2
votes

I have a script that is working to obtain a file from a blob based on the storage account name and key (which I realize is not a good solution), into temp storage. I'm trying to move to do the same thing (getting the same file) but using a SAS token instead. Within the storage account there's a container called "automationparams", and then within that container is a file called "nsgscript.ps1".

I generated a SAS token for the container, but couldn't figure out a way to generate a token for the entire storage account; it had to be at the container level or below (individual file).

So the old script (which WORKS) was:

$StorageAccountName = "storagename"
$StorageAccountKey = "abcdefghijkstorageaccountkeyhere"
$ContainerName = "automationparams"
$Blob1Name = "nsgscript.ps1"
$TargetFolderPath = ($env:TEMP)

$context = New-AzureStorageContext `
-StorageAccountName $StorageAccountName `
-StorageAccountKey $StorageAccountKey

$result = Get-AzureStorageBlobContent `
-Blob $Blob1Name `
-Container $ContainerName `
-Context $context `
-Destination $TargetFolderPath

This would download the nsgscript.ps1 in the automationparams container in the storageName storage account.

This is the script I'm trying, which gets the storage context using a SAS token:

$StorageAccountName = "storagename"
$ContainerName = "automationparams"
$Blob1Name = "nsgscript.ps1"
$TargetFolderPath = ($env:TEMP)

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken "https://storagelocation.blob.core.windows.net/automationparams?st=2018-10-25T19%3A57%3A00Z&se=2020-10-26T19%3A57%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=abcdefghijklmnorestofkey"

$result = Get-AzureStorageBlobContent `
-Blob $Blob1Name `
-Container $ContainerName `
-Context $context `
-Destination $TargetFolderPath

When I run that, I get this error message:

Get-AzureStorageBlobContent : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
At line:1 char:11

Any ideas?

2
Might not be your issue, but check to see if you have the latest version of PowerShell; also check the SAS token using Storage Explorer. – Ken W MSFT

2 Answers

0
votes

I can run your scripts on my side properly. You may check the following on your side.

  • Make sure you use a storage account level SAS token. You can find it on your storage account page: click Generate SAS and connection string, then copy the SAS token into your scripts.
  • Update the AzureRM module to the latest version. PowerShell cmdlets work on 5.5.0 and later.
  • Add the -debug parameter to look for some clues from the debug log.

For more reference, you can see this question.

2
votes

I believe the problem is because you're specifying the URL in the SAS token:

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken "https://storagelocation.blob.core.windows.net/automationparams?st=2018-10-25T19%3A57%3A00Z&se=2020-10-26T19%3A57%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=abcdefghijklmnorestofkey"

Try to replace the code above with the following:

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken "st=2018-10-25T19%3A57%3A00Z&se=2020-10-26T19%3A57%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=abcdefghijklmnorestofkey"
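
The checks suggested in the answers above (pass only the query string, confirm the token's scope, permissions and validity window), as an added example that is not part of the original question or answers. `Get-SasTokenInfo` is a hypothetical helper, and the SAS value is constructed from the question's fields with a placeholder signature and a far-future expiry.

```powershell
# Added example. Get-SasTokenInfo is a hypothetical helper; the SAS value below is constructed.
function Get-SasTokenInfo {
    param([Parameter(Mandatory)][string]$Sas)

    # Accept a full SAS URL or a bare token, and keep only the query string.
    $query = if ($Sas -match '^https?://') { ([Uri]$Sas).Query } else { $Sas }
    $query = $query.TrimStart('?')

    # Split into name/value pairs and URL-decode the values for inspection.
    $fields = @{}
    foreach ($pair in ($query -split '&')) {
        $name, $value = $pair -split '=', 2
        $fields[$name] = [Uri]::UnescapeDataString([string]$value)
    }
    if (-not $fields['se'] -or -not $fields['sig']) {
        throw 'Not a SAS token: the se (expiry) or sig (signature) field is missing.'
    }

    $inv    = [Globalization.CultureInfo]::InvariantCulture
    $now    = [DateTimeOffset]::UtcNow
    $expiry = [DateTimeOffset]::Parse($fields['se'], $inv)
    $start  = if ($fields['st']) { [DateTimeOffset]::Parse($fields['st'], $inv) } else { $now }

    [pscustomobject]@{
        Token       = $query                      # value for -SASToken (still URL-encoded)
        Scope       = if ($fields['srt']) { 'account' } else { $fields['sr'] }  # c = container, b = blob
        Permissions = $fields['sp']
        CanRead     = $fields['sp'] -like '*r*'
        ValidNow    = ($now -ge $start) -and ($now -lt $expiry)
        Expires     = $expiry
        Redacted    = $query -replace '(sig=)[^&]+', '${1}<redacted>'  # safe to log
    }
}

# Constructed sample: same shape as the URL in the question, placeholder signature.
$sasUrl = 'https://storagename.blob.core.windows.net/automationparams?st=2018-10-25T19%3A57%3A00Z&se=2099-01-01T00%3A00%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=CONSTRUCTED'
$info = Get-SasTokenInfo -Sas $sasUrl
Write-Host "SAS scope=$($info.Scope) perms=$($info.Permissions) token=$($info.Redacted)"
if (-not ($info.CanRead -and $info.ValidNow)) {
    throw "SAS has no read permission or is outside its validity window (expires $($info.Expires))."
}
# Requires the Azure storage cmdlets used on this page; skipped when they are not installed.
if (Get-Command New-AzureStorageContext -ErrorAction SilentlyContinue) {
    $context = New-AzureStorageContext -StorageAccountName 'storagename' -SASToken $info.Token
}
```

The resulting `$context` can be passed to `Get-AzureStorageBlobContent` exactly as in the question's script. Logging the `Redacted` field instead of the token keeps the signature, which is a bearer credential, out of job output.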