Upload and Download Files using a SAS Token
A SAS token can be used to grant temporary access to your storage without exposing your storage key. With a SAS token we can grant a client temporary access to our container, limited to the permissions and the time window we define. If you're unfamiliar or want the details of how a SAS token works then head over to /en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1.
Objective:
Today we will simplify the process by demonstrating how easy it is to create and use a SAS Token and prove it works by uploading and downloading files.
Implementation:
Step 1: The first step, if you haven't already done so, is to create a resource group and storage account.
$ResourceGroupName = 'LabRG1'
$StorageAccountName = 'labsa1'
$ContainerName = 'labcn1'
$Location = 'East US'
# create new resource group and storage account
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location
New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -Type Standard_LRS -Location $Location
Set-AzureRmCurrentStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
Step 2: Next, create a new storage container.
# create a container
New-AzureStorageContainer -Name $ContainerName -Permission Off
Note: Set the container Permission to Off so that anonymous access is turned off. Access will be granted with the SAS token created in the next step.
Step 3: Create the SASToken and specify the permissions and expiration time for the token. The ExpiryTime is the time at which the SASToken expires. You should set this value to a time that will allow you to complete the desired operation.
# new SASToken
$sasToken = New-AzureStorageContainerSASToken -Container $ContainerName -Permission rwdl -ExpiryTime (Get-Date).AddHours(1)
# new storage context using the SAS token we just created
$StorageContext = New-AzureStorageContext $StorageAccountName -SasToken $sasToken
We now have everything set up to securely upload and download files. The key is to use the $StorageContext object that we just created. Let's verify in our subscription that our container is created.
Step 4: Let's upload a file to our container as a blob.
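# upload a file ($file is an example source path; $blob is the blob name it gets)
$file = 'C:\temp\testfile.txt'
$blob = 'testfile.txt'
Set-AzureStorageBlobContent -File $file -Container $ContainerName -Context $StorageContext -Blob $blob -Force -WarningAction SilentlyContinue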
Now let's verify the file was uploaded to our container.
Step 5: Now let's download the file to our Azure IaaS VM.
# download a file (uses the SAS-based $StorageContext created in Step 3)
Get-AzureStorageBlobContent -Container $ContainerName -Blob 'testfile.txt' -Destination 'C:\test\testfile.txt' -Context $StorageContext -Force
The testfile.txt was downloaded to our local IaaS VM. See how easy it is to upload and download a file using a SASToken.
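The token from Step 3 carries rwdl for an hour, so before handing a token to anyone else it is worth checking what it actually permits. The following is an added example, not code from the original post: Test-SasTokenScope is a hypothetical helper, and the sample token, its fake signature and the 'rl' baseline are constructed assumptions.

```powershell
# Added example: audit a SAS token's scope before handing it out.
# Test-SasTokenScope and its parameters are hypothetical names, not Azure cmdlets.
function Test-SasTokenScope {
    param(
        [Parameter(Mandatory)] [string] $SasToken,
        [string] $AllowedPermissions = 'rl',   # assumption: the consumer only reads and lists
        [double] $MaxLifetimeHours = 1,
        [DateTimeOffset] $Now = [DateTimeOffset]::UtcNow
    )
    # A SAS token is a URL query string: split it into name/value fields.
    $fields = @{}
    foreach ($pair in $SasToken.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($null -ne $value) { $fields[$name] = [Uri]::UnescapeDataString($value) }
    }
    $findings = @()
    # sp = signed permissions; flag every letter the consumer does not need.
    $extra = @(([string]$fields['sp']).ToCharArray() |
        Where-Object { $AllowedPermissions -cnotlike "*$_*" })
    if ($extra.Count -gt 0) { $findings += "unneeded permissions: $($extra -join ',')" }
    # se = signed expiry; si = stored access policy, which may carry the expiry instead.
    $hoursLeft = $null
    if ($fields.ContainsKey('se')) {
        $expiry = [DateTimeOffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture)
        $hoursLeft = ($expiry - $Now).TotalHours
        if ($hoursLeft -le 0) { $findings += 'token has expired' }
        elseif ($hoursLeft -gt $MaxLifetimeHours) { $findings += "lifetime exceeds $MaxLifetimeHours h" }
    } elseif (-not $fields.ContainsKey('si')) {
        $findings += 'no expiry (se) and no stored access policy (si)'
    }
    # spr = signed protocol; anything other than "https" means the token also permits HTTP.
    if ($fields['spr'] -ne 'https') { $findings += 'token is not restricted to HTTPS' }
    # sip = allowed source IP or range; absent means any address.
    if (-not $fields.ContainsKey('sip')) { $findings += 'no source IP restriction' }
    [pscustomobject]@{
        Permissions = $fields['sp']
        HoursLeft   = $hoursLeft
        Findings    = $findings
    }
}

# Constructed token shaped like the one from Step 3 (rwdl, one hour); the signature is fake.
$sample = '?sv=2015-04-05&sr=c&sig=CONSTRUCTED-NOT-A-REAL-SIGNATURE&se=2030-01-01T13%3A00%3A00Z&sp=rwdl'
$report = Test-SasTokenScope -SasToken $sample -Now ([DateTimeOffset]::Parse('2030-01-01T12:00:00Z'))
$report.Findings   # one line per issue found
```

The -Protocol HttpsOnly and -IPAddressOrRange parameters of New-AzureStorageContainerSASToken set the spr and sip fields that this check looks for.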
PowerShell
$ResourceGroupName = 'LabRG1'
$StorageAccountName = 'labsa1'
$ContainerName = 'labcn1'
$Location = 'East US'
# create new resource group and storage account
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location
New-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -Type Standard_LRS -Location $Location
Set-AzureRmCurrentStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
# create a container and SASToken
New-AzureStorageContainer -Name $ContainerName -Permission Off
$sasToken = New-AzureStorageContainerSASToken -container $ContainerName -Permission rwdl -ExpiryTime (get-date).AddHours(1)
$StorageContext = New-AzureStorageContext $StorageAccountName -SasToken $sasToken
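# upload a file ($file is an example source path; $blob is the blob name it gets)
$file = 'C:\temp\testfile.txt'
$blob = 'testfile.txt'
Set-AzureStorageBlobContent -File $file -Container $ContainerName -Context $StorageContext -Blob $blob -Force -WarningAction SilentlyContinue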
# download a file (uses the SAS-based $StorageContext created above)
Get-AzureStorageBlobContent -Container $ContainerName -Blob 'testfile.txt' -Destination 'C:\test\testfile.txt' -Context $StorageContext -Force