

$sasToken = New-AzStorageContainerSASToken `
-Context $storageAccountContext `
-Name $containerName `
-Permission racwdl `
-ExpiryTime (Get-Date).AddDays(7)

echo $sasToken

# Test SAS token by listing files in the target container
# Upload 2 text files (for testing) if target container is empty
# Generate context using SAS token and then use context to list blobs in the target container
$storageAccountContext = ""
$storageAccountContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken

Get-AzStorageBlob -Container $containerName -Context $storageAccountContext | select Name

User Delegation Key using Managed Identity (need to test)

Generate SAS Token for SQL Backup to URL

For SQL Backup to URL Stored Access Policy is required

Generate SAS that is associated with Stored Access Policy


$subscriptionName = "xxx"
# Set target subscription
Set-AzContext -SubscriptionName $subscriptionName

# Define variables
$resourceGroupName = "xxx"
$storageAccountName= "xxx"
$containerName = "sql-backup-to-url-test"
$storedAccessPolicyName = "sql-backup-sas-policy" # the name of the Stored Access Policy (policy that will be used to generate SAS)

# Create storage account context (context will be used to create Stored Access Policy)
# Account keys are needed
$accountKeys = Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName  
$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $accountKeys[0].value 

# Creates a new container if needed
# $container = New-AzStorageContainer -Context $storageContext -Name $containerName  
$container = Get-AzStorageContainer -Context $storageContext -Name $containerName
$cbc = $container.CloudBlobContainer
#echo $cbc

# Create Stored Access Policy if does not exist, use existing policy if exists
# SAS will refer to Stored Access Policy by name
# $existingPolicies = Get-AzStorageContainerStoredAccessPolicy -Container $containerName -Context $storageContext
$storedAccessPolicyForSasToken = ""
$existingPolicyWithSameName = Get-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $storedAccessPolicyName -Context $storageContext
#echo $existingPolicyWithSameName

$noPolicyWithSameName = (([string]::IsNullOrEmpty($existingPolicyWithSameName)) -eq $true)
if($noPolicyWithSameName){ # create policy
    $storedAccessPolicyForSasToken = New-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $storedAccessPolicyName -Context $storageContext -ExpiryTime $(Get-Date).ToUniversalTime().AddYears(10) -Permission "rwld"

# Generate SAS
$sasString = New-AzStorageContainerSASToken -Policy $storedAccessPolicyName -Context $storageContext -Container $containerName
$sasToken = "$($sasString.Substring(1))" # removing '?' in the token string
echo $sasToken

Generate Shared Access Signature using Azure Portal

Azure storage security - Get shared aceess signature