SAS URI Token- Creation, Extension & Revokation
Modified on: Mon, Dec 2 2024 6:00 PMSAS = Shared Access Signature
Overview
Why: Allows us to create custom security at a granular level for Azure Storage to
- Specific folder/file (e.g., a folder within a container)
- Specific action (Read, List, Delete, Write, ….)
- Provide to a specific person (whoever has the URI --- manage security via control over who has access to the URI)
This is finer control than storage account level Keys that give full access to the full account (all containers, etc.)
Process Steps
Summary
1. Create a Container / Folder in Azure Storage
2. Create a Policy using the Azure Storage Explorer desktop application
3. Run Power Shells script to generate a URI that provides access to the policy
1 – Create Container
No detail here - we know how to do this.
2 – Create Policy
- Open Azure Storage Explorer
- Navigate to the container/folder you want to create a policy on
- in the "Actions" tab, click on "Manage Access Policies…"
- Click the "Add" button
- Limit of 5? In the desktop app – may need to pursue other methods via scripting
- Done - ready to create URI in next section
3 – Creature URI
1. Open Power Shell template. See file "Azure Storage Generate SAS Demo Template.ps1" (in BTech Private Site - Products and Services Documentation).
The current use case where Data Office is generating SAS token is to support Autodesk Connector copy activity. This token is generated to authenticate Boomi to access storage container field2-inbox. See script: Boomi-Field2-inbox-SAS-Token-Script
2. Modify the variable declarations for your storage/container/folder:
Variable |
Description |
Example |
$SubscriptionID |
|
"b3e29c6c-055b-493c-b486-f56bd388bd6b" # Swinerton |
$TenantID |
|
"5d793645-a4cb-4dc9-90f2-c691a6fb6f16" #Swinerton |
$ResourceGroupName |
|
"WU-DATAOFFICE-QA-RG" |
$StorageAcctName |
|
"swinfieldmanagementdev" |
$ContainerName |
|
"field2-inbox" |
$PolicyName |
|
"field2-inbox-DEMO" |
$Baseurl |
|
"https://swinfieldmanagementdev.blob.core.windows.net/" |
3. Open Windows PowerShell ISE (As Administrator). Run this command to allow for the scripts to run: Set-ExecutionPolicy RemoteSigned [SV1]
4. Run the updated script & Observe the generated SAS URI:
4-Renew SAS URI Token
https://stackoverflow.com/questions/68671540/refresh-sas-token-for-azure-blob-storage
Examples
How to Test the token?
Tool for Testing: Azure Storage Explorer
- Open the Connect Dailog on the left side of the pane. This will open a pop out window
- Select Resource> ADLS Gen2 container or directory.
- Select Shared Access Signature URL (SAS).
- Enter Connection Info
- Confirm you are able to perform read , write or any other activity that is included in the permissions for the SAS token.
Related Processes
How to view SAS Policies
SAS policies can be viewed using:
- Azure Storage Container:
- Right click on storage container
- View Manage Access Policies
- Powershell script.
The current script for generating SAS URI token includes a cmdlet to return all access policies on a container (Line 32)
Get-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Context $storagecontainerContext ## list policy for container
Inventory generated URI's
How to Extend Expired SAS Policies
Known Issue + Fix: "Not Digitally signed"
If you get an error saying ".ps1 is not digitally signed. The script will not execute on the system.", run the script below:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
(via: https://caiomsouza.medium.com/fix-for-powershell-script-not-digitally-signed-69f0ed518715)
Open Questions
- Can you create a policy with no start/end date?
Prerequisites
PowerShell Modules needed to be installed:
Az.Storage
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force -AllowClobber
Debugging:
Error: cannot be loaded because running scripts is disabled on this system.
Run this command: Set-ExecutionPolicy RemoteSigned