3

In our CI/CD pipeline im trying to automate the creation of SAS tokens for containers used by other systems. Each SAS token "points" to a Shared Access Policy.

My first thought was to add this to our PowerShell post deployment script so we can add the creation of new containers (including SAS tokens and shared access policies) to the script as we expand. Everything works and I get both he policy and the SAS token generated but I got stuck on one thing that differs from when I generate a SAS token via the Azure portal. I hope that someone can shed some light on the discrepancy.

PowerShell script (run as part of deploy pipeline in VSTS)

Select-AzureRmSubscription -SubscriptionId $useSubscription
Set-AzureRmContext -SubscriptionId $useSubscription

$accountKeys = Get-AzureRmStorageAccountKey -ResourceGroupName $useResourceGroupName -Name $storageAccountName
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $accountKeys[0].Value 
$expiryTime = (get-date).AddYears(1)
$permission = "rwl"

New-AzureStorageContainerStoredAccessPolicy -Context $storageContext -Container "test-container" -Policy "testPolicy" -ExpiryTime $expiryTime -Permission $permission

$sasToken = New-AzureStorageContainerSASToken  -Name "test-container" -Policy "testPolicy" -Context $storageContext
$sasToken = $sasToken.substring(1)

Write-Host "SAS token (ref shared access policy): $sasToken"

$sasToken2 = New-AzureStorageContainerSASToken -Context $storageContext -Container tibp-userprofiles -Permission rwl
Write-Host 'SAS token: ' $($sasToken2)

The output is currently:

SAS token (ref shared access policy): sv=2015-04-05&sr=c&si=tibpsaptest2&sig=rkzN3ocRZUrz5ub2IcVPKGIARvw3%2B2rh1G3yKmnSXhA%3D
SAS token:  ?sv=2015-04-05&sr=c&sig=9kMVFE7U61P1ikK27ylXqXiIkSaj71OImdM88RrtJfs%3D&se=2017-05-22T08%3A40%3A39Z&sp=rwl

My question is why is sv set to 2015-04-05 using Pwershell cmdlet and not the newest version 2016-05-31? I get the same result for sv if I generate a clean SAS token (not backed by a shared access policy).

If I generate a SAS token using the Azure Portal (using the same storage account and container) i get sv set to the newest version (2016-05-31).

The output using Azure Portal: 

?sv=2016-05-31&ss=b&srt=sco&sp=rwl&se=2017-05-22T17:36:58Z&st=2017-05-22T09:36:58Z&spr=https&sig=UTibTnwmwYl3k3iIYj63VbYItL5eV4K4t6PEZ7ihi3E%3D

The CI/CD pipline is run using VSTS and I use a standard Azure PowerShell task to run the script.

Azure PowerShell version in VSTS

Improve this question

1 Answer 1

Reset to default
3

You could use the following cmdlet to generate SAS token, the result is same with Portal. 

$now=get-date

New-AzureStorageContainerSASToken -Name <container name> -Context $storageContext -Permission rwl -StartTime $now.AddHours(-1) -ExpiryTime $now.AddMonths(1)

My test result is below

?sv=2015-04-05&sr=c&sig=tMG2TwiAGXkDqwFbj7%2BRjI52qXUKU9NDI%2BmkxMY%2BjtM%3D&st=2017-05-22T00%3A41%3A50Z&se=2017-06-22T01%3A41%3A50Z&sp=rwl

You could check they are same except API version ?sv=2015-04-05. More information about SAS please refer to this link.

Update:

I know the reason, Azure Portal uses the latest API version to generate SAS token, but your local Azure PowerShell does not use the latest version.

You could use the following cmdlet to check your Azure PowerShell version.

Get-Module -ListAvailable -Name Azure -Refresh

On the latest version(for now 4.01) use the latest API version. You could download the mis installer from the link.

PS C:\Users\v-shshui> New-AzureStorageContainerSASToken -Name vhds -Context $storageContext -Permission rwl -StartTime $now.AddHours(-1) -ExpiryTime $now.AddMonths(1)
?sv=2016-05-31&sr=c&sig=zdrwTEEmvTn6rjoJPVWOdQYzggrvygTHGoBsOBYgzuI%3D&st=2017-05-22T07%3A56%3A21Z&se=2017-06-22T08%3A56%3A21Z&sp=rwl
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

I get the same result when use your script. I suggest you should change your script.
I dont see any difference in the result using your script. I have edited my question to clarify the issue. The goal is to generate a SAS token backed by a shared access policy that uses sv 2016-05-31.
@soderstromOlov Hi, I know the reason, you could check your Azure PowerShell version. When your use the latest PowerShell version(4.01), you could generate SAS token with the latest API version.
Thank you @Walter - MSFT for the feedback! Running the script locally with version 4 does indead generate the desired token. But... After a quick check during the VSTS deployment task i could see that it uses Azure PowerShell ver 3.5 hence giving me the older storage service version. Any idea how to solve this? Or do I have to run a Powershell task on a target machine instead to get the newest version of Azure PS?
@soderstromOlov No, the API version is encapsulated in PowerShell cmdlet, we could not change it. You should use the latest version.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.