Sample: create a user delegation SAS for a blob with the Azure CLI, then copy the blob file with azcopy using the SAS token
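# The storage account, container and blob named below are not created by this sample.
MY_RG=11-11RG
SUB_ID="<SUBID>"
MY_SCOPES="/subscriptions/$SUB_ID/resourceGroups/$MY_RG/providers/Microsoft.Storage/storageAccounts/m14storage"
RG_ID=$(az group create --name "$MY_RG" --location southeastasia --query "id" --output tsv)
SERVICE_PRINCIPAL_NAME=Exzilla-sp-14032022
# Create the service principal with a data-plane role scoped to the storage account; capture its secret.
PASSWORD=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" --role "Storage Blob Data Contributor" --scopes "$MY_SCOPES" --query "password" --output tsv)
USER_NAME=$(az ad sp list --display-name "$SERVICE_PRINCIPAL_NAME" --query "[].appId" --output tsv)
# Sign in as the service principal so the SAS is signed with its Azure AD credentials (--as-user).
az login --service-principal -u "$USER_NAME" -p "$PASSWORD" --tenant "<mytenant>.onmicrosoft.com"
# SAS expiry: 30 minutes from now, in UTC (GNU date syntax).
END=$(date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ')
# --output tsv keeps the JSON quotes out of the captured URI.
SAS4BLOB=$(az storage blob generate-sas \
--account-name m14storage \
--container-name data0314 \
--name "kblob-file-001.txt" \
--permissions acdrw \
--expiry "$END" \
--auth-mode login \
--as-user \
--full-uri \
--output tsv)
# Download the blob to the current directory; quote the URI because it contains '&'.
azcopy copy "$SAS4BLOB" .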
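An added check, not part of the original sample: before the URI is passed to azcopy, confirm that it is a user delegation SAS, that `sp` grants no more than the transfer needs (a download needs only `r`, while the sample requests `acdrw`), and that `se` is no later than intended. The function names and the sample URIs are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a SAS URI before handing it to azcopy.

# sas_param URI NAME -> value of query parameter NAME (only %3A is decoded,
# which is enough for the sp, se, skoid and sktid fields read here).
sas_param() {
    case $1 in
        *\?*) query=${1#*\?} ;;
        *)    query= ;;
    esac
    printf '%s\n' "$query" | tr '&' '\n' | sed -n "s/^$2=//p" |
        head -n 1 | sed 's/%3[Aa]/:/g'
}

# sas_check URI ALLOWED_PERMS LATEST_EXPIRY (YYYY-MM-DDTHH:MM, UTC)
# Returns 0 only if every check passes; prints one line per failed check.
sas_check() {
    uri=$1; allowed=$2; latest=$3; rc=0
    # A user delegation SAS names the signing principal and its tenant.
    if [ -z "$(sas_param "$uri" skoid)" ] || [ -z "$(sas_param "$uri" sktid)" ]; then
        echo "FAIL: no skoid/sktid, not a user delegation SAS"; rc=1
    fi
    # Every letter in sp must be in the allowed set.
    perms=$(sas_param "$uri" sp)
    extra=$(printf '%s' "$perms" | tr -d "$allowed")
    if [ -z "$perms" ] || [ -n "$extra" ]; then
        echo "FAIL: sp='$perms' exceeds allowed '$allowed'"; rc=1
    fi
    # Same-format UTC timestamps order correctly as plain strings.
    expiry=$(sas_param "$uri" se | cut -c1-16)
    if [ -z "$expiry" ] || expr "x$expiry" \> "x$latest" >/dev/null; then
        echo "FAIL: se='$expiry' is missing or later than $latest"; rc=1
    fi
    return "$rc"
}

# Constructed sample URIs (shortened, placeholder IDs and signature).
BASE='https://m14storage.blob.core.windows.net/data0314/kblob-file-001.txt'
IDS='skoid=00000000-0000-0000-0000-000000000001&sktid=00000000-0000-0000-0000-000000000002'
SAS_AS_IN_SAMPLE="$BASE?se=2022-03-14T10%3A30Z&sp=acdrw&sr=b&$IDS&sig=PLACEHOLDER"
SAS_READ_ONLY="$BASE?se=2022-03-14T10%3A30Z&sp=r&sr=b&$IDS&sig=PLACEHOLDER"
SAS_NO_IDENTITY="$BASE?se=2022-03-14T10%3A30Z&sp=r&sr=b&sig=PLACEHOLDER"

for u in "$SAS_AS_IN_SAMPLE" "$SAS_READ_ONLY" "$SAS_NO_IDENTITY"; do
    sas_check "$u" r "2022-03-14T11:00" && echo "OK: safe to pass to azcopy" || echo "-> rejected"
done
```

In the sample's flow the call would be `sas_check "$SAS4BLOB" r "$(date -u -d '30 minutes' '+%Y-%m-%dT%H:%M')"`, placed just before `azcopy copy`.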
See Also:
- https://docs.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-generate-sas
- https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
- https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli
- https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-login
Questions:
- How should the service principal's (SP's) password be protected?
