New-AzStorageContainerSasToken won't work with New-AzStorageContext -UseConnectedAuth

[JustinGrote]

Description

This example doesn't work: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell.

-UseConnectedAccount does fetch an oauth token, but New-AzStorage*SasToken commands fail with Cannot create Shared Access Signature unless Account Key credentials are used.

Steps to reproduce

Tested with a subscription owner (full permissions)

Issue

$context = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

#This will be blank
$context.storageaccount.credentials.ExportBase64EncodedKey()
#Will be true
$context.storageaccount.credentials.IsToken

New-AzStorageContainerSasToken -Context $context -Container $container -Permission r

Cannot create Shared Access Signature unless Account Key credentials are used.
At line:3 char:1
+ New-AzStorageContainerSasToken -Context $context -Container $containe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageContainerSASToken], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzureStorageContainerSasTokenCommand

Workarounds

1. Get storage account and derive context from that. Requires Contribute rights to the management of the storage account in order to run Get-AzStorageAccount (not ideal)

$storageAccount = Get-AzStorageAccount -Name $storageAccountName -ResourceGroupName $resourcegroupname
$context = $storageAccount.context
#This will actually show a key available
$context.storageaccount.credentials.ExportBase64EncodedKey()
#Will be true since it fetched an access key with Get-AzStorageAccount
$context.storageaccount.credentials.issharedkey

New-AzStorageContainerSasToken -Context $context -Container $container -Permission r

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19008.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19008.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Name          Version
----          -------
Az.Accounts   1.6.3  
Az.Automation 1.3.4
Az.Resources  1.7.0
Az.Storage    1.8.0

Also reproduced on powershell core and Azure Cloud Shell

Debug output

$context = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
DEBUG: 6:04:51 PM - NewAzureStorageContext begin processing with ParameterSet 'OAuthAccount'.
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '46a492ab-992f-49e9-a3d4-32120e848c35', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://storage.azure.com', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/46a492ab-992f-49e9-a3d4-32120e848c35/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '46a492ab-992f-49e9-a3d4-32120e848c35', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0703630Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0706791Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0714262Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition started: 
        CacheType: null
        Authentication Target: User
        , Authority Host: login.microsoftonline.com

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0716497Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition started:
        Authority: https://login.microsoftonline.com/46a492ab-992f-49e9-a3d4-32120e848c35/
        Resource: https://storage.azure.com
        ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
        CacheType: null
        Authentication Target: User

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5059265Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5060693Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5091087Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 8 items to token cache.

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5139173Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5140311Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5173095Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5174001Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5190203Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: 51.6141169316667 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5190886Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: 51.6141169316667 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5191453Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5191803Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5220298Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 10/30/2019 1:56:28 AM +00:00

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5221453Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 10/30/2019 1:56:28 AM +00:00Access Token Hash: T+2dWRFJaKyeHp6ojkc82lA098NQs1Py/rhQbupFwR0=
         User id: 2325542a-426b-4a67-a949-4baa3f28b69c

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '10/30/2019 01:56:28 +00:00', MultipleResource? 'True', Tenant: '46a492ab-992f-49e9-a3d4-32120e848c35', UserId: 'jgrote@allieddigital.net'DEBUG: [Common.Authentication]: User info for token DisplayId: 'jgrote@allieddigital.net', Name:  , IdProvider: 'https://sts.windows.net/2f46c040-48e3-4eb8-8fbf-418417f64401/', Uid: '2325542a-426b-4a67-a949-4baa3f28b69c'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '10/30/2019 01:56:28 +00:00' Comparing to '10/30/2019 01:04:51 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:51:36.8413749'
DEBUG: 10/29/2019 6:04:51 PM: token:eyJ0eXA<truncated>

Error output

New-AzStorageContainerSasToken -Context $context -Container $container -Permission r

Cannot create Shared Access Signature unless Account Key credentials are used.
At line:3 char:1
+ New-AzStorageContainerSasToken -Context $context -Container $containe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageContainerSASToken], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzureStorageContainerSasTokenCommand

[blueww]

@JustinGrote
Please note, the feature is not GA, so only available in preview module of Az.Storage.
In https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell, it says you need install Az.storage 1.3.1-preview in Step #5, and need to import it after step #6

But you use Az.Storage 1.8.0, which is stable release, and not support this feature.
You can install the latest preview module 1.8.2-preview to use it.

