7

When creating a SAS token via PowerShell, it returns the created SAS token URL from the New-AzureStorageContainerSASToken cmdlet.

    # Build a storage context from the account name and key
    $Context = New-AzureStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $StorageAccountKey
    $now = Get-Date

    # Create a container SAS (rwdl) valid from one hour ago until one month from now
    $sasUrl = New-AzureStorageContainerSASToken -Name mycontainer -Permission rwdl -StartTime $now.AddHours(-1) -ExpiryTime $now.AddMonths(1) -Context $context -FullUri
    echo $sasUrl

But now, in case I lose it, how can I list the existing SAS tokens? You may have a few on the same container.

Tried Get-AzureStorageContainer but this information is unavailable.
Played with other Get-AzureStorage* and failed to find it.
Is this operation supported via PowerShell?

Haim Raman

4 Answers

9

It is not possible to get the list of SAS URLs because they are not stored anywhere in Azure Storage.

Gaurav Mantri
  • 1
    Meaning, if I lost them, I have to recreate them all? – Haim Raman Dec 22 '15 at 11:26
  • 2
    That is correct. Please remember that SAS tokens are meant for granting temporary access to your storage. – Gaurav Mantri Dec 22 '15 at 11:28
  • Can you provide some reference for this behavior in the docs? – Haim Raman Dec 22 '15 at 11:43
  • I looked up the documentation but unfortunately I couldn't find it anywhere where it explicitly states that SAS URLs are not stored anywhere. I guess you will just have to take my word for it :). If you're interested, please read the following: https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/. HTH. – Gaurav Mantri Dec 22 '15 at 12:05
  • What happens if a token was stolen? Now I can't delete it, but someone may use it, so I will have to delete the container. – Haim Raman Dec 22 '15 at 20:22
  • Deleting the container is an option, or you could change the account key. Please read the best practices section in the link I included. It talks about this scenario. – Gaurav Mantri Dec 23 '15 at 04:54
  • 3
    Note that you can always create a SAS token that is based on an access policy. In contrast to the SAS, the access policies are stored on the storage account and can always be modified. E.g. you could delete the access policy. This would make every SAS based on it useless. The advantage is you don't have to touch the account key. – Manu Meyer Dec 11 '19 at 10:17
  • @HaimRaman if the SAS token is stolen, you can revoke them all without deleting the container using "Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName -StorageAccountName". See this: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell#revoke-a-user-delegation-sas However, using an access policy is preferable, as per the comment from Manu. – Stu Mar 08 '21 at 01:42
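
The stored-access-policy approach described in the comments above, written out as an added example (not code from any poster on this page). It assumes the same legacy Azure.Storage cmdlet family as the question and that `$StorageAccount` and `$StorageAccountKey` are already set; the policy name `partner-rw` is a made-up placeholder.

```powershell
# Added example. 'mycontainer' is the container from the question;
# 'partner-rw' is a hypothetical policy name chosen for illustration.
# In the Az module the same cmdlets use the noun prefix AzStorage instead of AzureStorage.
$ctx        = New-AzureStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $StorageAccountKey
$container  = 'mycontainer'
$policyName = 'partner-rw'
$now        = Get-Date

# 1. Store the permissions and validity window on the container as a named policy.
#    Unlike an ad hoc SAS, this object lives server-side in the container's ACL.
New-AzureStorageContainerStoredAccessPolicy -Container $container -Policy $policyName `
    -Permission rwdl -StartTime $now.AddHours(-1) -ExpiryTime $now.AddMonths(1) -Context $ctx

# 2. Issue a SAS that only references the policy. Permissions and expiry are NOT
#    passed here; the resulting URL carries si=partner-rw instead.
$sasUrl = New-AzureStorageContainerSASToken -Name $container -Policy $policyName -Context $ctx -FullUri
echo $sasUrl

# 3. Issued tokens still cannot be enumerated, but the policies they depend on can.
Get-AzureStorageContainerStoredAccessPolicy -Container $container -Context $ctx

# 4. Revocation: removing the policy invalidates every SAS issued against it,
#    without rotating the account key or deleting the container.
Remove-AzureStorageContainerStoredAccessPolicy -Container $container -Policy $policyName -Context $ctx
```

A container holds at most five stored access policies, so policies are best scoped per consumer or per purpose rather than per token. A SAS created with explicit `-Permission`/`-ExpiryTime` and no `-Policy`, as in the question, is unaffected by step 4.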
4

Probably a bit late.... but on this page: https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1

It says: "The SAS token generated by the storage client library is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side."

HTH! Paul

Paul Maher
0

With PowerShell perhaps not, but perhaps possible with the REST API: https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/listaccountsas

For the POST request, some of the request body parameters are REQUIRED to be filled, which will need trial and error as you may not remember for what duration the SAS was allowed. But provided all the values at https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/listaccountsas#request-body are somehow documented, then it should be programmatically possible to get the SAS token itself.

Pranesh
0

I think you don't understand how SAS tokens work: generated SAS tokens are not stored anywhere because when you generate a SAS token, no call is made to the Azure Storage server. This is just a local calculation based on the secret key (like an asymmetrical encryption with public and private key).

Matthieu Charbonnier