
I have the script to list the container files using the SAS token, but in our organization, they have stored this SAS token in the Azure vault and shared the read access with us. We are not able to view the SAS token from the vault; instead, we can use the vault secret name.

Please help to list the container files using Azure vault Secrets.

```powershell
$ContainerSAS = "sas*******"
$StorageAccountName = "trialstorageaccount3"
$ContainerName = "trialcontainer1"
$Blob1Name = "AdventureWorksLT2019.bak"
$TargetFolderPath = "D:\Anand\Downloads\HTC\DATA\AzureBlob\"

$context = New-AzureStorageContext -StorageAccountName $StorageAccountName -SASToken $ContainerSAS

$blobs = Get-AzureStorageBlob -Container $ContainerName -Context $context

foreach($blob in $blobs) {
    Write-Host $blob.Name
    # New-Item -ItemType Directory -Force -Path $destination_path
    # Get-AzureStorageBlobContent -Container $ContainerName -Blob $blob.Name -Destination $TargetFolderPath -Context $context
}
```
VenkateshDodda
Anand

2 Answers


You can use Get-AzKeyVaultSecret to get the access token from the Key Vault secret with the respective SAS definition.

To retrieve the specific SAS definition, you have to use the PowerShell command below:

```powershell
# Take a substring of vault secret from the secret identifier
# https://<keyvaultName>.vault.azure.net/secrets/<vault name>/<vault secret>

# Placeholders are quoted so the commands parse; replace them with your own values.
$sas = Set-AzKeyVaultManagedStorageSasDefinition -AccountName '<StorageAccount Name>' -VaultName '<vault Name>' -Name accountsas -TemplateUri '<Template Uri>' -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))

# The secret name is the last path segment of the SAS definition's secret identifier.
Get-AzKeyVaultSecret -VaultName '<Keyvault Name>' -Name $sas.Sid.Substring($sas.Sid.LastIndexOf('/')+1)
```

After retrieving the SAS definition, try to list the container files.

Refer here for more information.

Delliganesh Sevanesan
  • Thanks for the response, where can I get the Template URL? – Anand Jun 28 '22 at 14:55
  • You can use **New-AzStorageAccountSasToken** to get the Template URI. Refer [here](https://github.com/Azure/azure-powershell/blob/main/src/KeyVault/KeyVault/help/Set-AzKeyVaultManagedStorageSasDefinition.md#example-1-set-an-account-type-sas-definition-and-obtain-a-current-sas-token-based-on-it) – Delliganesh Sevanesan Jun 28 '22 at 16:12

You can use the PowerShell script below to list the blobs inside the container. In the script below, the storage context is created using the secret value that is stored in the Key Vault.

```powershell
$ContainerName = "<containerName>"
$StorageAccountName = "<storageAccountName>"
$secretName = "<KeyVaultSecretName>"
$KeyvaultName = "<KeyVaultName>"

# Pull the secret value from Key Vault and store it in $secret as plain text
$secret = Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name $secretName -AsPlainText

# Build the storage context from the SAS token held in the secret
$context = New-AzStorageContext -StorageAccountName $StorageAccountName -SasToken $secret

# List the blobs in the container
Get-AzStorageBlob -Container $ContainerName -Context $context | Select-Object -Property Name,ContentType
```

I have tested the above PowerShell script and it is working from our end. I would suggest you check the same from your end as well.

VenkateshDodda
  • Thanks for the response, I'm getting the below error while trying to execute the scripts. Get-AzKeyVaultSecret : The term 'Get-AzKeyVaultSecret' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. – Anand Jun 28 '22 at 14:50
  • The `Get-AzKeyVaultSecret` cmdlet is part of the `Az.KeyVault` module. Can you check whether you have installed the Az.KeyVault module locally or not? If you have installed the Az.KeyVault module locally, try importing the module using the cmdlet `import-module az.keyvault -force` before running the script – VenkateshDodda Jun 28 '22 at 15:05
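
An added example, not part of either answer or of the Az project's own code: it combines the module check from the comment above with the Key Vault lookup, keeps the SAS token out of console output, and checks the token's expiry (`se`) and list permission (`sp`) before using it. It assumes you have already run `Connect-AzAccount`, that the secret value holds only the SAS token, and the placeholder names and the helper `Test-SasToken` are hypothetical.

```powershell
# Added example. Placeholder names below are assumptions, not values from the thread.
$KeyVaultName       = '<KeyVaultName>'
$SecretName         = '<KeyVaultSecretName>'
$StorageAccountName = '<storageAccountName>'
$ContainerName      = '<containerName>'

# Fail early with a clear message if the Az modules are not installed.
foreach ($module in 'Az.KeyVault', 'Az.Storage') {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        throw "Module $module is not installed. Run: Install-Module $module -Scope CurrentUser"
    }
    Import-Module $module
}

function Test-SasToken {
    # Hypothetical helper: parses the SAS query string without ever printing the signature (sig).
    param([Parameter(Mandatory)][string]$SasToken)
    $fields = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $name, $value = $pair -split '=', 2
        $fields[$name] = [uri]::UnescapeDataString([string]$value)
    }
    # A SAS bound to a stored access policy (si) may keep expiry and permissions in the policy.
    if ($fields.ContainsKey('si') -and -not $fields.ContainsKey('se')) {
        return [pscustomobject]@{ Expired = $null; CanList = $null }
    }
    if (-not $fields.ContainsKey('se')) { throw 'SAS token has no expiry (se) field.' }
    $utc    = [System.Globalization.DateTimeStyles]::AssumeUniversal
    $expiry = [datetimeoffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture, $utc)
    [pscustomobject]@{
        Expired = $expiry -lt [datetimeoffset]::UtcNow
        CanList = ([string]$fields['sp']).Contains('l')
    }
}

$secret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName
if (-not $secret) { throw "Secret '$SecretName' not found or not readable in $KeyVaultName." }
# SecretValue is a SecureString; convert it in memory only (works on PowerShell 5.1 and 7).
$sas = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password

$check = Test-SasToken -SasToken $sas
if ($check.Expired)            { throw 'The SAS token stored in Key Vault has expired.' }
if ($check.CanList -eq $false) { throw 'The SAS token does not grant list (l) permission.' }

$context = New-AzStorageContext -StorageAccountName $StorageAccountName -SasToken $sas
Get-AzStorageBlob -Container $ContainerName -Context $context |
    Select-Object -Property Name, ContentType, Length, LastModified
Remove-Variable sas
```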