AzCopy from an onpremise PowerShell script - how to deal with SAS or secret key

TechUser2020-6505 256 Reputation points
2021-03-17T15:18:19.25+00:00

Hi,
I'm trying to use AzCopy inside a PowerShell script where I can copy files from on premise into Blob storage. The challenge I have is that the script needs to run on a scheduled task without user interaction. The Microsoft examples I've seen below rely on appending the SAS token to the Blob URL or entering the client secret at a prompt.

Is there a way to encrypt the SAS token so that the script can execute it for AzCopy, but anyone viewing the script cannot see the secret?

I want to (ideally) stop a user from browsing the script contents and being able to connect to the Blob Storage.

https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory

Thanks

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,599 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,449 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 45,321 Reputation points Microsoft Employee
    2021-03-18T14:59:22.947+00:00

    @ Welcome to Microsoft Q&A, Thank you posting your query here!

    When you accessing https the request will anyways be encrypted..

    79321-capture.png

    The complete SAS token will be in above format. So the complete request URl will be in https:

    Azure Storage encryption helps you protect and safeguard your data by encrypting data at rest and by handling encryption and decryption. All data is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.

    You can choose to have Microsoft manage encryption keys, or you can bring your own keys with customer-managed keys stored in Azure Key Vault or Key Vault Managed Hardware Security Model (HSM) (preview). For more information, see Customer-managed keys for Azure Storage encryption.

    Azure Storage encryption automatically encrypts data in all performance tiers (Standard and Premium), all deployment models (Azure Resource Manager and Classic), and all of the Azure Storage services (Blob, Queue, Table, and File).

    Shared access signature tokens with Key Vault

    Actually I am not understanding.. what script are you referring to?

    If you want restrict access to blob storage, I would recommend, please refer to this link which provides you how RBAC and built-in roles works

    Refer to this thread which will provide some idea for your scenario Restrict access to a specific container in a Azure Storage BLOB

    Additional information : If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.

    If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

    Best practices when using SAS

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    -------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

  2. TechUser2020-6505 256 Reputation points
    2021-03-24T15:42:20.197+00:00

    Hi Sumarigo,
    Thank you for the response.

    I'm planning on writing a PowerShell script to copy data to Azure blob storage. In my organisation we have hundreds of administrators who have access to view the script contents. I want to be able to stop them from viewing the SAS key in the script file, what would you recommend for this?

    Thank you,