SAS URI Token - Creation, Extension & Revocation
SAS = Shared Access Signature
Overview
Why: A SAS lets us grant access to Azure Storage at a granular level, scoped to
- a specific container, folder or file (e.g., a folder within a container)
- specific actions (Read, List, Delete, Write, ...)
- a specific recipient: a SAS is a bearer token, so whoever holds the URI has the access it grants. Distribute the URI over a secure channel, record it in the inventory (see Related Processes) and treat it like a credential.
This is far finer control than the storage account keys, which grant full access to the whole account (all containers, queues, tables, etc.). Because the SAS generated here references a stored access policy rather than carrying its own expiry and permissions, the policy can later be extended or deleted to change or revoke every token issued against it, without rotating the account keys.
Process Steps
Summary
1. Create a Container / Folder in Azure Storage
2. Create a Policy using the Azure Storage Explorer desktop application
3. Run the PowerShell script to generate a URI that is bound to the policy
1 – Create Container
No detail here - we know how to do this.
2 – Create Policy
- Open Azure Storage Explorer
- Navigate to the container/folder you want to create a policy on
- in the "Actions" tab, click on "Manage Access Policies…"
- Click the "Add" button
- Note the limit: a container can hold at most five stored access policies. Scripting does not raise that limit; if more are needed, reuse one policy per recipient group or create the policies on a separate container.
- Done - ready to create URI in next section
3 – Create URI
1. Open the PowerShell template. See file "Azure Storage Generate SAS Demo Template.ps1" (in BTech Private Site - Products and Services Documentation).
The current use case where Data Office generates a SAS token is to support the Autodesk Connector copy activity: the token authenticates Boomi to the storage container field2-inbox. See script: Boomi-Field2-inbox-SAS-Token-Script
2. Modify the variable declarations for your storage/container/folder:
Variable (Description): Example
- $SubscriptionID (Azure subscription ID): "b3e29c6c-055b-493c-b486-f56bd388bd6b" # Swinerton
- $TenantID (Entra ID / Azure AD tenant ID): "5d793645-a4cb-4dc9-90f2-c691a6fb6f16" # Swinerton
- $ResourceGroupName (resource group that holds the storage account): "WU-DATAOFFICE-QA-RG"
- $StorageAcctName (storage account name): "swinfieldmanagementdev"
- $ContainerName (container the policy was created on in step 2): "field2-inbox"
- $PolicyName (name of the stored access policy from step 2): "field2-inbox-DEMO"
- $Baseurl (blob service endpoint of the storage account): "https://swinfieldmanagementdev.blob.core.windows.net/"
3. Open Windows PowerShell ISE (as Administrator). If script execution is blocked, allow it for this session only: Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned (the unscoped Set-ExecutionPolicy RemoteSigned changes the machine-wide policy and needs an elevated prompt).
4. Run the updated script and observe the generated SAS URI. It must contain si=<policy name> (the stored access policy identifier). If it instead carries its own se= (expiry) and sp= (permissions), it was generated without the policy and cannot be extended or revoked through the policy; regenerate it.
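A complete generation script, as an added example that is not the page's template (Azure Storage Generate SAS Demo Template.ps1) and is not meant to replace it. It uses the demo variable values from the table above; the policy permissions ("rl"), the 30-day validity, the 15-minute start-time back-off and the sanity checks at the end are assumptions for the example.

```powershell
# Added example (not the page's template script): generate a SAS URI bound to a
# stored access policy. Variable values are the demo values from the table above;
# permissions, validity window and the checks at the end are assumptions.
$SubscriptionID    = "b3e29c6c-055b-493c-b486-f56bd388bd6b"   # Swinerton
$TenantID          = "5d793645-a4cb-4dc9-90f2-c691a6fb6f16"   # Swinerton
$ResourceGroupName = "WU-DATAOFFICE-QA-RG"
$StorageAcctName   = "swinfieldmanagementdev"
$ContainerName     = "field2-inbox"
$PolicyName        = "field2-inbox-DEMO"

Connect-AzAccount -Tenant $TenantID -Subscription $SubscriptionID | Out-Null

# Shared-key context pulled through ARM (the caller needs listkeys rights on the
# account). A stored access policy can only be used with a shared-key context; an
# OAuth context (-UseConnectedAccount) would produce a user delegation SAS instead.
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAcctName).Context

# Create the policy if step 2 was not done in Storage Explorer (both write the same
# container-level policy). Start 15 minutes in the past so clock skew between the
# client and the storage service cannot make a fresh token "not yet valid".
$existing = Get-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Context $ctx |
            Where-Object { $_.Policy -eq $PolicyName }
if (-not $existing) {
    $now = (Get-Date).ToUniversalTime()
    New-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Policy $PolicyName `
        -Permission "rl" -StartTime $now.AddMinutes(-15) -ExpiryTime $now.AddDays(30) `
        -Context $ctx | Out-Null
}

# -Policy makes the SAS reference the policy by identifier (si=...). Do not also pass
# -Permission or -ExpiryTime: Azure does not allow a field to be set on both the policy
# and the SAS, and a token with its own se=/sp= cannot be extended or revoked via the policy.
$sasUri = New-AzStorageContainerSASToken -Name $ContainerName -Policy $PolicyName `
              -Context $ctx -FullUri

# Sanity checks before handing the URI out.
$query = ([uri]$sasUri).Query
if ($query -notmatch '(^\?|&)si=')   { throw "SAS is not bound to a stored access policy" }
if ($query -match '(^\?|&)(se|sp)=') { throw "SAS carries its own expiry/permissions" }

Write-Output $sasUri   # then record it in SAS_URI_Inventory.xlsx
```

The Where-Object filter relies on the Policy property that Get-AzStorageContainerStoredAccessPolicy returns for each policy; if the cmdlet output changes in a future Az.Storage version, adjust the property name.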
4 – Renew SAS URI Token
Because the token references a stored access policy, renewing it means extending the policy's expiry (see "How to Extend Expired SAS Policies" under Related Processes); the URI already handed out does not change and does not need to be reissued. Background discussion:
https://stackoverflow.com/questions/68671540/refresh-sas-token-for-azure-blob-storage
Examples
How to Test the Token
Tool for Testing: Azure Storage Explorer
- Open the Connect dialog on the left side of the pane. This opens a pop-out window.
- Select Resource > ADLS Gen2 container or directory.
- Select Shared Access Signature URL (SAS).
- Enter the connection info (paste the full SAS URI).
- Confirm you are able to perform read, write or any other activity that is included in the permissions for the SAS token.
- Also confirm that an activity the policy does not grant (e.g., write or delete for a read/list policy) is refused. A token that allows more than intended is a security defect, not a convenience.
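A scripted counterpart to the Storage Explorer test, as an added example that is not part of the page's script. It assumes the policy-bound container SAS URI from step 3 (as returned by New-AzStorageContainerSASToken -FullUri) and a policy that grants list but not write, so it checks both that an allowed operation (List Blobs) succeeds and that a disallowed one (Put Blob) is refused with HTTP 403. The function and probe-blob names are placeholders.

```powershell
# Added example: exercise a container SAS URI over the Blob REST API and verify it
# permits exactly what the policy grants. Assumes a container-scoped (sr=c) SAS whose
# policy grants "rl" and no "w"; function and probe names are placeholders.
function Test-SasUri {
    param(
        [Parameter(Mandatory)][string]$SasUri,
        [string]$ProbeBlob = "sas-probe-$(Get-Date -Format yyyyMMddHHmmss).txt"
    )
    $u    = [uri]$SasUri
    $base = $u.GetLeftPart([System.UriPartial]::Path)   # https://<acct>.blob.core.windows.net/<container>
    $sas  = $u.Query.TrimStart('?')                     # sv=...&si=...&sr=c&sig=...
    $result = [ordered]@{}

    # Positive check: List Blobs requires the "l" permission from the policy.
    try {
        $r = Invoke-WebRequest -Uri "${base}?restype=container&comp=list&${sas}" `
                 -Method Get -UseBasicParsing
        $result.List = "$($r.StatusCode) OK"
    } catch {
        $result.List = "FAILED: $($_.Exception.Message)"
    }

    # Negative check: Put Blob requires "w"; with an "rl" policy the service must answer 403.
    try {
        Invoke-WebRequest -Uri "${base}/${ProbeBlob}?${sas}" -Method Put -UseBasicParsing `
            -Headers @{ 'x-ms-blob-type' = 'BlockBlob' } -Body "probe" | Out-Null
        $result.Write = "ALLOWED (unexpected: the policy should not grant w)"
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        $result.Write = if ($code -eq 403) { "403 denied as expected" } else { "FAILED: HTTP $code" }
    }
    [pscustomobject]$result
}

# Usage (after step 3 has populated $sasUri):
# Test-SasUri -SasUri $sasUri
```

Because the SAS already carries sv= (the service version), no x-ms-version header is needed; only the Put Blob call needs the x-ms-blob-type header. If the write probe is ever ALLOWED, either the policy grants more than intended or the URI is not the one you think it is; check the si= value against the Manage Access Policies dialog.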
Related Processes
How to view SAS Policies
SAS policies can be viewed using:
- Azure Storage Explorer:
- Right-click on the storage container
- Select Manage Access Policies
- PowerShell script:
The current script for generating the SAS URI token includes a cmdlet that returns all access policies on a container (Line 32):
Get-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Context $storagecontainerContext ## list policy for container
Inventory generated URI's
https://swinerton.sharepoint.com/sites/privatesite_btech/System%20Documentation/SAS_URI_Inventory.xlsx?web=1
How to Extend Expired SAS Policies
Update the policy's expiry time (Set-AzStorageContainerStoredAccessPolicy with -ExpiryTime, or edit the policy in Storage Explorer's Manage Access Policies dialog). Tokens issued against the policy become valid again without being reissued, because they read start, expiry and permissions from the policy at request time; allow up to 30 seconds for the change to take effect. To revoke instead, delete (or rename) the policy: every SAS that references it stops working immediately, and the account keys do not need to be rotated.
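Extension and revocation in script form, as an added example that is not part of the page's script. It assumes $ctx is the shared-key storage context used in step 3 and that Get-AzStorageContainerStoredAccessPolicy returns the existing policy's Permissions property; function names and the usage dates are placeholders.

```powershell
# Added example: extend or revoke a stored access policy. Every SAS issued with -Policy
# picks up the change because it references the policy by name (si=) instead of carrying
# its own expiry. Assumes $ctx is the shared-key context from step 3.
function Update-SasPolicyExpiry {
    param(
        [Parameter(Mandatory)][string]$Container,
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][datetime]$NewExpiryUtc,
        [Parameter(Mandatory)]$Context
    )
    $current = Get-AzStorageContainerStoredAccessPolicy -Container $Container -Context $Context |
               Where-Object { $_.Policy -eq $Policy }
    if (-not $current) { throw "Policy '$Policy' not found on container '$Container'" }
    if ($NewExpiryUtc -le (Get-Date).ToUniversalTime()) { throw "New expiry must be in the future" }

    # Pass the existing permissions back explicitly so the update can neither widen
    # nor silently drop them; only the expiry changes.
    Set-AzStorageContainerStoredAccessPolicy -Container $Container -Policy $Policy `
        -Permission $current.Permissions -ExpiryTime $NewExpiryUtc -Context $Context | Out-Null
    Get-AzStorageContainerStoredAccessPolicy -Container $Container -Policy $Policy -Context $Context
}

function Revoke-SasPolicy {
    param(
        [Parameter(Mandatory)][string]$Container,
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)]$Context
    )
    # Deleting the policy invalidates every SAS that references it; no key rotation needed.
    # Update SAS_URI_Inventory.xlsx afterwards so the revoked URI is not handed out again.
    Remove-AzStorageContainerStoredAccessPolicy -Container $Container -Policy $Policy -Context $Context
}

# Usage:
# Update-SasPolicyExpiry -Container "field2-inbox" -Policy "field2-inbox-DEMO" `
#     -NewExpiryUtc (Get-Date).ToUniversalTime().AddDays(90) -Context $ctx
# Revoke-SasPolicy -Container "field2-inbox" -Policy "field2-inbox-DEMO" -Context $ctx
```

After either call, re-run the token test (see "How to Test the Token"): an extended policy should make the old URI work again, and a revoked one should make every operation on it return 403.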
Known Issue + Fix: "Not Digitally signed"
If you get an error saying ".ps1 is not digitally signed. The script will not execute on the system.", run the command below. It lifts the restriction for the current PowerShell process only, so nothing persists on the machine:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
(via: https://caiomsouza.medium.com/fix-for-powershell-script-not-digitally-signed-69f0ed518715)
Open Questions
- Can you create a policy with no start/end date?
Prerequisites
PowerShell modules that need to be installed:
Az.Storage (installed as part of the Az module):
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force -AllowClobber
Debugging:
Error: "cannot be loaded because running scripts is disabled on this system."
Run this command (or the -Scope Process variant from the Known Issue above, which does not change the machine-wide policy): Set-ExecutionPolicy RemoteSigned