New-AzStorageAccountSASToken doesn't work with -UseConnectedAccount #17008

Closed
SSKLCP opened this issue Feb 4, 2022 · 7 comments · Fixed by #18058
Assignees: blueww
Labels: bug, customer-reported, needs-author-feedback, question, Service Attention, Storage

Comments


SSKLCP commented Feb 4, 2022

Description

I'm trying to generate a SAS token through PowerShell but keep running into this error:

New-AzStorageAccountSASToken: Value cannot be null. (Parameter 's')

This is happening when I run the commands:

Connect-AzAccount
$cont = New-AzStorageContext -StorageAccountName $SA_name -UseConnectedAccount
New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont

But if I instead run:

$cont = New-AzStorageContext -StorageAccountName $SA_name -StorageAccountKey $Key1
New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont

then it works without issue.

The account I'm connecting with has owner permissions to the storage account.

Issue script & Debug output

Connect-AzAccount
$cont = New-AzStorageContext -StorageAccountName $SA_name -UseConnectedAccount
New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.0
PSEdition                      Core
GitCommitId                    7.2.0
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.7.1                 Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount…}
Script     4.1.1                 Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStorageAccountNetworkRule, Close-AzStorageFileHandle…}

Error output

Message        : Value cannot be null. (Parameter 's')
StackTrace     :    at System.Convert.FromBase64String(String s)
                    at Azure.Storage.StorageSharedKeyCredential.SetAccountKey(String accountKey)
                    at Azure.Storage.StorageSharedKeyCredential..ctor(String accountName, String accountKey)
                    at Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet.NewAzureStorageAccountSasTokenCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.ArgumentNullException
InvocationInfo : {New-AzStorageAccountSASToken}
Line           : New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont -Verbose
Position       : At line:1 char:1
                 + New-AzStorageAccountSASToken -Service blob -ResourceType object -Perm …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 14
@SSKLCP SSKLCP added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Feb 4, 2022
@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Feb 4, 2022
@dingmeng-xue dingmeng-xue added CXP Attention [Deprecated] The Azure CXP Support Team is responsible for this issue. Storage labels Feb 6, 2022

ghost commented Feb 6, 2022

Thank you for your feedback. This has been routed to the support team for assistance.


@blueww blueww self-assigned this Feb 7, 2022

blueww commented Feb 7, 2022

@SSKLCP

With "-UseConnectedAccount", a storage context is created with an AAD credential.
But account SAS does not support AAD credentials. Only user delegation SAS supports AAD credentials, and it applies to Blob storage only.
See details in https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

So when creating an account SAS, currently the storage context must be created with a shared key credential.
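The two signing paths blueww describes, shown side by side as an added example (not code from the issue or from the Az module): a user delegation SAS signed by the connected AAD account for the blob service, and an account SAS that first has to fetch the account key. `$SA_name` comes from the issue; `$RG_name` and `$Container` are assumed variable names.

```powershell
# Added example, not part of the original issue. Assumes $SA_name (from the issue),
# plus $RG_name and $Container, are already set.
Connect-AzAccount

# 1) User delegation SAS: signed with the connected AAD identity, blob service only.
#    The signed-in account needs a Storage Blob Data RBAC role on the account; no key
#    is ever handled on the client, which is the least-privilege option.
$aadCtx = New-AzStorageContext -StorageAccountName $SA_name -UseConnectedAccount
$delegationSas = New-AzStorageContainerSASToken -Name $Container -Permission rl `
    -StartTime (Get-Date) -ExpiryTime (Get-Date).AddHours(1) -Context $aadCtx

# 2) Account SAS: must be signed with the storage account key, so the key has to be
#    retrieved first (requires listKeys permission on the account). Passing the
#    -UseConnectedAccount context here is what produces the ArgumentNullException.
$key = (Get-AzStorageAccountKey -ResourceGroupName $RG_name -Name $SA_name)[0].Value
$keyCtx = New-AzStorageContext -StorageAccountName $SA_name -StorageAccountKey $key
$accountSas = New-AzStorageAccountSASToken -Service Blob -ResourceType Object -Permission rl `
    -Protocol HttpsOnly -ExpiryTime (Get-Date).AddHours(1) -Context $keyCtx

# Both tokens are scoped to read/list and a one-hour window; widen only as needed.
$delegationSas
$accountSas
```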

@PramodValavala-MSFT PramodValavala-MSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention [Deprecated] The Azure CXP Support Team is responsible for this issue. labels Feb 8, 2022

ghost commented Feb 8, 2022

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.



SSKLCP commented Feb 8, 2022

> @SSKLCP
>
> With "-UseConnectedAccount", a storage context is created with an AAD credential. But account SAS does not support AAD credentials. Only user delegation SAS supports AAD credentials, and it applies to Blob storage only. See details in https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
>
> So when creating an account SAS, currently the storage context must be created with a shared key credential.

Happy to accept that the REST API documentation supports this answer.
That said, the PowerShell documentation / error message could be updated to reflect this.

navba-MSFT added a commit to navba-MSFT/azure-powershell that referenced this issue May 6, 2022
The below information needs to be added to avoid customers using -UseConnectedAccount (AAD credential) to create an account SAS, which would fail.

"An account SAS is secured using the storage account key. To create an account SAS, a client application must possess the account key."
@navba-MSFT

@SSKLCP Thanks for the feedback. We have created the above PR to enhance the documentation of the PS command to include the above information. The PR is in the review phase now. If you have any further queries on this, please let us know.

@navba-MSFT navba-MSFT added the needs-author-feedback More information is needed from author to address the issue. label May 6, 2022

SSKLCP commented May 6, 2022

I'm happy :) Thank you very much

@SSKLCP SSKLCP closed this as completed May 6, 2022
wyunchi-ms pushed a commit that referenced this issue May 7, 2022