Generate Azure Storage Account SAS Key using PowerShell - powershell

I am trying to generate an azure storage account shared access key so that i can use it with azcopy to retrieve files from all containers in my storage account.
I have generated a key successfully using the Azure Portal and proven this works with azcopy
But i am struggling to get an equivalent key to generate using PowerShell that works.
Powershell Query
az storage container generate-sas --account-name $SaName --account-key $accountKey --permissions 'rl' --start $start --expiry $expiry --name $SaName --https-only --output tsv
Azure Portal (GUI) Result
sv=2019-12-12
&ss=b
&srt=sco
&sp=rl
&se=2021-02-08T17:40:26Z
&st=2021-02-08T09:40:26Z
&spr=https
&sig=REDACTED
Powershell Result
st=2021-02-08T17%3A17%3A47Z
&se=2021-02-08T17%3A47%3A47Z
&sp=rl
&spr=https
&sv=2018-11-09
&sr=c
&sig=REDACTED
I guess the first problem is that i have not found a way of adding the missing and ss=b srt=sco (not sr) there doesn't seem to be those parameters available, perhaps if they were there the sig would have the correct hash.
I have tried this in Azure Cloudshell as well as on my own machine with az 1.12.1

The command az storage container generate-sas is not powershell command, it's azure cli command.
Because in Azure portal, you're generating an account level sas-token, but in azure cli, you're actually generating a container level sas-token by using az storage container generate-sas.
To generate an account level sas-token, you should use this azure cli command: az storage account generate-sas.
The sample like below:
az storage account generate-sas --account-key "xxxxx" --account-name your_storage_account_name --expiry 2020-02-10 --https-only --permissions rl --resource-types sco --services b
Here is the test result, the ss=b srt=sco are generated:
If you want to use powershell to generate an account level sas-token, please use this powershell command: New-AzStorageAccountSASToken. The sample is as below(you can add other parameters as per your need):
$account_name = "yy1"
$account_key = "xxxxxxx"
$context = New-AzStorageContext -StorageAccountName $account_name -StorageAccountKey $account_key
#you can also add other parameter as per your need, like StartTime, ExpiryTime etc.
New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission rl -Context $context
Here is the test result:

Related

Devops - Linked ARM template - Geneate blob storage SAS toekn using powershell

I'm trying to deploy linked ARM template using devops.
Instead of hard coding SAS token, I would like to generate SAS token using powershell script but I'm not familiar with using powershell to generate blob SAS token.
Any help with this powershell will be appreciated!
Updated 0512:
If you want to get the account key automatically, you should take use this cmdlet Get-AzStorageAccountKey.
The example:
1.Get both of the key1 and key2 of your storage account:
Get-AzStorageAccountKey -ResourceGroupName "your_resourceGroupName" -Name "your_storageAccountName"
Test result:
2.Get the key1 of your storage account:
$s=Get-AzStorageAccountKey -ResourceGroupName "your_resourceGroupName" -Name "your_storageAccountName"
$s[0].Value
Test result:
Original answer:
If you're using azure powershell az module, then you can use New-AzStorageBlobSASToken cmdlet.
Sample code:
$accountName="xxx"
$accountKey="xxxx"
$context=New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
New-AzStorageBlobSASToken -Container "ContainerName" -Blob "BlobName" -Permission rwd -Context $context
Test result:

Publish Test Results on Azure from Azure Storage account

I have a container that creates a report.xml file that I wish to use to create a test report in Azure.
I was thinking to do this during the pipeline, but I am missing how to get this file during the Azure pipeline.
What is the way to download a file in storage account and use it on a Test Result during the pipeline?
If I understood, you want to copy a file from blob storage in pipeline?
For that you can use Azure Cli task with this command:
az storage blob download
But can you esplain what you mean by this use it on a Test Result during the pipeline??
Try to use Azure Powershell to handle this get files from Azure Storage Blob:
$storage = Get-AzStorageAccount -ResourceGroupName xxx -Name yyy
$ctx = $storageAccount.Context
# download blob
Get-AzStorageblobcontent -Blob "report.xml" `
-Container $containerName `
-Destination " $(System.DefaultWorkingDirectory)" `
-Context $Context
According to this question:How to copy a file from Azure Storage fileshare to Release pipeline agent
Seems you were trying to download file from Azure File share (not blob), please simply refer my reply in that link.
After some digging this is the solution.
What I have done is mount a Storage volume during the container instances to my container that generates the report.
Afterwards in the pipeline I have copied the files that are stored in the storage account to the Pipeline agent.
$storageAcct = Get-AzStorageAccount -ResourceGroupName XXX -Name YYY
Get-AzStorageFileContent -Context $storageAcct.context -ShareName "Sharename" -Path "report.xml" -Destination $(System.DefaultWorkingDirectory)
Then its just matter of getting that files from the agent when using the test reporter during the release pipeline.

Azure CLI (PS) | az storage blob generate-sas | Https connection failure

I am using the Azure CLI to create a blob level user delegated SAS, using steps from this article.
I have hidden the name of my storage account for the purpose of this post.
The PowerShell az storage blob generate-sas cmdlet is returning;
HTTPSConnectionPool(host='https', port=443): Max retries exceeded with
url:
//storeageAccountName.blob.core.windows.net?restype=service&comp=userdelegationkey
(Caused by
NewConnectionError(': Failed to establish a new connection: [Errno -2]
Name or service not known',))
and I noticed that the URL = //storeageAccountName.blob.core.windows.net, and not, https://storeageAccountName.blob.core.windows.net.
The PowerShell code:
$sasToken = az storage blob generate-sas `
--account-name $storageAccount `
--container-name $container `
--name $blob `
--permissions acdrw `
--expiry "2020-04-10T14:50Z" `
--auth-mode login `
--as-user `
--full-uri
The Azure CLI mode was set to classic and not set to ARM.
Ran azure config mode arm.
Executed az storage blob generate-sas again and SAS was returned.

Function to move/delete files within file share in Azure Storage Explorer?

I'm not proficient in Powershell yet, so please bear with me if I use the incorrect terminology.(And please correct me if I do.)
I have installed the Az and Azure.Storage modules.
I have also connected to my account using Connect-AZAccount (Is this the best way? Since you need to copy the URL and login via a browser)
Then I was just trying to view the files, to test the connection. Using Get-AzureStorageFile
This prompts me for a sharename - I used the name of the folder under File Shares in Azure Storage Explorer. But this failed, see failure below
cmdlet Get-AzureStorageFile at command pipeline position 1 Supply
values for the following parameters: (Type !? for Help.) ShareName:
bss get-azurestoragefile : Could not get the storage context. Please
pass in a storage context or set the current storage context.
Additional information to note, I do not have access to the Account Key, only the SAS Token.
Any help would be appreciated.
If you use Connect-AzAccount, you will use the Az module powershell Get-AzStorageFile instead of Get-AzureStorageFile. Before running the Get-AzStorageFile command, you need to pass the storage context with New-AzStorageContext to fix the error.
Sample:
$context = New-AzStorageContext -StorageAccountName "<StorageAccountName>" -StorageAccountKey "<StorageAccountKey>"
Get-AzStorageFile -ShareName "<ShareName>" -Path "<ContosoWorkingFolder>" -Context $context

Export bacpac to a Azure storage account using powershell

I'm trying to create a powershell script to backup a SQL database on Azure to a storage account as below,
$exportRequest = New-AzureRmSqlDatabaseExport -ResourceGroupName
$ResourceGroupName -ServerName $ServerName `
-DatabaseName $DatabaseName -StorageKeytype $StorageKeytype -StorageKey
$StorageKey -StorageUri $BacpacUri `
-AdministratorLogin $creds.UserName -AdministratorLoginPassword $creds.Password
This is the document i'm following,
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-export
I assume the following,
$ResourceGroupName - my azure resource group
$ServerName - db server name
$DatabaseName - database name
**$StorageKeytype - NOT SURE WHAT VALUE SHOULD BE PLACED HERE**
**$StorageKey - I'm hoping this is one of the access keys under the azure storage account**
$BacpacUri - Azure storage account bacpac URI path
Please advice what parameters need to passed here.
Please advice what parameters need to passed here.
StorageKey : Specifies the access key for the storage account.
StorageKeyType:
Specifies the type of access key for the storage account.
The acceptable values for this parameter are:
StorageAccessKey. This value uses a storage account key.
SharedAccessKey. This value uses a Shared Access Signature (SAS) key.
For more details, refer to this link.