Microsoft Azure Storage and Database Part 11 – Get Shared Access Signature (SAS) Using PowerShell
Hope you all are doing good !!! 🙂 .
In one of our previous articles we discussed how to configure a Stored Access Policy using PowerShell. In this article we will discuss how to get a Shared Access Signature (SAS) URI using PowerShell.
Previous Azure series :
- Learn Basics Of Azure Networking In 60 Hours
- Learn Basic Of Azure Active Directory And Azure Identity And Access Management
- Azure DevOps – Learn at one place
If you have missed our previous articles in the Azure Storage and Database series, please check them at the following links.
- Part 1 – Overview Of Azure Storage and Database
- Part 2 – Azure Storage Account
- Part 3 – Azure Blob Storage
- Part 4 – Work With Azure Blob Storage
- Part 5 – Storage Explorer For Azure Storage
- Part 6 – Azure Blob Storage – Snapshot Using Storage Explorer
- Part 7 – Azure Blob Storage – Shared Access Signature (SAS)
- Part 8 – Secure Azure Storage Using Stored Access Policy
- Part 9 – Secure Azure Storage Using RBAC
- Part 10 – Configure Stored Access Policy Using PowerShell
Work With Azure Storage Using PowerShell :
In our previous articles, we discussed how to secure storage account data using different approaches. In this article, we will get a SAS URL using PowerShell. To proceed with PowerShell we need to install the required Azure modules, so let’s go through the following steps.
Step 1 – We need to make sure that the latest version of PowerShellGet is installed; it is a prerequisite for configuring PowerShell for Azure. Run the following command in Windows PowerShell to install the latest version, then close the PowerShell window after installing PowerShellGet.
Install-Module PowerShellGet -Repository PSGallery -Force
Step 2 – Next, we must install the PowerShell Az module, which provides support for working with Azure resources. Reopen the PowerShell window and run the following command.
Install-Module Az -Repository PSGallery -AllowClobber
Step 3 – To work with Azure Storage, we need to install the Azure Storage PowerShell module by executing the following command.
Install-Module -Name Az.Storage -Repository PSGallery -Force
Step 4 – The Az.Storage PowerShell module version should be 3.2.0 or later. To check which version of the Az.Storage module is installed, run the following command as shown in the following figure.
Get-Module -ListAvailable -Name Az.Storage -Refresh
Step 5 – Now we are ready to work with the storage account using PowerShell. In our use case, we will assign the Storage Blob Data Contributor role to our new employee (Uday Joshii) so that he can perform the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.
First log in to Azure as administrator (Manas Moharana) to assign the required role to our new employee, as shown in the following figure.
Step 6 – Run the following command to assign the Storage Blob Data Contributor role, which includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.
New-AzRoleAssignment -SignInName firstname.lastname@example.org -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/04xxa5-7xxxxxx18-XXXXX8-a21xxxxxxx19/resourceGroups/StorageAndDatabase/providers/Microsoft.Storage/storageAccounts/kj21storageacount"
Get Shared Access Signature Using PowerShell :
Step 1 – As we can see in the above figure, Uday Joshii now has the Storage Blob Data Contributor role, so he can request a SAS URI. Let’s log in to Uday Joshii’s account using the following command and providing Uday’s credentials.
Step 2 – To get a user delegation SAS token URI for a container, we need to pass the Azure Storage context object, start time, expiry time, permissions and container name. So let’s create those objects one by one with the following commands.
$ctx = New-AzStorageContext -StorageAccountName kj21storageacount -UseConnectedAccount
$StartTime = Get-Date
$EndTime = $StartTime.AddDays(2)
Step 3 – Now we have all the required information to get the SAS URI by executing the following command.
$containerSASURI = New-AzStorageContainerSASToken -Context $ctx -Name kj-container -Permission racwdl -StartTime $StartTime -ExpiryTime $EndTime
In the above figure we can see that the SAS URI is returned as a query string. We can now append this query string to any blob’s URL in the container to access the blob for the allocated time frame, as shown in the following figure. The URL should be:
Blob URL + SAS URI
The following figure shows the result: we can access the blob from that container using the SAS URI.
Get Shared Access Signature Based On Stored Access Policy Using PowerShell :
Now let’s see how to get a SAS URI based on a Stored Access Policy using PowerShell. In our last article we configured a Stored Access Policy using PowerShell. In our example, we will pass that Stored Access Policy as an argument in the following command and get the SAS URI, as shown in the following figure.
# Use the recently created Stored Access Policy: FourDays-rwdl-Access_KJ-Container
$containerSASURI = New-AzStorageContainerSASToken -Name "kj-container" -Policy "FourDays-rwdl-Access_KJ-Container" -Context $ctx4
After getting the SAS URI, we can use it with our blob URL as we did in the previous section.
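To check what a token like the ones returned in the two sections above actually grants before sharing it, the following added example (not part of the original article or of the Az.Storage module) parses the SAS query string offline and reports its type, permissions and validity window. The function name `Get-SasTokenReport`, the 48-hour threshold and the sample token are assumptions made for illustration.

```powershell
# Added example: report what a SAS query string grants, without any Azure call.
function Get-SasTokenReport {
    param(
        [Parameter(Mandatory)][string]$SasToken,
        [int]$MaxHours = 48   # assumed review threshold; equals the 2-day window used above
    )
    # Parse "?k=v&k=v" (with or without the leading "?") and URL-decode each value.
    $f = @{}
    foreach ($pair in $SasToken.TrimStart('?') -split '&') {
        $k, $v = $pair -split '=', 2
        $f[$k] = [uri]::UnescapeDataString([string]$v)
    }
    # skoid appears only on a user delegation SAS; si names a stored access policy.
    $kind = 'KeySignedAdHoc'
    if ($f.ContainsKey('si'))    { $kind = 'StoredAccessPolicy' }
    if ($f.ContainsKey('skoid')) { $kind = 'UserDelegation' }

    $findings = @()
    if ($f['sp'] -match '[acwd]') { $findings += "sp=$($f['sp']) allows add/create/write/delete" }
    if ($f['spr'] -ne 'https')    { $findings += 'spr is not https-only' }
    $hours = $null
    if ($f['se']) {
        $inv   = [cultureinfo]::InvariantCulture
        $end   = [datetimeoffset]::Parse($f['se'], $inv)
        # st is optional; a token without it is valid from the moment it is issued.
        $start = if ($f['st']) { [datetimeoffset]::Parse($f['st'], $inv) } else { [datetimeoffset]::UtcNow }
        $hours = [math]::Round(($end - $start).TotalHours, 1)
        if ($hours -gt $MaxHours) { $findings += "valid for $hours h (limit $MaxHours h)" }
    } elseif ($kind -eq 'StoredAccessPolicy') {
        $findings += "expiry comes from policy '$($f['si'])'; review the policy itself"
    } else {
        $findings += 'no se (expiry) field'
    }
    # The sig value is left out of the report so the result is safe to log.
    [pscustomobject]@{
        Kind = $kind; Resource = $f['sr']; Permissions = $f['sp']
        Hours = $hours; Policy = $f['si']; Findings = $findings
    }
}

# Constructed sample in the shape of a container SAS (sig is a placeholder).
$sample = '?sv=2021-08-06&st=2024-05-01T08%3A00%3A00Z&se=2024-05-03T08%3A00%3A00Z' +
          '&sr=c&sp=racwdl&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER'
Get-SasTokenReport -SasToken $sample | Format-List
```

For the constructed sample the report shows Kind `UserDelegation`, Hours `48`, and two findings: the `racwdl` permission set includes write and delete, and the token does not restrict access to HTTPS.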
I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .