Login/Register
List existing SASTokens on a container using Azure powershell
Asked Answered
Solved powershellazureazure-storageazure-powershellazure-blob-storage
A

4

7

When creating a SASToken via powershell it retunrs the created SAS token url from New-AzureStorageContainerSASToken comdlet.

$Context = New-AzureStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $StorageAccountKey                                                        
$now = Get-Date

$sasUrl = New-AzureStorageContainerSASToken -Name mycontainer -Permission rwdl -StartTime $now.AddHours(-1) -ExpiryTime $now.AddMonths(1) -Context $context -FullUri  
echo $sasUrl

But now in case I lost it, how can I list the exiting SASTokens? You may have few on the same container.

Tried Get-AzureStorageContainer but this information is unavailable.
Played with other Get-AzureStorage* and failed to find it.
Is this operation supported via powershell?

Alurta answered 22/12, 2015 at 8:14 Comment(0)
J
12

It is not possible to get the list of SAS URLs because they are not stored anywhere in Azure Storage.

Jerilynjeritah answered 22/12, 2015 at 11:16 Comment(8)
Meaning, if I lost them, I have to recreate them all?Alurta
That is correct. Please remember that SAS tokens are meant for granting temporary access to your storage.Jerilynjeritah
Can you provide some reference for this behavior in the docs?Alurta
I looked up the documentation but unfortunately I couldn't find it anywhere where it explicitly states that SAS URLs are not stored anywhere. I guess you will just have to take my word for it :). If you're interested, please read the following: azure.microsoft.com/en-us/documentation/articles/…. HTH.Jerilynjeritah
what happens if a token was stolen. now I can't delete it. but someone may use it. so I will have to delete the container.Alurta
Deleting container is an option or you could change the account key. Please read the best practices section in the link I included. It talks about this scenario.Jerilynjeritah
Note that you can always create a SAS token that is based on an access policy. In contrast to the SAS, the access policies are stored on the storage account and can always be modified. E.g. you could delete the access policy. This would make every SAS based on it useless. Advantage is you don't have to touch the account key.Tica
@HaimRaman if the SAS token is stolen you can revoke them all without deleting the container using "Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> See this: learn.microsoft.com/en-us/azure/storage/blobs/… However using an access policy is preferable. as per comment from Manu.Resuscitator
T
4

Probably a bit late.... but on this page: https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1

It says: "The SAS token generated by the storage client library is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side."

HTH! Paul

Timms answered 24/11, 2016 at 11:52 Comment(0)
Q
0

With Powershell perhaps not, but Perhaps possible with the REST API: https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/listaccountsas

For the POST request, some of the request body parameters are REQUIRED to be filled which will need trial and error as you may not remember for what duration the SAS was allowed for. But provided all the values at https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/listaccountsas#request-body are somehow documented , then it should be programmatically possible to get the SAS token itself.

Quickman answered 30/7, 2020 at 5:55 Comment(0)
H
0

I think you don't understand how SAS token works: Generated SAS tokens are not stored anywhere because when you generate a SAS token, no call is made to the Azure Storage server. This is just a local calculation based on the secret key (like an asymetrical encryption with public and private key)

Honorable answered 12/7, 2022 at 9:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.