Generate SAS token to access Azure Storage

Aug 31, 2017. | By: Owen Davies

When you create an Azure Storage account to store files in a container you can set the permissions to what ever access level you want, and you can generate tokens to access the blob storage account with set periods of time. That’s what we’re going to do here today.

0. Login to your Azure account

Lets first login to your Azure Account using the Login-AzureRmAccount command. A prompt asking for email address, and then password will popup.

Login-AzureRmAccount

1. Create a new Resource Group

Now we need to create a new Resource Group for our storage account to live in. The naming of this can be anything you like.

$resourceGroupName = "NewResourceGroup"
$location = "West Europe"

New-AzureRmResourceGroup -Name $resourceGroupName -Location $location -Verbose -Force

2. Create a new Storage Account

Now for the creation of the actual storage account, the name for this needs to be globally unique in the whole of Azure. This is because it has a URL to access it, so you will need to change the below storageAccountName or you will receive an error.

$storageAccountName = "storageaccountsas"

New-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName -Location $location -SkuName "Standard_LRS"

3. Upload a file

We’re going to create a txt file with some text in, create a container (which is just a like a folder structure) in our storage account, then upload the individual file we just created.

echo some-text  > filename.txt

$containerName = "upload"
$storageAccount = (Get-AzureRmStorageAccount | Where-Object{$_.StorageAccountName -eq $storageAccountName})
New-AzureStorageContainer -Name $containerName -Context $storageAccount.Context -ErrorAction SilentlyContinue *>&1

$folderPath = (Get-Item -Path ".\" -Verbose).FullName
$SourcePath = $folderPath + "\filename.txt"

Set-AzureStorageBlobContent -File $SourcePath -Blob $SourcePath.Substring($folderPath.length + 1) -Container $containerName -Context $storageAccount.Context -Force | out-null

4. Generate a SAS token for 12 hours

Now that we have our file uploaded, we need to generate a SAS token for to access our file, we’re going to set the expiry of this to 12 hours, but this can be changed to whatever you need.

Set-AzureRmCurrentStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName | out-null
$sasToken = New-AzureStorageContainerSASToken -Name $containerName -Permission r -Protocol HttpsOnly -ExpiryTime (Get-Date).AddHours(12)

$sasToken

Test we can access it with SAS token

First lets test that the file is still private and not accessable to the public.

Open a new browser window and try browsing to http://storageaccountsas.blob.core.windows.net/upload/filename.txt

You should be greated with the following message:

<Error>
<Code>ResourceNotFound</Code>
<Message>
The specified resource does not exist. RequestId:86e3247c-101e-00fa-37d7-060e24000000 Time:2018-06-18T07:41:07.3620454Z
</Message>
</Error>

Azure is giving nothing away here, it just says resource does not exist, as you do not have the permissions to access it.

Test with the new SAS Token

If you open up a new browser and type in the location of the newly uploaded file with the sasToken added to the end, mine is https://storageaccountsas1.blob.core.windows.net/upload/filename.txt?sv=2017-07-29&sr=c&sig=tG3bkXUNUxGa3IwXosTgweQo7XAOChPF4%2FCdYTm4%2Fmc%3D&spr=https&se=2018-06-18T19%3A44%3A40Z&sp=r

It should now download the filename.txt to your computer.

The whole script

### 1. CREATE A NEW RESOURCE GROUP
$resourceGroupName = "NewResourceGroup"
$location = "West Europe"

New-AzureRmResourceGroup -Name $resourceGroupName -Location $location -Verbose -Force

### 2. CREATE A NEW STORAGE ACCOUNT
$storageAccountName = "storageaccountsas"

New-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName -Location $location -SkuName "Standard_LRS"

### 3. UPLOAD A FILE
echo some-text  > filename.txt

$containerName = "upload"
$storageAccount = (Get-AzureRmStorageAccount | Where-Object{$_.StorageAccountName -eq $storageAccountName})
New-AzureStorageContainer -Name $containerName -Context $storageAccount.Context -ErrorAction SilentlyContinue *>&1

$folderPath = (Get-Item -Path ".\" -Verbose).FullName
$SourcePath = $folderPath + "\filename.txt"

Set-AzureStorageBlobContent -File $SourcePath -Blob $SourcePath.Substring($folderPath.length + 1) -Container $containerName -Context $storageAccount.Context -Force | out-null

### 4. GENERATE A SAS TOKEN FOR 12 HOURS
Set-AzureRmCurrentStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName | out-null
$sasToken = New-AzureStorageContainerSASToken -Name $containerName -Permission r -Protocol HttpsOnly -ExpiryTime (Get-Date).AddHours(12)

$sasToken

Conclusion

SAS Tokens can be used throughout your powershell scripts and within your ARM templates to access files in your storage account, often other commands will have a -sastoken property.

Comments

About

Founded in 2009, Odity is a software consultancy based in the United Kingdom.

Social Links

Our Bunker

United Kingdom.