Powershell connect to Azure blob using SAS instead of key

Question

I have a script that is working to obtain a file from a blob based on the storage account name and key (which I realize is not a good solution), into temp storage. I'm trying to move to do the same thing (getting the same file) but using a SAS token instead. Within the storage account there's a container called "automationparams", and then within that container is a file called "nsgscript.ps1".

I generated a SAS token for the container, but couldn't figure out a way to generate a token for the entire storage account; it had to be at the container level of below (individual file).

So the old script (which WORKS) was:

$StorageAccountName = "storagename"
$StorageAccountKey = "abcdefghijkstorageaccountkeyhere"
$ContainerName = "automationparams"
$Blob1Name = "nsgscript.ps1"
$TargetFolderPath = ($env:TEMP)

$context = New-AzureStorageContext `
-StorageAccountName $StorageAccountName `
-StorageAccountKey $StorageAccountKey

$result = Get-AzureStorageBlobContent `
-Blob $Blob1Name `
-Container $ContainerName `
-Context $context `
-Destination $TargetFolderPath

This would download the nsgscript.ps1 in the automationparams container in the storageName storage account.

This is the script i'm trying which gets the storagecontext using a SAS token:

$StorageAccountName = "storagename"
$Blob1Name = "nsgscript.ps1"
$TargetFolderPath = ($env:TEMP)

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken "https://storagelocation.blob.core.windows.net/automationparams?st=2018-10-25T19%3A57%3A00Z&se=2020-10-26T19%3A57%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=abcdefghijklmnorestofkey"

$result = Get-AzureStorageBlobContent `
-Blob $Blob1Name `
-Container $ContainerName `
-Context $context `
-Destination $TargetFolderPath

When I run that, I get this error message: Get-AzureStorageBlobContent : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. At line:1 char:11

Any ideas?

Answer 1

I believe the problem is because you're specifying the URL in SAS Token

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken "https://storagelocation.blob.core.windows.net/automationparams?st=2018-10-25T19%3A57%3A00Z&se=2020-10-26T19%3A57%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=abcdefghijklmnorestofkey"

Try to replace the code above with following:

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken "st=2018-10-25T19%3A57%3A00Z&se=2020-10-26T19%3A57%3A00Z&sp=rl&sv=2018-03-28&sr=c&sig=abcdefghijklmnorestofkey"

Answer 2

I can run your scrips on my side properly. You may check the followings on your side.

• Make sure you use a storage account level SAS token, you can find it from your storage account page, Click the Generate SAS and connection string. Then copy the SAS token in your scripts.
• Update the AzureRM module to the latest version. Powershell cmdlets work on 5.5.0 and later.
• Add the -debug parameter to look for some clues from the debug log.

For more reference, you can see this question.