Generating SAS tokens for files inside my blob storage containers via key vault

Jean-Pierre Broeders 1 Reputation point
2020-10-29T13:56:08.48+00:00

Hi,

I have a Microservice which is the owner of a specific blob storage.
Because I don't want to store any storage keys in configuration files of the microservice, I would like to use Key Vault to generate SAS Tokens for me.
Key Vault then will re-generate my rotation keys automatically.

Now I would like to know if it's possible to let Key Vault generate a SAS token for a specific file in my blob storage?
I don't want a SAS token for a whole container, just one file.

Thanks!

Greets
JP

[UPDATE]
Currently almost everything works fine. Our Key Vault is the "owner" of the blob storage and is able to give back a SAS token to our microservice. The microservice is able to upload new documents to the blob storage.
What currently is not working is downloading the documents. Our microservice needs to return some URLs (including SAS tokens, unique per file), so that our users can download the files which are in our blobs. The SAS tokens should be generated with only read permission and should be valid for only 1 specific blob.

When we try to generate a SAS token for a specific file via the BlobSasBuilder and our existing BlobClient created via Key Vault's SAS token, we are getting errors that the storage shared key credential is null. The shared key credential is required to generate a SAS token for a specific blob.

How can we get a SAS token for a specific blob in our case? And how should we create the shared key credential, because we need it!?


2 answers

  1. deherman-MSFT 33,701 Reputation points Microsoft Employee
    2020-10-29T18:57:53.55+00:00

    @Jean-Pierre Broeders

    Yes, you can use Key Vault to generate shared access signature tokens. The example given here uses an account SAS. However, you will want to create a service SAS. The second example on this page shows you how to create a sas-definition for a blob sas-token.

    Please give this a try and let us know if you have any issues.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Jean-Pierre Broeders 1 Reputation point
    2020-11-04T12:32:56.86+00:00

    Thanks for the information, but I still haven't solved my problem.
    Probably it's something simple!!

    Below are the steps that I did, until it failed.

    1. Keyvault and storage account should be created

    2. Give Key Vault access to your storage account

       az role assignment create --role "Storage Account Key Operator Service Role" --assignee 'https://vault.azure.net' --scope "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"  
    

    via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#give-key-vault-access-to-your-storage-account

    3. Give your user account permission to managed storage accounts

       az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --storage-permissions get list delete set update regeneratekey getsas listsas deletesas setsas recover backup restore purge  
    

    via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#give-your-user-account-permission-to-managed-storage-accounts

    4. Create a Key Vault Managed storage account

       az keyvault storage add --vault-name <YourKeyVaultName> -n <YourStorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"  
    

    via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#create-a-key-vault-managed-storage-account

    Instead of 90 days I did it for 1 day.

    5. Add a sas-definition for a container sas-token

       $sastoken = az storage container generate-sas --account-name storageacct --account-key 00000000 -n container1 --https-only --permissions rw -o tsv  # -o tsv: the bare token, without the JSON quotes az prints by default
       $url = "https://{storage-account-name}.blob.core.windows.net/{container-name}"  # The prefix of your blob url
       az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwcontaineraccess --validity-period P2D --sas-type service --template-uri "${url}?${sastoken}"  # braces and quotes: in PowerShell, $url? would otherwise be read as a variable name
    

    via this url: https://learn.microsoft.com/en-us/cli/azure/keyvault/storage/sas-definition?view=azure-cli-latest#az_keyvault_storage_sas_definition_create-examples

    I changed the account-key to the current value of key1 from the storage account; I guess this is correct!?

    6. Verify the shared access signature definition

       az keyvault secret list --vault-name <YourKeyVaultName>  
    

    via this url: https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#verify-the-shared-access-signature-definition

    Here it failed. I always get back an empty array from the secret list command. The secret show command also returns nothing.

    What am I doing wrong?
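An added example, not from the original thread, that carries step 5 through for the asker's actual requirement: a read-only SAS definition scoped to one blob, with a guard against the two ways the template silently goes wrong (a token still wrapped in the JSON quotes `az` prints without `-o tsv`, and permissions wider than read). Vault, account, container and blob names, the PT1H validity and the ACCOUNT_KEY variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a read-only, one-hour SAS definition
# scoped to a single blob and signed by Key Vault, so the app never holds a storage key.
# Vault/account/container/blob names and ACCOUNT_KEY are placeholders.
set -eu

# Build the template URI for ONE blob. Fails on a SAS string that still carries
# the JSON quotes `az ... generate-sas` emits without `-o tsv`, and on any
# permission set other than read (sp=r).
blob_template_uri() {
  local account="$1" container="$2" blob="$3" sas="$4" perms
  case "$sas" in
    *'"'*) echo "SAS string contains quotes; generate it with -o tsv" >&2; return 1 ;;
  esac
  perms=$(printf '%s' "$sas" | tr '&' '\n' | sed -n 's/^sp=//p')
  [ "$perms" = "r" ] || { echo "expected sp=r, got sp='$perms'" >&2; return 1; }
  printf 'https://%s.blob.core.windows.net/%s/%s?%s' "$account" "$container" "$blob" "$sas"
}

# Create the SAS definition (one per blob) and read the signed SAS back from the
# vault. Requires az CLI, a logged-in session and the managed storage account from
# step 4; the account key is used only to build the template, never stored by the app.
create_blob_sas_definition() {
  local vault="$1" account="$2" container="$3" blob="$4" def_name="$5" sas url
  sas=$(az storage blob generate-sas --account-name "$account" --account-key "$ACCOUNT_KEY" \
          -c "$container" -n "$blob" --https-only --permissions r -o tsv)
  url=$(blob_template_uri "$account" "$container" "$blob" "$sas")
  # Quote the URI: the ? and & in it must reach az intact.
  az keyvault storage sas-definition create --vault-name "$vault" --account-name "$account" \
    -n "$def_name" --validity-period PT1H --sas-type service --template-uri "$url"
  # Key Vault exposes the signed SAS as the secret <account>-<definition>; the app
  # fetches this value (not a storage key) each time it hands out a download link.
  az keyvault secret show --id "https://${vault}.vault.azure.net/secrets/${account}-${def_name}" \
    --query value -o tsv
}

# Usage: ACCOUNT_KEY=<key1> ./blobsas.sh create myvault storageacct container1 report.pdf report-read
if [ "${1:-}" = "create" ]; then
  create_blob_sas_definition "$2" "$3" "$4" "$5" "$6"
fi
```

Because a SAS definition is a fixed template, this needs one definition per blob and so suits a known, small set of downloadable files; for arbitrary per-file links, a user delegation SAS issued under an Azure AD identity avoids the shared key entirely.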