New-AzStorageAccountSASToken
Creates an account-level SAS token.
Syntax
New-AzStorageAccountSASToken
-Service <SharedAccessAccountServices>
-ResourceType <SharedAccessAccountResourceTypes>
[-Permission <String>]
[-Protocol <SharedAccessProtocol>]
[-IPAddressOrRange <String>]
[-StartTime <DateTime>]
[-ExpiryTime <DateTime>]
[-EncryptionScope <String>]
[-Context <IStorageContext>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
The New-AzStorageAccountSASToken cmdlet creates an account-level shared access signature (SAS) token for an Azure Storage account. You can use the SAS token to delegate permissions for multiple services, or to delegate permissions for services not available with an object-level SAS token. An account SAS is secured using the storage account key. To create an account SAS, a client application must possess the account key.
Examples
Example 1: Create an account-level SAS token with full permission
New-AzStorageAccountSASToken -Service Blob,File,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup"This command creates an account-level SAS token with full permission.
Example 2: Create an account-level SAS token for a range of IP addresses and EncryptionScope
New-AzStorageAccountSASToken -Service Blob,File,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -Protocol HttpsOnly -IPAddressOrRange 168.1.5.60-168.1.5.70 -EncryptionScope scopenameThis command creates an account-level SAS token for HTTPS-only requests from the specified range of IP addresses, with a specific EncryptionScope.
Example 3: Create an account-level SAS token valid for 24 hours
New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission "rl" -ExpiryTime (Get-Date).AddDays(1)This command creates an read-only account-level SAS token that is valid for 24 hours.
Parameters
-Context
Specifies the Azure storage context. You can use the New-AzStorageContext cmdlet to get an AzureStorageContext object.
| Type: | IStorageContext |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
| Type: | IAzureContextContainer |
| Aliases: | AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EncryptionScope
Encryption scope to use when sending requests authorized with this SAS URI.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ExpiryTime
Specifies the time at which the shared access signature becomes invalid.
| Type: | Nullable<T>[DateTime] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IPAddressOrRange
Specifies the IP address or range of IP addresses from which to accept requests, such as 168.1.5.65 or 168.1.5.60-168.1.5.70. The range is inclusive.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Permission
Specifies the permissions for Storage account.
Permissions are valid only if they match the specified resource type.
It is important to note that this is a string, like rwd (for Read, Write and Delete).
For more information about acceptable permission values, see Constructing an Account SAS http://go.microsoft.com/fwlink/?LinkId=799514
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Protocol
Specifies the protocol permitted for a request made with the account SAS. The acceptable values for this parameter are:
- HttpsOnly
- HttpsOrHttp The default value is HttpsOrHttp.
| Type: | Nullable<T>[SharedAccessProtocol] |
| Accepted values: | HttpsOnly, HttpsOrHttp |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResourceType
Specifies the resource types that are available with the SAS token. The acceptable values for this parameter are:
- None
- Service
- Container
- Object
| Type: | SharedAccessAccountResourceTypes |
| Accepted values: | None, Service, Container, Object |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Service
Specifies the service. The acceptable values for this parameter are:
- None
- Blob
- File
- Queue
- Table
| Type: | SharedAccessAccountServices |
| Accepted values: | None, Blob, File, Queue, Table |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-StartTime
Specifies the time, as a DateTime object, at which the SAS becomes valid. To get a DateTime object, use the Get-Date cmdlet.
| Type: | Nullable<T>[DateTime] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Outputs
Related Links
Azure PowerShell
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for