Thanks for the information, but I'm still not solve my problem.
Probably it's something simple!!
Below the steps that I did, till I failed.
1. Keyvault and storage account should be created
2. Give Key Vault access to your storage account
az role assignment create --role "Storage Account Key Operator Service Role" --assignee 'https://vault.azure.net' --scope "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"
via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#give-key-vault-access-to-your-storage-account
3. Give your user account permission to managed storage accounts
az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --storage-permissions get list delete set update regeneratekey getsas listsas deletesas setsas recover backup restore purge
via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#give-your-user-account-permission-to-managed-storage-accounts
4. Create a Key Vault Managed storage account
az keyvault storage add --vault-name <YourKeyVaultName> -n <YourStorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"
via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#create-a-key-vault-managed-storage-account
Instead of 90 days I did it for 1 day.
5. Add a sas-definition for a container sas-token
$sastoken = az storage container generate-sas --account-name storageacct --account-key 00000000 -n container1 --https-only --permissions rw
$url = "https://{storage-account-name}.blob.core.windows.net/{container-name}" # The prefix of your blob url
az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwcontaineraccess --validity-period P2D --sas-type service --template-uri $url?$sastoken
via this url: https://learn.microsoft.com/en-us/cli/azure/keyvault/storage/sas-definition?view=azure-cli-latest#az_keyvault_storage_sas_definition_create-examples
I change the account-key to the current value of key1 from the storage account, I guess this is correct!?
6. Verify the shared access signature definition
az keyvault secret list --vault-name <YourKeyVaultName>
via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#verify-the-shared-access-signature-definition
Here it failed. I always get back an empty array from secret list command. Secret show command also return nothing.
What do I wrong?