az keyvault storage sas-definition

Manage storage account SAS definitions.

Commands

az keyvault storage sas-definition create

Creates or updates a new SAS definition for the specified storage account.

az keyvault storage sas-definition delete

Deletes a SAS definition from a specified storage account.

az keyvault storage sas-definition list

List storage SAS definitions for the given storage account.

az keyvault storage sas-definition list-deleted

Lists deleted SAS definitions for the specified vault and storage account.

az keyvault storage sas-definition recover

Recovers the deleted SAS definition.

az keyvault storage sas-definition show

Gets information about a SAS definition for the specified storage account.

az keyvault storage sas-definition show-deleted

Gets the specified deleted SAS definition.

az keyvault storage sas-definition update

Updates the specified attributes associated with the given SAS definition.

az keyvault storage sas-definition create

Creates or updates a new SAS definition for the specified storage account.

az keyvault storage sas-definition create --account-name
                                          --name
                                          --sas-type {account, service}
                                          --template-uri
                                          --validity-period
                                          --vault-name
                                          [--disabled {false, true}]
                                          [--tags]

Examples

Add a sas-definition for an account sas-token

# Generate the template token; --output tsv returns it without JSON quotes.
sastoken=$(az storage account generate-sas --expiry 2020-01-01 --permissions rw \
    --resource-types sco --services bfqt --https-only --account-name storageacct \
    --account-key 00000000 --output tsv)

az keyvault storage sas-definition create --vault-name vault --account-name storageacct \
    -n rwallserviceaccess --validity-period P2D --sas-type account --template-uri "$sastoken"

Add a sas-definition for a blob sas-token

sastoken=$(az storage blob generate-sas --account-name storageacct --account-key 00000000 \
    -c container1 -n blob1 --https-only --permissions rw --output tsv)

url=$(az storage blob url --account-name storageacct -c container1 -n blob1 --output tsv)

# Service templates are the full blob URL followed by the SAS token.
az keyvault storage sas-definition create --vault-name vault --account-name storageacct \
    -n rwblobaccess --validity-period P2D --sas-type service --template-uri "${url}?${sastoken}"

Required Parameters

--account-name

Name to identify the storage account in the vault.

--name -n

Name to identify the SAS definition in the vault.

--sas-type

The type of SAS token the SAS definition will create.

accepted values: account, service

--template-uri

The SAS definition token template, signed with the key 00000000. For an account token this is only the SAS token itself; for service tokens it is the full service endpoint URL along with the SAS token. Tokens created according to the SAS definition will have the same properties as the template.

--validity-period

The validity period of SAS tokens created according to the SAS definition, as an ISO-8601 duration, such as "PT12H" for 12-hour tokens.

--vault-name

Name of the key vault.

Optional Parameters

--disabled

Add the storage account in a disabled state.

accepted values: false, true

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
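A pre-flight check for the --sas-type, --template-uri and --validity-period values described above, as an added example that is not part of the Azure CLI or its documentation. The function names, the policy defaults (allowed_perms, max_validity) and the sample templates are assumptions constructed for illustration; sp, spr and sig are the standard SAS query fields for permissions, protocol and signature.

```python
import re
from datetime import timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed samples; account name, container and signature are placeholders.
ACCOUNT_TEMPLATE = "sv=2019-02-02&ss=bfqt&srt=sco&sp=rw&se=2020-01-01&spr=https&sig=CONSTRUCTED"
SERVICE_TEMPLATE = ("https://storageacct.blob.core.windows.net/container1/blob1"
                    "?sv=2019-02-02&sr=b&sp=rwd&se=2020-01-01&sig=CONSTRUCTED")

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_validity(period):
    """Parse the day/time subset of ISO-8601 durations, e.g. P2D or PT12H."""
    m = _DURATION.match(period)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported validity period: {period!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def check_template(sas_type, template_uri, validity_period,
                   allowed_perms="rl", max_validity=timedelta(days=2)):
    """Return findings (empty list = pass); the defaults are example policy only."""
    findings = []
    parts = urlsplit(template_uri)
    is_url = bool(parts.scheme and parts.netloc)
    query = parts.query if is_url else template_uri.lstrip("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    # Template shape must match --sas-type: bare token vs. endpoint URL + token.
    if sas_type == "account" and is_url:
        findings.append("account template must be the bare SAS token, not a URL")
    if sas_type == "service" and not is_url:
        findings.append("service template must be the endpoint URL plus the SAS token")
    if is_url and parts.scheme != "https":
        findings.append("service endpoint is not https")
    # Issued tokens inherit these properties from the template.
    if params.get("spr") != "https":
        findings.append("protocol not restricted to https (spr=https missing)")
    extra = set(params.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("permissions beyond policy: " + "".join(sorted(extra)))
    if "sig" not in params:
        findings.append("template carries no signature (sig)")
    if parse_validity(validity_period) > max_validity:
        findings.append(f"validity period {validity_period} exceeds policy maximum")
    return findings

if __name__ == "__main__":
    print(check_template("account", ACCOUNT_TEMPLATE, "P2D", allowed_perms="rw"))
    print(check_template("service", SERVICE_TEMPLATE, "P7D"))
```

Running the check before `sas-definition create` or `update` catches an over-broad template once, rather than in every token Key Vault later issues from it.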

az keyvault storage sas-definition delete

Deletes a SAS definition from a specified storage account.

This operation requires the storage/deletesas permission.

az keyvault storage sas-definition delete [--account-name]
                                          [--id]
                                          [--name]
                                          [--vault-name]

Optional Parameters

--account-name

Name to identify the storage account in the vault. Required if --id is not specified.

--id

Id of the SAS definition. If specified, all other 'Id' arguments should be omitted.

--name -n

Name to identify the SAS definition in the vault. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage sas-definition list

List storage SAS definitions for the given storage account.

This operation requires the storage/listsas permission.

az keyvault storage sas-definition list --account-name
                                        --vault-name
                                        [--maxresults]

Required Parameters

--account-name

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

az keyvault storage sas-definition list-deleted

Lists deleted SAS definitions for the specified vault and storage account.

The Get Deleted SAS Definitions operation returns the SAS definitions that have been deleted for a vault enabled for soft-delete. This operation requires the storage/listsas permission.

az keyvault storage sas-definition list-deleted --account-name
                                                --vault-name
                                                [--maxresults]

Required Parameters

--account-name

Name to identify the storage account in the vault.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

az keyvault storage sas-definition recover

Recovers the deleted SAS definition.

Recovers the deleted SAS definition for the specified storage account. This operation can only be performed on a soft-delete enabled vault. This operation requires the storage/recover permission.

az keyvault storage sas-definition recover --account-name
                                           --name
                                           --vault-name

Required Parameters

--account-name

Name to identify the storage account in the vault.

--name -n

Name to identify the SAS definition in the vault.

--vault-name

Name of the key vault.

az keyvault storage sas-definition show

Gets information about a SAS definition for the specified storage account.

This operation requires the storage/getsas permission.

az keyvault storage sas-definition show [--account-name]
                                        [--id]
                                        [--name]
                                        [--vault-name]

Optional Parameters

--account-name

Name to identify the storage account in the vault. Required if --id is not specified.

--id

Id of the SAS definition. If specified, all other 'Id' arguments should be omitted.

--name -n

Name to identify the SAS definition in the vault. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault storage sas-definition show-deleted

Gets the specified deleted SAS definition.

The Get Deleted SAS Definition operation returns the specified deleted SAS definition along with its attributes. This operation requires the storage/getsas permission.

az keyvault storage sas-definition show-deleted --account-name
                                                --name
                                                --vault-name

Required Parameters

--account-name

Name to identify the storage account in the vault.

--name -n

Name to identify the SAS definition in the vault.

--vault-name

Name of the key vault.

az keyvault storage sas-definition update

Updates the specified attributes associated with the given SAS definition.

This operation requires the storage/setsas permission.

az keyvault storage sas-definition update [--account-name]
                                          [--disabled {false, true}]
                                          [--id]
                                          [--name]
                                          [--sas-type {account, service}]
                                          [--tags]
                                          [--template-uri]
                                          [--validity-period]
                                          [--vault-name]

Optional Parameters

--account-name

Name to identify the storage account in the vault. Required if --id is not specified.

--disabled

Add the storage account in a disabled state.

accepted values: false, true

--id

Id of the SAS definition. If specified, all other 'Id' arguments should be omitted.

--name -n

Name to identify the SAS definition in the vault. Required if --id is not specified.

--sas-type

The type of SAS token the SAS definition will create.

accepted values: account, service

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--template-uri

The SAS definition token template, signed with the key 00000000. For an account token this is only the SAS token itself; for service tokens it is the full service endpoint URL along with the SAS token. Tokens created according to the SAS definition will have the same properties as the template.

--validity-period

The validity period of SAS tokens created according to the SAS definition, as an ISO-8601 duration, such as "PT12H" for 12-hour tokens.

--vault-name

Name of the key vault. Required if --id is not specified.