0
votes

I'm generating a SAS token to access the linked templates in my ARM deployment, and I'm passing the SAS token as a parameter override to the az deployment command. It turns out that my template deployment fails with the error "Unable to download deployment content from 'https://myLinkedTemplateURL?SASToken'".

First, I fetch the storageAccountKey stored in a keyvault:

    $storeKey = az keyvault secret show --name "myStorageSecretName" --vault-name "myKeyVaultName" --query value
    $storeKey = $storeKey.Replace('"','')

Then, here are the two ways I'm generating the SAS token:

  1. With the SAS token generated by this method, the deployment succeeds:

    $context = New-AzureStorageContext -StorageAccountName 'myStorageAccountName' -StorageAccountKey $storeKey
    $tokenval = New-AzureStorageContainerSASToken -Container builds -Permission rwdl -Context $context

  2. With the SAS token generated by this method, the deployment fails:

    $tokenval = az storage container generate-sas --account-key $storeKey --account-name "myStorageAccountName" --name "testcontainer" --permissions acdlrw --expiry (Get-Date).AddMinutes(30).ToString("yyyy-MM-dTH:mZ")

Also, I observe that the length of the SASToken generated by the second method is shorter than the first method.

Can someone please help shed some light on what's the difference between the above two methods and why one fails but the other succeeds?

1 Answer

1
votes

    $tokenval = az storage container generate-sas --account-key $storeKey --account-name "myStorageAccountName" --name "testcontainer" --permissions acdlrw --expiry (Get-Date).AddMinutes(30).ToString("yyyy-MM-dTH:mZ")

As mentioned in the comments, the issue actually is with the SAS expiry date. You are getting the local date and formatting it in ISO 8601 format whereas you need to get the date/time value in UTC and format it.

Please try something like:

    $tokenval = az storage container generate-sas --account-key $storeKey --account-name "myStorageAccountName" --name "testcontainer" --permissions acdlrw --expiry (Get-Date).ToUniversalTime().AddMinutes(30).ToString("yyyy-MM-dTH:mZ")

The problem, I believe, is because of how you're defining the permissions (`acdlrw`). According to the [`documentation`][1], the permissions must be specified in a particular order. From this link:

> Permissions can be combined to permit a client to perform multiple operations with the same signature. **When you construct the SAS, you must include permissions in the order that they appear in the table for the resource type**.

Based on this, can you try with the permissions in the following order - `racwdl`?
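
An added example, not code from the question or the answers: a PowerShell check that parses a container SAS token and reports the two problems discussed above, an `se` (expiry) value that is already in the past when read as UTC, and `sp` (permissions) letters that are not in the `racwdl` order. The function name `Test-SasToken` and both sample tokens are constructed for illustration; the `sig` values are placeholders.

```powershell
# Permission order for a container SAS, taken from the answer above.
$CanonicalOrder = 'racwdl'

function Test-SasToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [datetime]$NowUtc = [datetime]::UtcNow
    )
    # Split "se=...&sp=...&sig=..." into a name/value table; a leading '?' is tolerated.
    $fields = @{}
    foreach ($pair in $Token.TrimStart('?').Split('&')) {
        $name, $value = $pair.Split('=', 2)
        $fields[$name] = [uri]::UnescapeDataString([string]$value)
    }
    $problems = @()

    # se = signed expiry. The service reads it as UTC, so compare against UTC "now".
    if (-not $fields.ContainsKey('se')) {
        $problems += 'no se (expiry) field'
    } else {
        $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $expiry = [datetime]::Parse($fields['se'], [cultureinfo]::InvariantCulture, $styles)
        if ($expiry -le $NowUtc) { $problems += "already expired at $($expiry.ToString('u'))" }
    }

    # sp = signed permissions. Every letter must be known and follow the order above.
    if (-not $fields.ContainsKey('sp')) {
        $problems += 'no sp (permissions) field'
    } else {
        $last = -1
        foreach ($ch in $fields['sp'].ToCharArray()) {
            $pos = $CanonicalOrder.IndexOf($ch)
            if ($pos -lt 0) { $problems += "permission '$ch' is not in the order list used here" }
            elseif ($pos -lt $last) { $problems += "permission '$ch' is out of order"; break }
            else { $last = $pos }
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Permissions = $fields['sp']; Problems = $problems }
}

# Constructed samples, checked against a fixed clock of 2030-01-01 00:00 UTC.
$now = [datetime]::new(2030, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
# Expiry built from UTC + 30 minutes, read-only permissions in order.
Test-SasToken -Token 'se=2030-01-01T00%3A30Z&sp=rl&sr=c&sig=PLACEHOLDER' -NowUtc $now
# Expiry built from local time (UTC-5) + 30 minutes but labelled Z, permissions as in the question.
Test-SasToken -Token '?se=2029-12-31T19%3A30Z&sp=acdlrw&sr=c&sig=PLACEHOLDER' -NowUtc $now
```

Running the check on `$tokenval` before passing it to the deployment separates an expiry or permission-order problem from an unrelated download failure. A linked template only has to be read, so a token carrying `r` alone is enough for this use.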