An Azure blob SAS (Shared Access Signature) token is used in many places to access either a specific blob or a container. It's simply a string constructed from your storage account name and your storage account key. The whole point of the SAS token is that you can share it with anyone you like to give them access to blob storage without compromising your real underlying storage account key. The SAS token is in a format that can be used in a URI/URL. It is not a certificate and is not stored anywhere; it is created and used straight after. It is normally held in memory as part of a variable, or it can be shared with others, and it can contain an expiry date. More info here.
Below is a PowerShell script that you can use to construct an Azure blob storage SAS token; this one focuses on granting access to blob containers.
```powershell
# Login to Azure manually
Clear-AzureRmContext -Scope CurrentUser -Force
Login-AzureRmAccount -TenantId '<Your Azure Tenant ID>' # Microsoft

### Choose Subscription
$subscription = Get-AzureRmSubscription | Out-GridView -Title "Select the Azure subscription that you want to use …" -PassThru
Select-AzureRmSubscription -SubscriptionId $subscription.id

# Fill in these variables
$StorageAccountName = '<YourStorageAccountName>'
$StorageContainerName = '<YourStorageContainerName>'
$StorageAccountKey = '<YourStorageAccountKey>'
$BlobName = '/SomeFolder/file.ext' # this is to construct the SAS URI below so you can test

# The storage context holds the account key that signs the token
$StgContext = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey

# Validity window of the token: from now, for 5 hours
$StartTime = Get-Date
$EndTime = $StartTime.AddHours(5.0)

# Read and list access (-Permission rl): https://docs.microsoft.com/en-us/powershell/module/azure.storage/new-azurestoragecontainersastoken
$SasToken = New-AzureStorageContainerSASToken -Name $StorageContainerName `
    -Context $StgContext -Permission rl -StartTime $StartTime -ExpiryTime $EndTime
$SasToken | clip   # copy the token to the clipboard

# Construct the URL & Test
$url = "$($StgContext.BlobEndPoint)$($StorageContainerName)$($BlobName)$($SasToken)"
$url | clip        # copy the full SAS URL to the clipboard
Invoke-WebRequest -UseBasicParsing -Uri $url | Out-Null
```
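Before a token like the one above is shared, it is worth reading back what it actually grants. The following is an added example, not part of the original script: it parses the token's query-string fields and flags broad permissions, a long lifetime, or a missing HTTPS restriction. The function name `Get-SasTokenSummary`, the `$MaxHours` limit and the sample token are assumptions made for illustration.

```powershell
# Added example. Get-SasTokenSummary and $MaxHours are hypothetical names.
function Get-SasTokenSummary {
    param(
        [Parameter(Mandatory)] [string] $SasToken,
        [double] $MaxHours = 8   # assumed policy limit; set your own
    )

    # Split "?k=v&k=v" into a hashtable, URL-decoding each value.
    $fields = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $name, $value = $pair -split '=', 2
        $fields[$name] = [uri]::UnescapeDataString($value)
    }

    $inv    = [cultureinfo]::InvariantCulture
    $now    = [datetimeoffset]::UtcNow
    $expiry = [datetimeoffset]::Parse($fields['se'], $inv)
    # 'st' is optional; without it the token is valid from the moment of issue.
    $start  = $now
    if ($fields.ContainsKey('st')) { $start = [datetimeoffset]::Parse($fields['st'], $inv) }
    $hours  = [math]::Round(($expiry - $start).TotalHours, 1)

    $findings = @()
    # -cmatch is case-sensitive: permission letters are lowercase (r = read, l = list).
    if ($fields['sp'] -cmatch '[^rl]') { $findings += "grants more than read/list: $($fields['sp'])" }
    if ($fields['spr'] -ne 'https')    { $findings += 'token does not restrict use to HTTPS (spr)' }
    if ($hours -gt $MaxHours)          { $findings += "lifetime of $hours h exceeds $MaxHours h" }
    if ($expiry -lt $now)              { $findings += 'already expired' }

    [pscustomobject]@{
        Resource    = $fields['sr']   # c = container, b = blob
        Permissions = $fields['sp']
        Expiry      = $expiry
        Hours       = $hours
        Findings    = $findings       # 'sig' is deliberately left out of the output
    }
}

# Constructed sample in the shape the script above produces (the signature is a dummy).
$sample = '?sv=2017-07-29&sr=c&sig=CONSTRUCTED-DUMMY%3D&st=2030-01-01T09%3A00%3A00Z&se=2030-01-01T14%3A00%3A00Z&sp=rl'
Get-SasTokenSummary -SasToken $sample | Format-List
```

For the constructed sample, the only finding is the missing `spr=https` field: the token is read/list only and lasts 5 hours, but it does not itself restrict use to HTTPS.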