Implementing an automatic SAS token refresh for an Azure Blob Storage

pmscorca 1,032 Reputation points
2024-02-19T08:32:02.94+00:00

Hi, I've created an azcopy command in order to write a txt file from an Azure VM to an Azure Blob Storage by manually specifying a SAS signature. Is it possible to manage an automatic SAS token refresh without updating the azcopy command? As an alternative, is it possible to generate a long-life SAS token (of some years)? Other solutions?

Azure Blob Storage

Accepted answer
  1. TP 110.6K Reputation points
    2024-02-19T09:37:48.71+00:00

    Hi,

    One option is to enable System Managed Identity on the VM, and assign this Identity Storage Blob Data Contributor on your storage account. In the VM, you need to add the environment variable AZCOPY_AUTO_LOGIN_TYPE=MSI so that azcopy will know to use the System Managed Identity.

    Once everything is set up you won't need to deal with SAS anymore.

    Basic steps are:

    1. Navigate to your VM in the portal, click on the Identity blade, enable System Managed Identity and save
    2. Navigate to your storage account, click on the Access control (IAM) blade, Add role assignment for the VM's managed identity for Storage Blob Data Contributor
    3. Inside of the VM, add the AZCOPY_AUTO_LOGIN_TYPE environment variable, and set it to MSI. For Windows you can do this via Advanced System Settings -- Environment Variables button.

    Authorize by using a system-wide managed identity

    https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory#authorize-by-using-a-system-wide-managed-identity

    Please click Accept Answer and upvote if the above was helpful. If something is unclear or you need help with a specific step, add a comment below.

    Thanks.

    -TP

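The three steps above scripted end to end with the Az PowerShell module, as an added example that is not part of the accepted answer. The resource group, VM, storage account, container and file names are placeholders; the first part runs from an admin workstation, the second inside the VM.

```powershell
# --- Part 1: run from a workstation that is already logged in (Connect-AzAccount) ---
# Placeholder names, not taken from the question; replace with your own.
$rg        = 'my-rg'
$vmName    = 'my-vm'
$saName    = 'mystorageacct'
$container = 'reports'

# Step 1: enable the system-assigned managed identity on the VM.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm = Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# Step 2: grant Storage Blob Data Contributor to that identity.
# Scoping the assignment to the single container rather than the whole
# account is the least-privilege choice if the VM only writes to one container.
$saId  = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Id
$scope = "$saId/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName 'Storage Blob Data Contributor' `
                     -Scope $scope

# Audit check: confirm exactly which identities can write blobs on this scope.
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -eq 'Storage Blob Data Contributor' |
    Select-Object DisplayName, ObjectId, Scope

# --- Part 2: run inside the VM (elevated PowerShell) ---
# Step 3: machine-wide variable so every azcopy invocation uses the managed
# identity instead of a SAS. RBAC propagation can take a few minutes, so a
# 403 immediately after the assignment above is expected; retry shortly after.
[Environment]::SetEnvironmentVariable('AZCOPY_AUTO_LOGIN_TYPE', 'MSI', 'Machine')
$env:AZCOPY_AUTO_LOGIN_TYPE = 'MSI'   # also apply to the current session

# Verify the identity can reach the container before touching the real job.
azcopy list "https://$saName.blob.core.windows.net/$container"

# The original upload, now with no SAS in the URL and nothing to expire.
azcopy copy 'C:\data\report.txt' `
            "https://$saName.blob.core.windows.net/$container/report.txt"
```

The token azcopy obtains through the VM's identity is short-lived and renewed automatically, so revoking access later is a matter of removing the role assignment rather than hunting for a long-lived SAS.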

1 additional answer

  1. Amrinder Singh 5,795 Reputation points Microsoft Employee
    2024-02-19T09:13:23.7133333+00:00

    Hello, welcome to Microsoft Q&A Forum, thank you for posting your query here! If I got this correctly, the intent is to renew the SAS when it comes to expiry? Please confirm if my understanding is correct. If correct, then yes, since storage doesn't keep track of SAS generated, there is no direct mechanism to renew it. The alternative approach is, as you suggested, to either have a SAS with a larger expiration period (not among best practices) or you can check for implementing Key Vault if feasible and manage SAS rotation via that.

