Using Azure storage shared access signatures in PowerShell

Here’s another quick PowerShell snippet I hope will be useful to you in Azure. It creates an Azure storage account shared access signature (SAS) and is very simple, but the process is documented all over the place and at varying levels of usability. My experience with Azure over the past year has been that Azure’s number one DevOps challenge is poor documentation (and number two is poor Microsoft support). So, when I successfully “synthesize” some technique, I like to share it with others in case they find themselves scratching their heads, as I often do when it comes to figuring out DevOps in Azure.

The task I undertook was to re-install Azure Linux Diagnostic Extension 2.3 on an Ubuntu Linux server (this one!). This Linux VM was built from an Azure Marketplace image and came with LAD 2.3 pre-installed. I removed version 2.3 using the portal, as instructed, in an attempt to install version 3.0 of the Linux Diagnostic Extension.

Installation of the updated LAD 3.0 did not go well — it conflicts with the OMS extension and Microsoft has not fixed this yet.

I guess I shouldn’t have been surprised to discover that while you can remove LAD 2.3 using the Azure portal, apparently you cannot install it via the portal. Despite the documentation saying it can be installed via the portal, LAD doesn’t appear in the list of extensions for an add operation.

I figured that wouldn’t be an issue because anything you can do in the Azure portal can usually be done (better) in code. But, the LAD 2.3 doc page only offers an Azure CLI v1 example for re-installing LAD 2.3. Naturally, I decided to do it in PowerShell. 🙂

A required input to the installation is a JSON file containing an Azure storage account shared access signature. The Azure storage SAS is a clever way to permit specific users to access storage account resources without sharing the storage account’s keys. In addition, an Azure SAS can specify which storage services can be accessed, which operations are permitted on them, and for how long.

And there is where the documentation fails, in my opinion. To answer the question, “What are the types, duration and accesses that are required to allow LAD 2.3 to access a storage account?” you must look at three or four different pages, none of which really condenses the information needed. In addition to the LAD 2.3 and LAD 3.0 pages linked above, you also need to refer to the Azure Storage shared access signature documentation and the page for New-AzureStorageAccountSASToken. Phew!

If you’ve made it this far, you really, really want to do this, so here’s the code. It generates a shared access signature suitable for use in the “private” JSON file you must provide to the extension and writes it to a file on your desktop. Note that the comments in the code detail what permissions are created.

<#
    .SYNOPSIS
        Generates an Azure Storage shared access signature suitable for use with the Azure Linux diagnostics extension
    
    .PARAMETER StorageAccount
        The name of the Azure Storage account in which to generate the SAS.
    
    .PARAMETER ResourceGroupName
        The resource group name containing the Azure Storage account.
    
    .PARAMETER AzureRmContext
        The name of a saved Azure context for authorization.
    
    .EXAMPLE
        .\CreateAzureStorageSharedAccountSignatureForLinuxDiagnosticExtension.ps1 -StorageAccount [string] -ResourceGroupName [string] -AzureRmContext [string]
    
    .NOTES
        Alex Neihaus 2018-05-02
        (c) 2018 Air11 Technology LLC -- licensed under the Apache OpenSource 2.0 license, https://opensource.org/licenses/Apache-2.0
        Licensed under the Apache License, Version 2.0 (the "License");
        you may not use this file except in compliance with the License.
        You may obtain a copy of the License at
        http://www.apache.org/licenses/LICENSE-2.0
        
        Unless required by applicable law or agreed to in writing, software
        distributed under the License is distributed on an "AS IS" BASIS,
        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        See the License for the specific language governing permissions and
        limitations under the License.
        
        Author's blog: https://yobyot.com
#>
param
(
    [Parameter(Mandatory = $true)]
    [string]$StorageAccount,
    [Parameter(Mandatory = $true)]
    [string]$ResourceGroupName,
    [string]$AzureRmContext
)

If ($AzureRmContext)
{
    Import-Module AzureRM.profile
    Select-AzureRmContext $AzureRmContext
}

# Get the storage account context; it carries the account key that will sign the SAS
$c = (Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccount).Context
# Create a never-expiring account SAS for the Blob and Table services, scoped to containers and objects,
# with write (w), list (l), add (a), create (c) and update (u) permissions. Read and delete are not granted.
# An account SAS is validated against the key that signed it, so the only way to revoke this token
# before it expires is to regenerate that storage account key.
# Trim the leading question mark, as it is not part of the SAS itself.
$sas = (New-AzureStorageAccountSASToken -Service Blob, Table -ResourceType Container, Object -Permission "wlacu" -ExpiryTime "9999-12-31T23:59Z" -Context $c).Trim("?")
# The SAS is a bearer credential: anyone holding it has these rights until expiry, so protect this file as you would the account key
$sas | Out-File $HOME\Desktop\AzureSas.Txt
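Before dropping a SAS into an extension’s protected settings, it is worth checking what it actually grants. Here is an added example (not part of the original script) that parses the token’s query parameters and flags over-broad permissions, a far-future expiry, or a missing HTTPS restriction. The field names (ss, srt, sp, se, spr, sig) are Azure’s account-SAS parameters; the function names are hypothetical and the sample token is constructed with a fake signature.

```powershell
# Added example, not from the original post. Parses an account SAS and reports anything a
# reviewer would want to know before the token is handed to an extension. Query parameter
# names (ss, srt, sp, se, spr, sig) are Azure's account-SAS fields; function names are hypothetical.
function Get-SasTokenProperties {
    param([Parameter(Mandatory = $true)][string]$SasToken)
    $props = @{}
    foreach ($pair in $SasToken.TrimStart('?') -split '&') {
        $key, $value = $pair -split '=', 2
        $props[$key] = if ($value) { [System.Uri]::UnescapeDataString($value) } else { '' }
    }
    $props
}

function Test-SasTokenPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$SasToken,
        [string]$AllowedPermissions = 'wlacu',   # the set the script above grants
        [int]$MaxLifetimeDays = 365
    )
    $p = Get-SasTokenProperties -SasToken $SasToken
    $findings = @()

    # Permissions outside the expected set (for example 'r' or 'd') mean the token is over-provisioned.
    $extra = $p['sp'].ToCharArray() | Where-Object { $AllowedPermissions.IndexOf($_) -lt 0 }
    if ($extra) { $findings += "Unexpected permissions: $(-join $extra)" }

    # An account SAS can only be revoked by rotating the key that signed it, so a far-future
    # expiry ('se') leaves key rotation as the only kill switch.
    $expiry = [datetimeoffset]::Parse($p['se']).UtcDateTime
    if ($expiry -gt (Get-Date).ToUniversalTime().AddDays($MaxLifetimeDays)) {
        $findings += "Expiry $($p['se']) is more than $MaxLifetimeDays days out"
    }

    # 'spr=https' (set with -Protocol HttpsOnly on New-AzureStorageAccountSASToken) confines the token to TLS.
    if ($p['spr'] -ne 'https') { $findings += "Token is not restricted to HTTPS" }

    [pscustomobject]@{
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
        Properties = $p
    }
}

# Constructed sample with the shape the script above produces; the signature is fake.
$sample = 'sv=2017-07-29&ss=bt&srt=co&sp=wlacu&se=9999-12-31T23:59:00Z&sig=FAKESIGNATURE'
Test-SasTokenPolicy -SasToken $sample | Format-List
```

Run against the constructed sample, the check reports the never-expiring token and the missing HTTPS restriction while accepting the permission set.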
