Set-AzureKeyVaultManagedStorageSasDefinition

Sets a Shared Access Signature (SAS) definition with Key Vault for a given Key Vault managed Azure Storage Account.

Warning

The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.

Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.

Syntax

Set-AzureKeyVaultManagedStorageSasDefinition
   [-VaultName] <String>
   [-AccountName] <String>
   [-Name] <String>
   [-TemplateUri] <String>
   [-SasType] <String>
   [-Disable]
   [-Tag <Hashtable>]
   -ValidityPeriod <TimeSpan>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-AzureKeyVaultManagedStorageSasDefinition
   [-InputObject] <PSKeyVaultManagedStorageAccountIdentityItem>
   [-Name] <String>
   [-TemplateUri] <String>
   [-SasType] <String>
   [-Disable]
   [-Tag <Hashtable>]
   -ValidityPeriod <TimeSpan>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Sets a Shared Access Signature (SAS) definition with a given Key Vault managed Azure Storage Account. This also sets a secret which can be used to get the SAS token per this SAS definition. SAS token is generated using these parameters and the active key of the Key Vault managed Azure Storage Account.

Examples

Example 1 : Set an account-type SAS definition, and obtain a current SAS token based on it

PS C:\> $sa = Get-AzureRmStorageAccount -Name mysa -ResourceGroupName myrg
PS C:\> $kv = Get-AzureRmKeyVault -VaultName mykv
PS C:\> Add-AzureKeyVaultManagedStorageAccount -VaultName $kv.VaultName -AccountName $sa.StorageAccountName -AccountResourceId $sa.Id -ActiveKeyName key1 -RegenerationPeriod 180
PS C:\> $sctx = New-AzureStorageContext -StorageAccountName $sa.StorageAccountName -Protocol Https -StorageAccountKey Key1
PS C:\> $start = [System.DateTime]::Now.AddDays(-1)
PS C:\> $end = [System.DateTime]::Now.AddMonths(1)
PS C:\> $at = New-AzureStorageAccountSasToken -Service blob,file,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -Protocol HttpsOnly -StartTime $start -ExpiryTime $end -Context $sctx
PS C:\> $sas = Set-AzureKeyVaultManagedStorageSasDefinition -AccountName $sa.StorageAccountName -VaultName $kv.VaultName -Name accountsas -TemplateUri $at -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))
PS C:\> Get-AzureKeyVaultSecret -VaultName $kv.VaultName -Name $sas.Sid.Substring($sas.Sid.LastIndexOf('/')+1)

Sets an account SAS definition 'accountsas' on a KeyVault-managed storage account 'mysa' in vault 'mykv'. Specifically, the sequence above performs the following:

  • gets a (pre-existing) storage account
  • gets a (pre-existing) key vault
  • adds a KeyVault-managed storage account to the vault, setting Key1 as the active key, and with a regeneration period of 180 days
  • sets a storage context for the specified storage account, with Key1
  • creates an account SAS token for services Blob, File, Table and Queue, for resource types Service, Container and Object, with all permissions, over https and with the specified start and end dates
  • sets a KeyVault-managed storage SAS definition in the vault, with the template uri as the SAS token created above, of SAS type 'account' and valid for 30 days
  • retrieves the actual access token from the KeyVault secret corresponding to the SAS definition

Parameters

-AccountName

Key Vault managed storage account name. Cmdlet constructs the FQDN of a managed storage account name from vault name, currently selected environment and manged storage account name.

Type:String
Aliases:StorageAccountName
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Disable

Disables the use of sas definition for generation of sas token.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

ManagedStorageAccount object.

Type:PSKeyVaultManagedStorageAccountIdentityItem
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Name

Storage sas definition name. Cmdlet constructs the FQDN of a storage sas definition from vault name, currently selected environment, storage account name and sas definition name.

Type:String
Aliases:SasDefinitionName
Position:2
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SasType

Storage SAS type.

Type:String
Position:4
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Type:Hashtable
Aliases:Tags
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-TemplateUri

Storage SAS definition template uri.

Type:String
Position:3
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ValidityPeriod

Validity period that will get used to set the expiry time of sas token from the time it gets generated

Type:Nullable<T>[TimeSpan]
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-VaultName

Vault name. Cmdlet constructs the FQDN of a vault based on the name and currently selected environment.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSKeyVaultManagedStorageAccountIdentityItem

Parameters: InputObject (ByValue)

Outputs

PSKeyVaultManagedStorageSasDefinition