-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New-AzStorageAccountSASToken doesn't work with -UseConnectedAccount #17008
Comments
Thank you for your feedback. This has been routed to the support team for assistance. |
1 similar comment
Thank you for your feedback. This has been routed to the support team for assistance. |
With "-UseConnectedAccount", will create a storage context with AAD credential. So when create account sas, currently the storage context must be created with shared key credential. |
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage. Issue DetailsDescriptionI'm trying to generate a SAS token through PowerShell but keep running into this error:
This is happening when I run the commands:
But if I instead run:
then it works without issue. The account I'm connecting with has owner permissions to the storage account. Issue script & Debug outputConnect-AzAccount
$cont = New-AzStorageContext -StorageAccountName $SA_name -UseConnectedAccount
New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont Environment dataName Value
---- -----
PSVersion 7.2.0
PSEdition Core
GitCommitId 7.2.0
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0 Module versionsModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.7.1 Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount…}
Script 4.1.1 Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStorageAccountNetworkRule, Close-AzStorageFileHandle…} Error outputMessage : Value cannot be null. (Parameter 's')
StackTrace : at System.Convert.FromBase64String(String s)
at Azure.Storage.StorageSharedKeyCredential.SetAccountKey(String accountKey)
at Azure.Storage.StorageSharedKeyCredential..ctor(String accountName, String accountKey)
at Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet.NewAzureStorageAccountSasTokenCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.ArgumentNullException
InvocationInfo : {New-AzStorageAccountSASToken}
Line : New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont -Verbose
Position : At line:1 char:1
+ New-AzStorageAccountSASToken -Service blob -ResourceType object -Perm …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 14
|
Happy to accept that the REST API documentation supports this answer. |
The below information needs to be added to avoid the customer's using -UseConnectedAccount (AAD Credential) to create account SAS which would fail. "An account SAS is secured using the storage account key. To create an account SAS, a client application must possess the account key."
@SSKLCP Thanks for the feedback. We have created the above PR to enhance the documentation of the PS command to include the above information. the PR is in review phase now, If you have any further queries on this, please let us know. |
I'm happy :) Thank you very much |
The below information needs to be added to avoid the customer's using -UseConnectedAccount (AAD Credential) to create account SAS which would fail. "An account SAS is secured using the storage account key. To create an account SAS, a client application must possess the account key."
Description
I'm trying to generate a SAS token through PowerShell but keep running into this error:
This is happening when I run the commands:
Connect-AzAccount
$cont = New-AzStorageContext -StorageAccountName $SA_name -UseConnectedAccount
New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont
But if I instead run:
$cont = New-AzStorageContext -StorageAccountName $SA_name -StorageAccountKey $Key1
New-AzStorageAccountSASToken -Service blob -ResourceType object -Permission racwdlup -ExpiryTime (get-date).addhours(1) -Context $cont
then it works without issue.
The account I'm connecting with has owner permissions to the storage account.
Issue script & Debug output
Environment data
Module versions
Error output
The text was updated successfully, but these errors were encountered: