
Saturday, December 2, 2017

Manage Security in Azure Blob Storage with Shared Access Signature (SAS) and create SAS using Azure CLI


In this tutorial I have executed all of the commands below in Azure CLI.
You can comment or uncomment any line as required.

This must be the very first line in your bash script.

#!/bin/bash

In the first step, log in to your Azure subscription account using the
command below. You can skip this command if you are already logged in.

#Login to Azure subscription account
az login

After executing the command, you will see a message similar to this on the console:

"to sign in, use a web browser to open the page https://aka.ms/devicelogin 
and enter the code #h98mdtxxk to authenticate."

In the second step, declare all the required variables in one place.

#Declare all variables in one place

resourceGroup="azurecertifications-resource-group"
blobStorageAccount="azstorageaccount02"
containerName="myfiles"
blobName="Desert.jpg"

To execute the command below, the storage account must already exist.
Click this link to learn how to create an Azure storage account
using Azure CLI.

The command below retrieves the storage account access key. Using
this key we can create containers in the account.

#Retrieve Blob Storage Account Access key. 
#Below command will return Storage Account 'key1'.

output=$(az storage account keys list --resource-group "$resourceGroup" \
  --account-name "$blobStorageAccount" --query "[0].value" --output tsv)

The key is returned in 'key=name' format, so it needs to be parsed with the '=' delimiter.

#Parse Blob Storage Account Key by '=' delimiter
#('-f 1-' keeps every field, so any '=' padding at the end of the key is preserved)

blobStorageAccountKey=$( cut -d '=' -f 1- <<< "$output" )

#Create containers in storage account and disable container public access

az storage container create --account-name "$blobStorageAccount" \
  --account-key "$blobStorageAccountKey" --name "$containerName" --public-access off

#Upload a blob to a container 
#(This operation creates the blob if it doesn't already exist, and overwrites it if it does. )

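#--name sets the blob name inside the container; the file path is built from the folder plus $blobName
az storage blob upload --account-name "$blobStorageAccount" \
  --account-key "$blobStorageAccountKey" --container-name "$containerName" \
  --name "$blobName" \
  --file "C:\\Users\\Public\\Pictures\\Sample Pictures\\$blobName"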

#Lists the blobs in a container

az storage blob list --account-name "$blobStorageAccount" \
  --container-name "$containerName" --account-key "$blobStorageAccountKey" --output table

The screenshot below shows that I have only 1 file in the 'myfiles' container
in the storage account. The command also displays the file's properties.





#Get the URL for the blob
blobURL=$(az storage blob url --account-name "$blobStorageAccount" \
  --account-key "$blobStorageAccountKey" --container-name "$containerName" \
  --name "$blobName" --output tsv)

echo "$blobURL"





#Verify Private Access of the blob
Copy the blob URL above and navigate to it in a private browser
window. You will be presented with a 'ResourceNotFound' error because
the blob is private and you have not included a shared access signature.
See the screenshot below.


 









#Create a Shared Access Signature (SAS) URI

Follow the 3 steps below to create the SAS URI.

# STEP 1: Get UTC datetimes for SAS start and expiry (Example: 2017-11-30T10:00:00Z)

sasStart=`date -u +'%Y-%m-%dT%H:%M:%SZ'`
sasExpiry=`date -u +'%Y-%m-%dT%H:%M:%SZ' -d '+500 minute'`

# STEP 2: Obtain a SAS token granting read (r) access between the SAS start and expiry times

sasToken=$(az storage blob generate-sas --account-name "$blobStorageAccount" \
  --account-key "$blobStorageAccountKey" --container-name "$containerName" \
  --name "$blobName" --start "$sasStart" --expiry "$sasExpiry" \
  --permissions r --output tsv)

# STEP 3: Display the full SAS URI for the blob

#(quoted so the shell does not treat '?' as a glob character)
echo "$blobURL?$sasToken"





After copying the generated URL you can try to download the image
file in any browser of your choice. I tested with one I generated
and was able to view the file in the browser. See the screenshot below.












One thing to note here is that after the SAS token expires you will get an
'AuthenticationFailed' exception in the browser.

All the steps we have done here using Azure CLI can also be done
with Azure Storage Explorer, which lets you manage Azure blob storage
resources in the same way. Use the following official Azure link for
more details about Azure Storage Explorer.
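An added example, not part of the original post: a small shell check that reads the st, se, sp, spr and sip fields from a SAS URI like the one built in STEP 3 and reports a token that grants more than read, allows plain HTTP, has no IP restriction, or lives longer than a chosen limit. The sample URIs, the signature placeholder, the function names and the finding labels are constructed for illustration; GNU date is assumed, as in STEP 1.

```shell
# Constructed sample URIs (not real tokens): the 500-minute read token this
# tutorial produces, and a tighter one limited to 15 minutes, HTTPS and one IP.
BLOB="https://azstorageaccount02.blob.core.windows.net/myfiles/Desert.jpg"
SAMPLE_WEAK="$BLOB?st=2017-11-30T10%3A00%3A00Z&se=2017-11-30T18%3A20%3A00Z&sp=r&sv=2017-04-17&sr=b&sig=CONSTRUCTED"
SAMPLE_TIGHT="$BLOB?st=2017-11-30T10%3A00%3A00Z&se=2017-11-30T10%3A15%3A00Z&sp=r&spr=https&sip=203.0.113.10&sv=2017-04-17&sr=b&sig=CONSTRUCTED"

# sas_param <uri-or-token> <name>: print one query parameter, with %3A decoded
# to ':' (the only escape that appears in the timestamp fields).
sas_param() {
  printf '%s\n' "${1#*[?]}" | tr '&' '\n' |
    sed -n "s/^$2=//p" | head -n 1 | sed 's/%3[Aa]/:/g'
}

# sas_audit <uri-or-token> <max-minutes>: print the findings on one line, or OK.
sas_audit() {
  a_sp=$(sas_param "$1" sp)
  a_st=$(sas_param "$1" st)
  a_se=$(sas_param "$1" se)
  a_out=""
  # Anything beyond read-only is reported with the permissions granted.
  [ "$a_sp" = "r" ] || a_out="$a_out PERMS:${a_sp:-none}"
  # Without spr=https the token is also accepted over plain HTTP.
  [ "$(sas_param "$1" spr)" = "https" ] || a_out="$a_out HTTP_ALLOWED"
  # Without sip the token works from any client address.
  [ -n "$(sas_param "$1" sip)" ] || a_out="$a_out NO_IP_LIMIT"
  if [ -z "$a_se" ]; then
    a_out="$a_out NO_EXPIRY_IN_TOKEN"
  else
    # A token without st is valid immediately, so measure from now.
    a_from=$(date -u -d "${a_st:-now}" +%s)
    a_to=$(date -u -d "$a_se" +%s)
    a_min=$(( (a_to - a_from) / 60 ))
    [ "$a_min" -le "$2" ] || a_out="$a_out LONG_LIVED:${a_min}m"
  fi
  echo "${a_out:- OK}" | sed 's/^ //'
}

sas_audit "$SAMPLE_WEAK" 60    # token shaped like the one from STEP 2
sas_audit "$SAMPLE_TIGHT" 60   # tighter token
```

The HTTP_ALLOWED and NO_IP_LIMIT findings correspond to the --https-only and --ip options of az storage blob generate-sas, and LONG_LIVED to a shorter --expiry value.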








2 comments:

  1. Hi,

    I found this article so useful for me. Thanks for writing such a useful blog.
