
Generating a SAS token from Azure and generating a token using AZ cli

MrFlinstone 651 Reputation points
Feb 5, 2023, 11:08 PM

I am finding that when a SAS token is generated from the Azure portal, it doesn't work; however, when running the command below using the az CLI, it works.

az storage account generate-sas



I would like to understand what the difference is and why a SAS token generated from the portal with all the options ticked doesn't work.

Azure Storage Accounts

1 answer

  1. Sumarigo-MSFT 47,501 Reputation points Microsoft Employee
    Feb 6, 2023, 11:28 AM

    @MrFlinstone Welcome to Microsoft Q&A Forum. Thank you for posting your query!
    Did you get any error message when using the portal-generated SAS token? If so, can you please share a screenshot?
    The SAS token might not currently be valid. The SAS token might be expired or the storage account keys might have changed since the SAS token was created. Verify that the SAS token is valid by attempting to use the SAS token to authenticate for access to the storage account container.

    • The SAS token might not have sufficient Allowed Resource Types. Verify that the SAS token has been given permissions to Service, Container, and Object under Allowed Resource Types (srt=sco in the SAS token).
    • The SAS token might not have sufficient permissions. For export pipelines, the required SAS token permissions are Read, Write, List, and Add. For import pipelines, the required SAS token permissions are Read, Delete, and List. (The Delete permission is required only if the import pipeline has the DeleteSourceBlobOnSuccess option enabled.)
    • The SAS token might not be configured to work with HTTPS only. Verify that the SAS token is configured to work with HTTPS only (spr=https in the SAS token).

    It is recommended to check these possible reasons and verify that the SAS token is valid and has the necessary permissions and configurations to work properly. Additionally, I would recommend using Azure Storage Explorer for SAS token generation.

    When generating the SAS in the CLI, you provided all the required parameters by default, and only then did it provide the SAS. But in the portal we have different options to generate the SAS token.

    az storage account generate-sas --expiry
                                    --permissions
                                    --resource-types
                                    --services
                                    [--account-key]
                                    [--account-name]
                                    [--blob-endpoint]
                                    [--connection-string]
                                    [--encryption-scope]
                                    [--https-only]
                                    [--ids]
                                    [--ip]
                                    [--start]
                                    [--subscription]
    
    

    In this article, you'll learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.


    Please let us know if you have any further queries. I would like to work more closely on this issue.


    Please do not forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.

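The checks listed in the answer above (expiry, `srt=sco`, required permissions, `spr=https`) can be run directly against a token's query string. This is an added example, not part of the original thread or of Microsoft's tooling; the function names, sample tokens and placeholder signature are constructed, and `se`, `st`, `sp` and `sig` are the standard account SAS fields alongside the `srt` and `spr` fields the answer cites.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample tokens; the signature is a placeholder, not a real one.
GOOD_SAS = ("?sv=2021-06-08&ss=b&srt=sco&sp=rwla&st=2023-02-01T00:00:00Z"
            "&se=2023-03-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
BAD_SAS = ("sv=2021-06-08&ss=b&srt=o&sp=rl&se=2023-02-05T00%3A00%3A00Z"
           "&spr=https,http&sig=PLACEHOLDER")
NOW = datetime(2023, 2, 6, tzinfo=timezone.utc)  # fixed clock for the demo

def parse_time(value):
    """Parse the UTC timestamp forms used by the st/se fields."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def check_account_sas(token, required_perms, now=None):
    """Return a list of problems found in an account SAS query string."""
    now = now or datetime.now(timezone.utc)
    # parse_qs URL-decodes values, so %3A in timestamps becomes ':'
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []
    if "se" not in fields:
        problems.append("missing expiry (se)")
    elif parse_time(fields["se"]) <= now:
        problems.append("token expired (se)")
    if "st" in fields and parse_time(fields["st"]) > now:
        problems.append("token not yet valid (st)")
    missing_srt = set("sco") - set(fields.get("srt", ""))
    if missing_srt:
        problems.append("srt lacks: " + "".join(sorted(missing_srt)))
    missing_sp = set(required_perms) - set(fields.get("sp", ""))
    if missing_sp:
        problems.append("sp lacks: " + "".join(sorted(missing_sp)))
    if fields.get("spr") != "https":  # absent or "https,http" allows plain HTTP
        problems.append("spr is not https-only")
    if "sig" not in fields:
        problems.append("missing signature (sig)")
    return problems

if __name__ == "__main__":
    for name, tok in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(name, check_account_sas(tok, "rwla", NOW) or "no problems found")
```

A token that passes these checks can still be rejected if the account key it was signed with has since changed, which the answer also lists as a cause; that cannot be verified without the key.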
