Key Vault Service SAS token, container level, for Data Factory

Hi All,
I'm trying to put together a solution for reading and writing to a container using a service SAS token managed by Key Vault. I've been through all the setup. There are quite a few web pages about account SAS, which I can get working, but not so many about service SAS. When Key Vault generates the SAS token for me, there is always a problem with it.
Has anyone actually got it working please?
So, I've followed the instructions here, which already had container-level service SAS specified.
To prove it works, I'm using a managed identity authed web activity in DF to get the SAS token value out of Key Vault, so I can see the generated token. I then attach my URL for the storageaccount/container to the token and try to connect using Azure Storage Explorer.
I get Server failed to authenticate the request :-(
I assume this is user error, or there is some quirk or other that I need to do.
Any advice appreciated.
Thanks
Jim
Hi @Saurabh Sharma ,
Thanks for your response. Can you confirm for me please that this is a service SAS token and has restricted access to a container only? I do get a token out but it doesn't work, but account SAS does work, which is my sticking point.
Thanks
Jim
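One way to confirm from the token itself whether Key Vault returned a service SAS scoped to a container, as asked above. This is an added Python example, not part of the thread or of Microsoft's documentation; `inspect_sas`, the sample URL and the placeholder signature are constructed for illustration, while `sr`, `ss`, `srt`, `sp`, `se`, `spr`, `si` and `skoid` are the standard SAS query parameters.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# sr (signed resource) codes used by a Blob service SAS.
SR_SCOPE = {"c": "container", "b": "blob", "bs": "blob snapshot",
            "bv": "blob version", "d": "directory"}

def inspect_sas(url_or_token, now=None):
    """Classify a SAS from its query fields alone; nothing is sent to Azure."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url_or_token)
    query = parts.query or url_or_token.lstrip("?")
    findings = []
    if query.startswith("?"):  # hand-assembled URL with a doubled separator
        findings.append("URL and token joined with '??'")
        query = query.lstrip("?")
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if "ss" in q and "srt" in q:      # account SAS: signed services + resource types
        kind, scope = "account", "services=%s types=%s" % (q["ss"], q["srt"])
    elif "skoid" in q:                # user delegation SAS: signed with an Entra ID key
        kind, scope = "user-delegation", SR_SCOPE.get(q.get("sr"), "unknown")
    elif "sr" in q:                   # service SAS: one signed resource
        kind, scope = "service", SR_SCOPE.get(q["sr"], "unknown")
    else:
        kind, scope = "unknown", "unknown"
    for field in ("sv", "sig", "se", "sp"):
        # se and sp may legitimately come from a stored access policy (si).
        if field not in q and not (field in ("se", "sp") and "si" in q):
            findings.append("missing %s" % field)
    expires = None
    if "se" in q:
        expires = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append("expired")
    container = None
    if parts.netloc:  # only a full URL carries the container in its path
        container = parts.path.strip("/").split("/")[0] or None
    return {"kind": kind, "scope": scope, "container": container,
            "permissions": q.get("sp"), "expires": expires,
            "https_only": q.get("spr") == "https", "findings": findings}

# Constructed sample: placeholder account, container and signature.
SAMPLE = ("https://storageacct.blob.core.windows.net/container1"
          "?sv=2021-08-06&sr=c&sp=rw&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    print(inspect_sas(SAMPLE))
```

The function never prints or returns the `sig` value, so its output can be pasted into a support ticket without exposing the signature.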
@James Reynolds OK, I have used an account SAS token only. I have to check with the service SAS token if that's the issue.
@James Reynolds I tried with service SAS token and I see issues while testing the connection. I am checking internally if this is supported or if I am doing something wrong. I will get back to you on this issue.
Thanks, this page
https://learn.microsoft.com/en-us/cli/azure/keyvault/storage/sas-definition?view=azure-cli-latest
Search for section "az keyvault storage sas-definition create"
The third example is for this exactly, unless I have misinterpreted
Sub-section "Add a sas-definition for a container sas-token"
$sastoken = az storage container generate-sas --account-name storageacct --account-key 00000000 -n container1 --https-only --permissions rw
$url = "https://{storage-account-name}.blob.core.windows.net/{container-name}" # The prefix of your blob url
az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwcontaineraccess
Which leads me to think it is supported. But I don't think this is any different to the other link in the post at the start of the thread. Neither way gives me a working service SAS token.
I appreciate your time looking at this.
Thanks
Jim
@James Reynolds Thanks for sharing it. Yes, I have also used az storage container generate-sas to generate a container SAS token and faced issues like yours. I am checking internally on the same. I will keep you posted with the updates. Thanks.
Hello @James Reynolds ,
At this time we are not getting much traction on this issue from the internal team, so I suggest that if you have a support plan you file a support ticket; otherwise, could you please send an email to AzCommunity@microsoft.com with the below details, so that we can create a one-time free support ticket for you to work closely on this matter.
Thread URL:
Subscription ID:
Subject: Attention: Himanshu / Saurabh
Please let me know once you have done the same.
Thanks
Himanshu
@James Reynolds Please let me know if you need any help creating a support ticket.