Set-AzKeyVaultManagedStorageSasDefinition

Sets a Shared Access Signature (SAS) definition with Key Vault for a given Key Vault managed Azure Storage Account.

Syntax

Default (Default)

Set-AzKeyVaultManagedStorageSasDefinition
    [-VaultName] <String>
    [-AccountName] <String>
    [-Name] <String>
    [-TemplateUri] <String>
    [-SasType] <String>
    -ValidityPeriod <TimeSpan>
    [-Disable]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ByInputObject

Set-AzKeyVaultManagedStorageSasDefinition
    [-InputObject] <PSKeyVaultManagedStorageAccountIdentityItem>
    [-Name] <String>
    [-TemplateUri] <String>
    [-SasType] <String>
    -ValidityPeriod <TimeSpan>
    [-Disable]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

Sets a Shared Access Signature (SAS) definition with a given Key Vault managed Azure Storage Account. This also sets a secret which can be used to get the SAS token per this SAS definition. The SAS token is generated using these parameters and the active key of the Key Vault managed Azure Storage Account.

Examples

Example 1: Set an account-type SAS definition, and obtain a current SAS token based on it

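# Pre-existing storage account and key vault
$sa = Get-AzStorageAccount -Name mysa -ResourceGroupName myrg
$kv = Get-AzKeyVault -VaultName mykv
# Let Key Vault manage the account keys: key1 is active and is regenerated every 180 days
Add-AzKeyVaultManagedStorageAccount -VaultName $kv.VaultName -AccountName $sa.StorageAccountName -AccountResourceId $sa.Id -ActiveKeyName key1 -RegenerationPeriod ([System.Timespan]::FromDays(180))
# Storage context built from the value of key1 (the context and dates are not consumed by the SAS definition below)
$key1 = (Get-AzStorageAccountKey -ResourceGroupName myrg -Name mysa | Where-Object KeyName -eq 'key1').Value
$sctx = New-AzStorageContext -StorageAccountName $sa.StorageAccountName -Protocol Https -StorageAccountKey $key1
$start = [System.DateTime]::Now.AddDays(-1)
$end = [System.DateTime]::Now.AddMonths(1)
# Account SAS template: services b,f,q,t; resource types s,c,o; permissions r,w; HTTPS only
$at = "sv=2018-03-28&ss=bfqt&srt=sco&sp=rw&spr=https"
# Store the SAS definition; tokens issued from it expire 30 days after they are generated
$sas = Set-AzKeyVaultManagedStorageSasDefinition -AccountName $sa.StorageAccountName -VaultName $kv.VaultName -Name accountsas -TemplateUri $at -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))
# Read the secret that holds the current SAS token for this definition
Get-AzKeyVaultSecret -VaultName $kv.VaultName -Name $sas.Sid.Substring($sas.Sid.LastIndexOf('/')+1)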

Sets an account SAS definition 'accountsas' on a KeyVault-managed storage account 'mysa' in vault 'mykv'. Specifically, the sequence above performs the following:

  • gets a (pre-existing) storage account
  • gets a (pre-existing) key vault
  • adds a KeyVault-managed storage account to the vault, setting Key1 as the active key, and with a regeneration period of 180 days
  • sets a storage context for the specified storage account, with Key1
  • defines an account SAS template for services Blob, File, Table and Queue, for resource types Service, Container and Object, with read and write permissions (sp=rw), over https; the template itself carries no start or end date
  • sets a KeyVault-managed storage SAS definition in the vault, with the template URI set to the SAS template defined above, of SAS type 'account' and valid for 30 days
  • retrieves the actual access token from the KeyVault secret corresponding to the SAS definition
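
The template and -ValidityPeriod fix the scope and lifetime of every token issued from a SAS definition, so they are worth reviewing before the definition is stored. The following is an added example, not part of the original page or of the Az.KeyVault module; the function name Test-SasTemplate, the 7-day limit and the policy rules are assumptions.

```powershell
# Added example: review an account SAS template before storing it as a SAS definition.
# Test-SasTemplate and its policy rules are hypothetical, not part of Az.KeyVault.
function Test-SasTemplate {
    param(
        [Parameter(Mandatory)] [string]   $TemplateUri,
        [Parameter(Mandatory)] [timespan] $ValidityPeriod,
        [timespan] $MaxValidity = [timespan]::FromDays(7)   # assumed policy limit
    )
    # Split "k=v&k=v" into a hashtable of SAS query fields.
    $fields = @{}
    foreach ($pair in ($TemplateUri.TrimStart('?') -split '&')) {
        $k, $v = $pair -split '=', 2
        if ($k) { $fields[$k] = [string]$v }
    }
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($required in 'sv', 'ss', 'srt', 'sp') {
        if (-not $fields.ContainsKey($required)) { $findings.Add("missing field '$required'") }
    }
    # spr=https restricts use of the token to HTTPS.
    if ($fields['spr'] -ne 'https') { $findings.Add('spr is not https-only') }
    # Any permission letter other than r (read) or l (list) can modify data.
    $extra = [regex]::Matches([string]$fields['sp'], '[^rl]').Value -join ''
    if ($extra) { $findings.Add("sp grants more than read/list: '$extra'") }
    # ss lists services (b, f, q, t); srt lists resource types (s, c, o).
    if (([string]$fields['ss']).Length -gt 1) {
        $findings.Add("ss spans several services: '$($fields['ss'])'")
    }
    if (([string]$fields['srt']).Contains('s')) {
        $findings.Add('srt includes service-level operations')
    }
    if ($ValidityPeriod -gt $MaxValidity) {
        $findings.Add("validity $($ValidityPeriod.TotalDays) days exceeds $($MaxValidity.TotalDays) days")
    }
    [pscustomobject]@{
        Fields   = $fields
        Findings = $findings.ToArray()
        Ok       = ($findings.Count -eq 0)
    }
}

# The template from Example 1, with its 30-day validity period.
$broad = Test-SasTemplate -TemplateUri 'sv=2018-03-28&ss=bfqt&srt=sco&sp=rw&spr=https' `
    -ValidityPeriod ([timespan]::FromDays(30))
# A narrower template (constructed sample): read-only, blob objects only, one hour.
$narrow = Test-SasTemplate -TemplateUri 'sv=2018-03-28&ss=b&srt=o&sp=r&spr=https' `
    -ValidityPeriod ([timespan]::FromHours(1))
$broad.Findings
"Narrow template passes: $($narrow.Ok)"
```

A script can call Set-AzKeyVaultManagedStorageSasDefinition only when `Ok` is true, and the cmdlet's own -WhatIf switch previews the change without applying it.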

Parameters

-AccountName

Key Vault managed storage account name. Cmdlet constructs the FQDN of a managed storage account name from vault name, currently selected environment and managed storage account name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:StorageAccountName

Parameter sets

Default
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Disable

Disables the use of the SAS definition for generation of SAS tokens.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-InputObject

ManagedStorageAccount object.

Parameter properties

Type:PSKeyVaultManagedStorageAccountIdentityItem
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByInputObject
Position:0
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Storage SAS definition name. Cmdlet constructs the FQDN of a storage SAS definition from vault name, currently selected environment, storage account name and SAS definition name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SasDefinitionName

Parameter sets

(All)
Position:2
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SasType

Storage SAS type.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:4
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Parameter properties

Type:Hashtable
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Tags

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-TemplateUri

Storage SAS definition template URI.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:3
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ValidityPeriod

Validity period used to set the expiry time of the SAS token, counted from the time the token is generated.

Parameter properties

Type:Nullable<T>[TimeSpan]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-VaultName

Vault name. Cmdlet constructs the FQDN of a vault based on the name and currently selected environment.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

Default
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

PSKeyVaultManagedStorageAccountIdentityItem

Outputs

PSKeyVaultManagedStorageSasDefinition