Azure-cli: generate-sas creates SAS without t after ss= even though I specified table service in --services

Created on 3 Nov 2017 · 9Comments · Source: Azure/azure-cli

I tried to use generate-sas to create a SAS link with access to table service. But the created SAS token doesn't have t after ss==. It seems to intentionally ignore the request. The same command line works fine on my windows box with azure-cli(2.0.0). Is it a regression?

 az storage account generate-sas --account-name ubuntudiagnostic --expiry 2018-12-31T23:59Z --permissions wlacurdp --resource-types sco --services bfqt -o tsv --verbose
se=2018-12-31T23%3A59Z&sp=rwdlacup&sv=2017-04-17&**ss=bqf**&srt=sco&sig=<remove signature intentionally>

Environment summary

azure-cli (2.0.20)

acr (2.0.14)
acs (2.0.18)
appservice (0.1.19)
backup (1.0.2)
batch (3.1.6)
batchai (0.1.2)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.9)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.12)
core (2.0.20)
cosmosdb (0.1.14)
dla (0.0.13)
dls (0.0.16)
eventgrid (0.1.5)
extension (0.0.5)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.13)
keyvault (2.0.13)
lab (0.0.12)
monitor (0.0.11)
network (2.0.17)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.8)
redis (0.2.10)
resource (2.0.17)
role (2.0.14)
servicefabric (0.0.5)
sql (2.0.14)
storage (2.0.18)
vm (2.0.17)

Python location '/opt/az/bin/python3'
Extensions directory '/home/fliang/.azure/cliextensions'

Python (Linux) 3.6.1 (default, Oct 18 2017, 20:41:18)
[GCC 4.8.4]

Legal docs and information: aka.ms/AzureCliLegal

Service Attention Storage

Source

fliang-ms

All 9 comments

Table service is being moved out of azure storage and integrating with CosmosDB service. Therefore the table will not fall under the storage service's SAS token anymore. We kept the command structure to avoid breaking change in short-term.

To generate a SAS for table service please use az storage table generate-sas command.

troydai on 3 Nov 2017

👎2

I will close this issue for now. Please feel free to reopen if you have any follow up question.

troydai on 3 Nov 2017

how can I generate a single SAS token for both blob and table? Actually I am following up steps on https://docs.microsoft.com/en-us/azure/virtual-machines/linux/diagnostic-extension to create a Linux diagnostic extension. One of step is to create a SAS token for the extension to access both blob and table service. How can I achieve it now? Additionally, it is a breaking change. Adding some warning message to the output would be super helpful.

fliang-ms on 3 Nov 2017

👍1

I use az storage account generate-sas --account-name $my_diagnostic_storage_account --expiry 9999-12-31T23:59Z --permissions wlacu --resource-types co --services bt -o tsv the result like ss=b&sp=wlacu&sv=2017-04-17&sig=uc93nbzWheETbFAti2rScRKBXzGSfjALpKU4SQUrgUU%3d&srt=co&se=9999-12-31T23%3A59Z the sas could not create tables in storage account. I can not enable diagnostic extension. Who can update this document.

Walter-Shui on 30 Jan 2018

👍1

I test in my lab, Azure Power Shell seems does not have this issue.

Walter-Shui on 30 Jan 2018

@troydai

tjprescott on 30 Jan 2018

I will take a look later today.

troydai on 30 Jan 2018

This may be fixed. Today I tried with Azure CLI 2.0.29. The 'ss' segment in the SAS included the "t".

$ az storage account generate-sas --account-name foobar --expiry 2099-01-30T23:59Z --permissions wlacu --resource-types co --services bt -o tsv

se=2099-01-30T23%3A59Z&sp=wlacu&sv=2017-07-29&ss=bt&srt=co&sig=98Q1IcjZl7CYZf%2BaTojx8qVuNQuDdDHrSnzzQJE4au0%3D