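Sample: creating a user delegation SAS for a blob with the Azure CLI, then copying the blob with azcopy using the SAS token

```bash
# Assumption: the storage account m14storage and the container data0314 already exist.
MY_RG=11-11RG
SUB_ID="<SUBID>"
MY_SCOPES="/subscriptions/$SUB_ID/resourceGroups/$MY_RG/providers/Microsoft.Storage/storageAccounts/m14storage"
RG_ID=$(az group create --name "$MY_RG" --location southeastasia --query "id" --output tsv)

# Create a service principal with Storage Blob Data Contributor, scoped to the storage account only.
SERVICE_PRINCIPAL_NAME=Exzilla-sp-14032022
PASSWORD=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" --role "Storage Blob Data Contributor" --scopes "$MY_SCOPES" --query "password" --output tsv)
USER_NAME=$(az ad sp list --display-name "$SERVICE_PRINCIPAL_NAME" --query "[].appId" --output tsv)

# Sign in as the service principal.
az login --service-principal -u "$USER_NAME" -p "$PASSWORD" --tenant "<mytenant>.onmicrosoft.com"

# SAS expiry: 30 minutes from now, in UTC (GNU date syntax).
END=$(date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ')

# --auth-mode login with --as-user signs the SAS with a user delegation key instead of the account key.
# --output tsv returns the URI without the surrounding JSON quotes.
# The azcopy download below only uses the read (r) permission.
SAS4BLOB=$(az storage blob generate-sas \
    --account-name m14storage \
    --container-name data0314 \
    --name "kblob-file-001.txt" \
    --permissions acdrw \
    --expiry "$END" \
    --auth-mode login \
    --as-user \
    --full-uri \
    --output tsv)

# Download the blob to the current directory using the SAS URI.
azcopy copy "$SAS4BLOB" .
```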
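A check that can be run on `$SAS4BLOB` before the URI is passed on, as an added example that is not part of the original sample: it confirms the token is a user delegation SAS (the `skoid`/`sktid` fields are absent from a key-signed SAS), that `sp` grants nothing beyond an allow-list, and that `se` falls within a maximum lifetime. The function names, finding labels and sample URLs are constructed for illustration.

```bash
# Added example, not part of the original sample. Needs GNU date, like the script above.
# sas_param URL KEY -> value of KEY in the SAS query string (empty if absent)
sas_param() {
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_sas URL MAX_MINUTES ALLOWED_PERMS [NOW_EPOCH]
# Prints "ok" and returns 0, or prints the findings and returns 1.
check_sas() {
  url=$1 max_min=$2 allowed=$3 now=${4:-$(date -u +%s)} findings=""
  # skoid/sktid (signing identity and tenant) exist only on a user delegation SAS.
  for key in skoid sktid; do
    [ -n "$(sas_param "$url" "$key")" ] || findings="$findings missing-$key"
  done
  # sp: every granted permission letter must be on the allow-list.
  sp=$(sas_param "$url" sp)
  extra=$(printf '%s' "$sp" | tr -d "$allowed")
  if [ -z "$sp" ] || [ -n "$extra" ]; then
    findings="$findings perms-beyond-$allowed:$extra"
  fi
  # se: decode %3A, then require an unexpired token within the lifetime cap.
  se=$(sas_param "$url" se | sed 's/%3[Aa]/:/g; s/T/ /; s/Z$/ UTC/')
  exp=$(date -u -d "$se" +%s 2>/dev/null) || exp=""
  if [ -z "$se" ] || [ -z "$exp" ]; then
    findings="$findings bad-expiry"
  elif [ "$exp" -le "$now" ]; then
    findings="$findings expired"
  elif [ $(( $exp - $now )) -gt $(( $max_min * 60 )) ]; then
    findings="$findings lifetime-over-${max_min}m"
  fi
  if [ -n "$findings" ]; then
    printf '%s\n' "${findings# }"
    return 1
  fi
  echo ok
}

# Constructed sample URLs (placeholder IDs and signature), all expiring 2022-03-14T10:30Z.
BLOB="https://m14storage.blob.core.windows.net/data0314/kblob-file-001.txt"
UD="skoid=00000000-0000-0000-0000-000000000001&sktid=00000000-0000-0000-0000-000000000002&sig=CONSTRUCTED"
SAS_OK="$BLOB?se=2022-03-14T10%3A30Z&sp=r&$UD"        # user delegation, read only
SAS_WIDE="$BLOB?se=2022-03-14T10%3A30Z&sp=racwd&$UD"  # the permissions the sample requests
SAS_KEY="$BLOB?se=2022-03-14T10%3A30Z&sp=r&sig=CONSTRUCTED"  # no skoid/sktid: key-signed
NOW=1647252300   # 2022-03-14T10:05Z, 25 minutes before expiry

check_sas "$SAS_OK" 30 r "$NOW"   # prints: ok
```

In the sample above, `check_sas "$SAS4BLOB" 30 r` reports the extra `acwd` permissions, since the azcopy download only needs `r`.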
See Also:
- https://docs.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-generate-sas
- https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
- https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli
- https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-login
Questions:
- How should the service principal's (SP) password be protected?