KevinBusch
commented
3 years ago Took a quick look at this and ran into issues when generating SAS tokens and attempting to use those SAS tokens when authenticating azcopy requests. For clarity, the current SAS tokens being used in the currently supported functionality is an account level SAS token that have an expiration date that can be set to any time in the future without limitation (100 years from now for instance). When generating them using Azure AD, it creates user SAS tokens that have a 7 day in the future expiration date limit.
See
src/and-cli-restore-azure-storage.ts. Currently, this aspect only supports authentication via a means of passing in an already generated SAS token. This is not ideal because this forces the SAS token to be generated up front for a very long period of time (lifetime of product). SAS tokens are required for interacting with blob storage usingazcopy. Suggest adding in support to useazcli to generate SAS using https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az_storage_container_generate_sas by first authenticating usingazin some other manner (service principle, username, etc...)