User delegated SAS token generated by PowerShell command and Azure Portal differs from SAS token created by Azure CLI

Chetan Prakash Saraswat 26 Reputation points
2020-09-14T05:13:52.343+00:00

A user delegated (AD) SAS token created for a storage account by the Azure portal or PowerShell is different from a SAS token created by the Azure CLI.

Example:
Azure CLI:
az storage container generate-sas \
    --account-name \
    --name \
    --permissions acdlrw \
    --expiry \
    --auth-mode login \
    --as-user

token generated:
se=2019-07-27&sp=r&sv=2018-11-09&sr=c&skoid=&sktid=&skt=2019-07-26T18%3A01%3A22Z&ske=2019-07-27T00%3A00%3A00Z&sks=b&skv=2018-11-09&sig=

Azure portal /Powershell

New-AzStorageContainerSASToken -Context $ctx -Name <container> `
    -Permission racwdl `
    -ExpiryTime

token generated:
?sv=2018-11-09&sr=c&sig=&skoid=&sktid=&skt=2019-08-05T22%3A24%3A36Z&ske=2019-08-07T07%3A00%3A00Z&sks=b&skv=2018-11-09&se=2019-08-07T07%3A00%3A00Z&sp=rwdl

This creates an issue when using the azcopy utility to copy from a blob storage account, as shown in the snapshot below.

24421-azcopy.jpg


Accepted answer
  1. deherman-MSFT 37,411 Reputation points Microsoft Employee
    2020-09-22T18:32:33.217+00:00

    @Chetan Prakash Saraswat
    The token that you say is working is an account SAS, with many more permissions, assuming this was created via the portal. Are you generating the token with az storage blob generate-sas or with az storage container generate-sas?

    I believe the account SAS works because you have permissions for the whole account. If the name of your container is container then you should include a "/" after it in your URL. See AzCopy documentation for more info.

    azcopy copy 'https://account.blob.core.windows.net/container/?se=2020-09-30&sp=rl&sv=2018-11-09&sr=c&sig=HToMO9kpJ8odcCtIU4JGflCcmUJPiThcM0KMrpjed0A%3D' --recursive 'local directory' --include-after '2020-05-30T00:00:00Z'  
    
    1 person found this answer helpful.
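As an added example (not code from this thread, nor from Azure's own tooling), the following Python snippet parses the kinds of token quoted above, tells an account SAS (ss/srt fields) apart from a user delegation SAS (skoid/sktid key fields), reports the list permission a recursive azcopy download would still lack, and builds the container URL with the trailing slash the accepted answer calls for. The embedded tokens are constructed, with placeholder identifiers and signatures.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample tokens modelled on the ones quoted in this thread; the
# identifiers and signatures are placeholders, not real secrets.
USER_DELEGATION_SAS = (
    "se=2019-07-27&sp=r&sv=2018-11-09&sr=c&skoid=PLACEHOLDER-OID&sktid=PLACEHOLDER-TID"
    "&skt=2019-07-26T18%3A01%3A22Z&ske=2019-07-27T00%3A00%3A00Z&sks=b&skv=2018-11-09"
    "&sig=PLACEHOLDER%3D"
)
ACCOUNT_SAS = (
    "?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-09-22T14:12:47Z"
    "&st=2020-09-22T06:12:47Z&spr=https&sig=PLACEHOLDER%3D"
)


def parse_sas(token):
    """Split a SAS query string (leading '?' optional) into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def sas_kind(fields):
    """Account SAS carries ss/srt; a user delegation SAS carries the skoid/sktid key fields."""
    if "ss" in fields and "srt" in fields:
        return "account"
    return "user-delegation" if "skoid" in fields else "service"


def utc_stamp(stamp):
    """Parse both 'YYYY-MM-DD' and full ISO-8601 'Z' timestamps as aware UTC datetimes."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(token, needed="rl", now=None):
    """Report what a token grants and which of the needed permissions (default: read+list
    for a recursive azcopy download) it is still missing."""
    fields = parse_sas(token)
    now = now or datetime.now(timezone.utc)
    granted = fields.get("sp", "")
    return {
        "kind": sas_kind(fields),
        "scope": fields.get("srt") or fields.get("sr"),  # srt=sco (account) or sr=c (container)
        "permissions": granted,
        "missing": [p for p in needed if p not in granted],
        "expired": utc_stamp(fields["se"]) <= now,
    }


def azcopy_source_url(account, container, token):
    """Container URL with the trailing '/' after the container name, plus the SAS query."""
    return f"https://{account}.blob.core.windows.net/{container}/?{token.lstrip('?')}"
```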

2 additional answers

  1. deherman-MSFT 37,411 Reputation points Microsoft Employee
    2020-09-14T19:18:18.513+00:00

    @Chetan Prakash Saraswat
    There is no difference between the two besides the order of parameters. Also the output of the PowerShell includes "?" before the SAS token, but you should be adding this on both. Are you seeing some other difference between the tokens that are generated?

    Looking at your output here it appears you are missing list permission for the container. In this case you should have "sp=rl". Please see Permissions for a container for more details.

    Hope this helps. If you have further questions or issues please let us know.

    ---------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Chetan Prakash Saraswat 26 Reputation points
    2020-09-22T06:43:39.513+00:00

    @deherman-MSFT Apologies for responding late. I didn't receive a notification initially when the answer was provided.
    My issue is using the generated SAS tokens with the azcopy executable. With the SAS token generated by PowerShell or the portal, azcopy runs perfectly, using the token below.

    ex: ?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-09-22T14:12:47Z&st=2020-09-22T06:12:47Z&spr=https&sig=%2BFZfSSw4asfgrrgrgrgrwewewKTbc52eNxPxdbS5b2c%3%asdsaasas

    If I use azcopy with the SAS token generated by az storage blob generate-sas, it is not working properly.

    azcopy copy 'https://account.blob.core.windows.net/container?se=2020-09-30&sp=rl&sv=2018-11-09&sr=c&sig=HToMO9kpJ8odcCtIU4JGflCcmUJPiThcM0KMrpjed0A%3D' --recursive 'local directory' --include-after '2020-05-30T00:00:00Z'

    Results in same error as above.

    That being asked, do I have to use a blob directory after the container name to make azcopy run via the flat namespace of my storage account?

