az keyvault storage sas-definition

Manage storage account SAS definitions.

Commands

az keyvault storage sas-definition create        Creates or updates a new SAS definition for the specified storage account.
az keyvault storage sas-definition delete        Deletes a SAS definition from a specified storage account.
az keyvault storage sas-definition list          List storage SAS definitions for the given storage account.
az keyvault storage sas-definition list-deleted  Lists deleted SAS definitions for the specified vault and storage account.
az keyvault storage sas-definition recover       Recovers the deleted SAS definition.
az keyvault storage sas-definition show          Gets information about a SAS definition for the specified storage account.
az keyvault storage sas-definition show-deleted  Gets the specified deleted SAS definition.
az keyvault storage sas-definition update        Updates the specified attributes associated with the given SAS definition.

az keyvault storage sas-definition create

Creates or updates a new SAS definition for the specified storage account.

az keyvault storage sas-definition create --account-name
--name
--sas-type {account, service}
--template-uri
--validity-period
--vault-name
[--disabled {false, true}]
[--subscription]
[--tags]

Examples

Add a sas-definition for an account sas-token

# bash: capture the raw token; -o tsv drops the JSON quotes around the output.
sastoken=$(az storage account generate-sas --expiry 2020-01-01 --permissions rw \
    --resource-types sco --services bfqt --https-only --account-name storageacct \
    --account-key 00000000 -o tsv)

# Quote the token so the shell does not interpret the '&' separators.
az keyvault storage sas-definition create --vault-name vault --account-name storageacct \
    -n rwallserviceaccess --validity-period P2D --sas-type account --template-uri "$sastoken"

Add a sas-definition for a blob sas-token

# bash: capture the raw token and blob URL; -o tsv drops the JSON quotes.
sastoken=$(az storage blob generate-sas --account-name storageacct --account-key 00000000 \
    -c container1 -n blob1 --https-only --permissions rw -o tsv)
url=$(az storage blob url --account-name storageacct -c container1 -n blob1 -o tsv)

# A service template is the full endpoint URL followed by "?" and the token.
az keyvault storage sas-definition create --vault-name vault --account-name storageacct \
    -n rwblobaccess --validity-period P2D --sas-type service --template-uri "$url?$sastoken"

Required Parameters

--account-name

Name to identify the storage account in the vault.

--name -n

Name to identify the SAS definition in the vault.

--sas-type

The type of SAS token the SAS definition will create.

accepted values: account, service

--template-uri

The SAS definition token template signed with the key 00000000. For an account token this is only the SAS token itself; for service tokens, it is the full service endpoint URL along with the SAS token. Tokens created according to the SAS definition will have the same properties as the template.

--validity-period

The validity period of SAS tokens created according to the SAS definition in ISO-8601, such as "PT12H" for 12 hour tokens.

--vault-name

Name of the key vault.

Optional Parameters

--disabled

Add the storage account in a disabled state.

accepted values: false, true

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.
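
Because tokens issued from a SAS definition inherit the template's properties, the template and --validity-period are worth checking before create is run. The shell functions below are an added example, not part of the Azure CLI or its documentation; the function names, finding labels and the 48-hour ceiling are assumptions, and the sample templates are constructed.

```shell
#!/bin/sh
# Added example: lint a SAS template before registering it as a SAS definition.
# MAX_HOURS, the function names and the finding names are assumptions.
MAX_HOURS=48   # assumed policy ceiling for --validity-period

# Print the value of query parameter $2 in template $1 (empty if absent).
sas_param() {
    printf '%s\n' "${1#*[?]}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ISO-8601 duration to hours. Only PnD, PTnH and PnDTnH are handled.
period_hours() {
    printf '%s\n' "$1" | grep -Eq '^P([0-9]+D)?(T[0-9]+H)?$' || return 1
    d=$(printf '%s\n' "$1" | sed -n 's/^P\([0-9][0-9]*\)D.*/\1/p')
    h=$(printf '%s\n' "$1" | sed -n 's/.*T\([0-9][0-9]*\)H$/\1/p')
    [ -n "$d$h" ] || return 1
    echo $(( ${d:-0} * 24 + ${h:-0} ))
}

# check_sas_template SAS_TYPE TEMPLATE VALIDITY_PERIOD ALLOWED_PERMS
# Prints "ok" or a space-separated list of findings.
check_sas_template() {
    kind=$1 tpl=$2 period=$3 allowed=$4 out=""
    # account: bare token only; service: endpoint URL plus "?token".
    case "$kind:$tpl" in
        account:*[?]*|account:http*) out="$out shape-mismatch" ;;
        account:*|service:https://*[?]*) ;;
        *) out="$out shape-mismatch" ;;
    esac
    # Issued tokens inherit the template, so spr and sp matter here.
    [ "$(sas_param "$tpl" spr)" = https ] || out="$out no-https-only"
    extra=$(sas_param "$tpl" sp | tr -d "$allowed")
    [ -z "$extra" ] || out="$out extra-perms:$extra"
    if hours=$(period_hours "$period"); then
        [ "$hours" -le "$MAX_HOURS" ] || out="$out period-too-long"
    else
        out="$out period-unsupported"
    fi
    out=${out# }
    printf '%s\n' "${out:-ok}"
}

# Constructed samples (placeholder signatures, not real tokens).
ACCOUNT_TPL='sv=2019-02-02&ss=bfqt&srt=sco&sp=rwdl&se=2020-01-01&spr=https&sig=PLACEHOLDER'
SERVICE_TPL='https://storageacct.blob.core.windows.net/container1/blob1?sv=2019-02-02&sr=b&sp=rw&se=2020-01-01&sig=PLACEHOLDER'

check_sas_template account "$ACCOUNT_TPL" P2D rw
check_sas_template service "$SERVICE_TPL" P7D rw
```

The first call reports the delete and list permissions that exceed the allowed set; the second reports a template generated without --https-only and a validity period above the assumed ceiling.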

az keyvault storage sas-definition delete

Deletes a SAS definition from a specified storage account.

az keyvault storage sas-definition delete [--account-name]
[--id]
[--name]
[--subscription]
[--vault-name]

Optional Parameters

--account-name

Name to identify the storage account in the vault. Required if --id is not specified.

--id

Id of the SAS definition. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the SAS definition in the vault. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage sas-definition list

List storage SAS definitions for the given storage account.

az keyvault storage sas-definition list --account-name
--vault-name
[--maxresults]
[--subscription]

Required Parameters

--account-name

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault storage sas-definition list-deleted

Lists deleted SAS definitions for the specified vault and storage account.

az keyvault storage sas-definition list-deleted --account-name
--vault-name
[--maxresults]
[--subscription]

Required Parameters

--account-name

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault storage sas-definition recover

Recovers the deleted SAS definition.

az keyvault storage sas-definition recover --account-name
--name
--vault-name
[--subscription]

Required Parameters

--account-name

Name to identify the storage account in the vault.

--name -n

Name to identify the SAS definition in the vault.

--vault-name

Name of the key vault.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault storage sas-definition show

Gets information about a SAS definition for the specified storage account.

az keyvault storage sas-definition show [--account-name]
[--id]
[--name]
[--subscription]
[--vault-name]

Optional Parameters

--account-name

Name to identify the storage account in the vault. Required if --id is not specified.

--id

Id of the SAS definition. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the SAS definition in the vault. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage sas-definition show-deleted

Gets the specified deleted SAS definition.

az keyvault storage sas-definition show-deleted --account-name
--name
--vault-name
[--subscription]

Required Parameters

--account-name

Name to identify the storage account in the vault.

--name -n

Name to identify the SAS definition in the vault.

--vault-name

Name of the key vault.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault storage sas-definition update

Updates the specified attributes associated with the given SAS definition.

az keyvault storage sas-definition update [--account-name]
[--disabled {false, true}]
[--id]
[--name]
[--sas-type {account, service}]
[--subscription]
[--tags]
[--template-uri]
[--validity-period]
[--vault-name]

Optional Parameters

--account-name

Name to identify the storage account in the vault. Required if --id is not specified.

--disabled

Add the storage account in a disabled state.

accepted values: false, true

--id

Id of the SAS definition. If specified all other 'Id' arguments should be omitted.

--name -n

Name to identify the SAS definition in the vault. Required if --id is not specified.

--sas-type

The type of SAS token the SAS definition will create.

accepted values: account, service

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

--template-uri

The SAS definition token template signed with the key 00000000. For an account token this is only the SAS token itself; for service tokens, it is the full service endpoint URL along with the SAS token. Tokens created according to the SAS definition will have the same properties as the template.

--validity-period

The validity period of SAS tokens created according to the SAS definition in ISO-8601, such as "PT12H" for 12 hour tokens.

--vault-name

Name of the key vault. Required if --id is not specified.