Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,102 questions
Key Vault Service SAS token, container level, for Data Factory
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 39%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
James Reynolds
1
Reputation point
Hi All,
I'm trying to put together a solution for reading and writing to a container using a service sas token managed by keyvault. I've been through all the setup. There are quite a few web pages about account sas which I can get working, not so many about service sas. When key vault generates the sas token for me, there is always a problem with it.
Has anyone actually got it working please?
So, I've followed the instructions here which already had container level service sas specified
To prove it works, I'm using a managed identity authed web activity in DF to get the sas token value out of key vault, so I can see the generated token. I then attach my url for the storageaccount/container to the token and try to connect using azure storage explorer.
I get Server failed to authenticate the request :-(
I assume this is user error, or there is some quirk or other that I need to do.
Any advice appreciated.
Thanks
Jim
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Saurabh Sharma 23,671 Reputation points Microsoft Employee2020-12-05T00:32:41.17+00:00 @James Reynolds Thanks for using Microsoft Q&A.
I have not tried using web activity to get the SAS token however, I am able to connect to Azure Key Vault using linked services using SAS token. I have setup this Azure Key Vault to access the storage account using SAS tokens by following the steps mentioned in the link using the document -
- Give Key Vault Access to Storage Account
- Give your user principal access to all storage account permissions, on your Key Vault instance
- Create a Key Vault Managed storage account
- Create a Shared Access Signature Token
- Generate SAS Definition
Also, while connecting from ADF Linked Service I am passing the secret name as - <Storage Account Name>-<SAS DefinitionName>.
Please try and let me know if this works for you.
-
James Reynolds 1 Reputation point
2020-12-08T12:35:34.787+00:00 Hi @Saurabh Sharma ,
Thanks for your response, can you confirm for me please, that this is a service sas token and has restricted access to a container only? I do get a token out but it doesn't work, but account sas does work which is my sticking point.
Thanks
Jim -
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2020-12-08T18:05:53.14+00:00 @James Reynolds ok, I have used an account SAS token only. I have to check with the service sas token if that's the issue.
-
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2020-12-09T01:22:32.483+00:00 @James Reynolds I tried with service SAS token and I see issues while testing the connection. I am checking internally if this is supported or if I am doing something wrong. I will get back to you on this issue.
-
James Reynolds 1 Reputation point
2020-12-09T10:11:49.93+00:00 Thanks, this page
https://learn.microsoft.com/en-us/cli/azure/keyvault/storage/sas-definition?view=azure-cli-latest
Search for section "az keyvault storage sas-definition create"The third example is for this exactly, unless I have misinterpreted
Sub-section "Add a sas-definition for a container sas-token"
$sastoken = az storage container generate-sas --account-name storageacct --account-key 00000000 -n container1 --https-only --permissions rw
$url = "https://{storage-account-name}.blob.core.windows.net/{container-name}" # The prefix of your blob url
az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwcontaineraccessWhich leads me to think it is supported. But I don't think this is any different to the other link in the post at the start of the thread. Neither way gives me a working service SAS token.
I appreciate your time looking at this.
Thanks
Jim -
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2020-12-09T12:57:07.253+00:00 @James Reynolds Thanks for sharing it. Yes, I have also used az storage container generate-sas to generate a container SAS token and faced issues like yours. I am checking internally on the same. I will keep you posted with the updates. Thanks.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
HimanshuSinha-msft 19,376 Reputation points Microsoft Employee2020-12-23T19:20:41.467+00:00 Hello @James Reynolds ,
At ths time we are not getting much traction on this issue from the internal team and so I suggest
if you have a support plan you may file a support ticket, else could you please send an email
to AzCommunity@microsoft.com with the below details,
so that we can create a one-time-free support ticket for you to work closely on this matter.
Thread URL:
Subscription ID:
Subject:Attention :Himanshu / Saurabh
Please let me know once you have done the same
Thanks
Himanshu -
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2020-12-29T18:55:51.61+00:00 @James Reynolds Please let me know if you need any help on creating a support ticket ?
Sign in to comment