Install-Module Az.Storage `
    –Repository PSGallery `
    -RequiredVersion 1.8.2-preview `
    –AllowPrerelease `
    –AllowClobber `
    –Force

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage

[JustinGrote]

I just tested and this did work with preview. When I tried with preview it was the 4.x module. This can be closed.

…

On Tue, Oct 29, 2019 at 7:11 PM Wei Wei ***@***.***> wrote: @JustinGrote <https://github.com/JustinGrote> Please note, the feature is not GA, so only available in preview module of Az.Storage. In https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell, it says you need install Az.storage 1.3.1-preview in Step #5 <#5>, and need to import it after step #6 <#6> But you use Az.Storage 1.8.0, which is stable release, and not support this feature. You can install the latest preview module 1.8.2-preview to use it. Install-Module Az.Storage ` –Repository PSGallery ` -RequiredVersion 1.8.2-preview ` –AllowPrerelease ` –AllowClobber ` –Force — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10423?email_source=notifications&email_token=ADUNKURRP3MT6YWISO7DLQTQRDUL5A5CNFSM4JGSAE4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECSVR5I#issuecomment-547707125>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADUNKUQLNHVQKBB4NXFNKM3QRDUL5ANCNFSM4JGSAE4A> .

[vnextcoder]

it appears that the issue is again back with Az.Storage Version 2.3 . I have just experienced the same as per the @JustinGrote

get-module -name Az.Storage

ModuleType Version Name ExportedCommands

---

Script 2.3.0 Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolic...

get-module -name Az.Accounts

ModuleType Version Name ExportedCommands

---

Script 1.9.1 Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount...

$ctx = New-AzStorageContext -StorageAccountName secretstore -UseConnectedAccount
New-AzStorageContainerSASToken -Context $ctx `

-Name appdata  `
-Permission racwdl `
-ExpiryTime 22-07-2020

New-AzStorageContainerSASToken : This request is not authorized to perform this operation using this permission. HTTP Status Code:
403 - HTTP Error Message: This request is not authorized to perform this operation using this permission.
ErrorCode: AuthorizationPermissionMismatch
ErrorMessage: This request is not authorized to perform this operation using this permission.
RequestId:f725bc07-701e-0002-08dd-5d3828000000
Time:2020-07-19T15:01:46.8890151Z
At line:1 char:1

• New-AzStorageContainerSASToken -Context $ctx `
  • FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzureStorageContainerSasToken

[blueww]

@vnextcoder

The error is because your oauth account don't have permission to generateUserDelegationKey.
To get SAS with Oauth storage context (New-AzStorageContext -UseConnectedAuth), we need first generate UserDelegationKey from server , then use the key to generate the SAS token.

Please check have you assigned correct roles to the Oauth login user (with Connect-AzAccount). like at least one of the following 4 roles on the specific storage account:

• Storage Blob Data Owner
• Storage Blob Data Contributor
• Storage Blob Data Reader
• Storage Blob Delegator

[vnextcoder]

Well, I was using my Administrator Account. still I should be required to get a new Context ?

[blueww]

The administrator account might only have the management plans roles, but not dataplane roles. (Like the management plane row "owner" don't have dataplane permission, but can assign the dataplane role to yourself)
Please make sure your login account has at least one of the above 4 roles on the related storage account.

You can find the details of all roles in link.

[vnextcoder]

I think I confused you in earlier comment.
I am using the Account which was used to Sign Up the Azure Subscription (Global Administrator) .

Should it not work with Global Administrator as well ?

[blueww]

@vnextcoder
When the account doesn't have the above 4 roles on the storage account ,even it's Global Administrator, it won't work to generate Oauth sas.