Author : MD TAREQ HASSAN | Updated : 2021/09/25
Generate Shared Access Signature using PowerShell
A SAS can be generated with either of the following signing methods
- Account key
- User delegation key
A User Delegation Key can be created in the following ways
- Using a storage account context created with `-UseConnectedAccount` (creates the context object under the Azure AD account with which you signed in)
- Using a Managed Identity (on behalf of the Managed Identity as the security principal)
User Delegation Key using Storage Account context
```powershell
#
# About User Delegation SAS
# SAS secured with Azure AD credentials is called a user delegation SAS.
# Microsoft recommends that you use Azure AD credentials when possible as a security best practice
#
#
# Generate User Delegation SAS token for target container
# Use currently logged in user: -UseConnectedAccount
# The SAS that is created with the user delegation key is granted the permissions that have been granted to the security principal.
# https://docs.microsoft.com/en-us/powershell/module/azure.storage/new-azurestoragecontainersastoken
#
# Must add logged in user explicitly as "Storage Blob Data Reader" (or other allowed roles) for storage account
#
$resourceGroupName = "xxx"
$storageAccountName = "xxx"
$containerName = "xxx"
$storageAccountContext = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
#echo $storageAccountContext
# A user delegation SAS cannot outlive the delegation key it is signed with (at most 7 days),
# so the expiry below is the longest the cmdlet will accept
$sasToken = New-AzStorageContainerSASToken `
    -Context $storageAccountContext `
    -Name $containerName `
    -Permission racwdl `
    -ExpiryTime (Get-Date).AddDays(7)
echo $sasToken
#
# Test SAS token by listing files in the target container
# Upload 2 text files (for testing) if target container is empty
#
# Generate context using SAS token and then use context to list blobs in the target container
# https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-powershell
#
$storageAccountContext = $null
$storageAccountContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken
Get-AzStorageBlob -Container $containerName -Context $storageAccountContext | select Name
```
User Delegation Key using Managed Identity (need to test)
- Create managed identity
- Assign any of the following roles to the managed identity
  - Contributor
  - Storage Account Contributor
  - Storage Blob Data Contributor (recommended)
  - Storage Blob Data Owner
  - Storage Blob Data Reader
  - Storage Blob Delegator
- Create Azure VM
- Enable Managed Identity for the Azure VM
- Generate SAS
  - “Access Token & User Delegation Key” approach
    - Get Access Token: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
      - api-version: https://docs.microsoft.com/en-us/rest/api/storageservices/versioning-for-the-azure-storage-services#version-2020-10-02
      - resource: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#azure-storage-resource-id
    - Get User Delegation Key: https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key
    - Construct a user delegation SAS: https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#construct-a-user-delegation-sas
  - “Managed Identity Login from VM” approach
    - Login using Managed Identity from a PowerShell client running in the VM: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in
    - Use `-UseConnectedAccount` (Managed Identity login credential) to generate the SAS: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell#use-azure-ad-credentials-to-secure-a-sas
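The “Access Token & User Delegation Key” approach carried end to end, as an added example that is not part of the original post or of the Az module. It assumes it runs on the VM whose managed identity holds a role from the list above, uses placeholder account and container names, and the `ToIso` helper, the one-hour key lifetime and the read/list permission set are this example's own choices; the string-to-sign follows the field order given in the linked "Construct a user delegation SAS" doc for version 2020-10-02.

```powershell
# Added example, not from the original post. Run it on an Azure VM whose managed identity
# holds "Storage Blob Delegator" (or a broader role from the list above) on the storage account.
# Account/container names are placeholders; ToIso, the 1-hour key lifetime and the "rl"
# permission set are this example's choices.
$storageAccountName = "xxx"
$containerName      = "xxx"
$apiVersion         = "2020-10-02"   # x-ms-version for the key request; also sv in the SAS

function ToIso([datetime]$d) { $d.ToUniversalTime().ToString("s") + "Z" }

# 1. Access token for Azure Storage from the VM's managed identity (IMDS endpoint, no secret on disk)
$imdsUri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/"
$accessToken = (Invoke-RestMethod -Uri $imdsUri -Headers @{ Metadata = "true" }).access_token

# 2. Get a user delegation key; keep its lifetime short, the SAS cannot outlive it
$keyStart  = Get-Date
$keyExpiry = $keyStart.AddHours(1)
$keyInfo   = "<?xml version=`"1.0`" encoding=`"utf-8`"?><KeyInfo><Start>$(ToIso $keyStart)</Start><Expiry>$(ToIso $keyExpiry)</Expiry></KeyInfo>"
$udkUri    = "https://$storageAccountName.blob.core.windows.net/?restype=service&comp=userdelegationkey"
$udk = (Invoke-RestMethod -Method Post -Uri $udkUri -Body $keyInfo -ContentType "application/xml" `
            -Headers @{ Authorization = "Bearer $accessToken"; "x-ms-version" = $apiVersion }).UserDelegationKey

# 3. Construct the SAS: container scope, read + list only, HTTPS only, expires with the key
$sp = "rl"; $sr = "c"; $spr = "https"; $se = ToIso $keyExpiry
$canonicalizedResource = "/blob/$storageAccountName/$containerName"
# String-to-sign field order for version 2020-10-02 (signedEncryptionScope only exists from 2020-12-06);
# empty strings are optional fields this SAS leaves unset
$stringToSign = @(
    $sp, "", $se, $canonicalizedResource,                                    # sp, st, se, resource
    $udk.SignedOid, $udk.SignedTid, $udk.SignedStart, $udk.SignedExpiry,     # skoid, sktid, skt, ske
    $udk.SignedService, $udk.SignedVersion,                                  # sks, skv
    "", "", "",                                                              # saoid, suoid, scid
    "", $spr, $apiVersion, $sr,                                              # sip, spr, sv, sr
    "",                                                                      # signedSnapshotTime
    "", "", "", "", ""                                                       # rscc, rscd, rsce, rscl, rsct
) -join "`n"
$hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($udk.Value))
$sig  = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))

$enc = { param($v) [Uri]::EscapeDataString($v) }
$sasToken = "sv=$apiVersion&sr=$sr&sp=$sp&se=$(& $enc $se)&spr=$spr" +
            "&skoid=$($udk.SignedOid)&sktid=$($udk.SignedTid)" +
            "&skt=$(& $enc $udk.SignedStart)&ske=$(& $enc $udk.SignedExpiry)" +
            "&sks=$($udk.SignedService)&skv=$($udk.SignedVersion)&sig=$(& $enc $sig)"

# Verify: this SAS can list the container but not write to or delete from it
$sasContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken
Get-AzStorageBlob -Container $containerName -Context $sasContext | Select-Object Name
```

If such a SAS leaks, revoking the account's user delegation keys (Revoke-AzStorageAccountUserDelegationKeys) invalidates every SAS signed with them, without rotating the account keys.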
Generate SAS Token for SQL Backup to URL
For SQL Backup to URL a Stored Access Policy is required
- Microsoft does not explicitly mention that you need to create a “Stored Access Policy” first
- Use the Stored Access Policy to generate the SAS
- Backup to URL error “Operating system error 50 (The request is not supported.)”: see the Troubleshooting page
Generate SAS that is associated with a Stored Access Policy
- Microsoft doc example code: https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/sql-server-backup-to-url?#SAS
- When you use SSMS, the backup wizard generates the SAS token using a Stored Access Policy (a Stored Access Policy named “BackupPolicy_” is generated)
```powershell
Connect-AzAccount
$subscriptionName = "xxx"
# Set target subscription
Set-AzContext -SubscriptionName $subscriptionName
#
# Define variables
#
$resourceGroupName = "xxx"
$storageAccountName = "xxx"
$containerName = "sql-backup-to-url-test"
$storedAccessPolicyName = "sql-backup-sas-policy" # the name of the Stored Access Policy (policy that will be used to generate SAS)
#
# Create storage account context (context will be used to create Stored Access Policy)
# Account keys are needed
#
$accountKeys = Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName
$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $accountKeys[0].Value
#
# Creates a new container if needed
#
# $container = New-AzStorageContainer -Context $storageContext -Name $containerName
#
$container = Get-AzStorageContainer -Context $storageContext -Name $containerName
$cbc = $container.CloudBlobContainer
#echo $cbc
#
# Create Stored Access Policy if it does not exist, use the existing policy if it exists
# SAS will refer to Stored Access Policy by name
#
# $existingPolicies = Get-AzStorageContainerStoredAccessPolicy -Container $containerName -Context $storageContext
#
$storedAccessPolicyForSasToken = ""
$existingPolicyWithSameName = Get-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $storedAccessPolicyName -Context $storageContext -ErrorAction SilentlyContinue
#echo $existingPolicyWithSameName
$noPolicyWithSameName = ($null -eq $existingPolicyWithSameName)
if ($noPolicyWithSameName) { # create policy
    # Long-lived policy: the SAS stays usable until the policy is modified or deleted,
    # which is also how the SAS is revoked without rotating the account keys
    $storedAccessPolicyForSasToken = New-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $storedAccessPolicyName -Context $storageContext -ExpiryTime (Get-Date).ToUniversalTime().AddYears(10) -Permission "rwld"
}
#
# Generate SAS
#
$sasString = New-AzStorageContainerSASToken -Policy $storedAccessPolicyName -Context $storageContext -Name $containerName
$sasToken = "$($sasString.Substring(1))" # removing the leading '?' in the token string
echo $sasToken
```
Generate Shared Access Signature using Azure Portal
- Go to Azure portal > Resource groups > Select storage account
- “Settings” section > Shared access signature