[Feature]: New-AzStorageBlobSASToken New-AzStorageAccountSASToken etc should support -AsSecureString

[NaridaL]

Description of the new feature

I'm creating a SAS url with New-AzStorageBlobSASToken and writing it to an AKV using Set-AzKeyVaultSecret.

Set-AzKeyVaultSecret expects a securestring, and when it doesn't get one, PowerShell is helpful and prints out the whole value. :-)

The New-AzStorage*SASToken powershell cmdlets should support an -AsSecureString parameter, which changes the return value to a secure string, similar to how Get-AzAccessToken handles it.

Proposed implementation details (optional)

No response

[blueww]

@NaridaL

Will following way to convert sas to a secureString works for you?

$sas = New-AzStorage*SASToken .....
$secureString =  ConvertTo-SecureString $sas -AsPlainText -Force

@isra-fel
Would you please help to guild how to make New-AzStorage*SASToken work together with Set-AzKeyVaultSecret?
What's the overall plan for -AsSecureString parameter across all PSH cmdlets?

[NaridaL]

@blueww yes that works as a workaround, but it is getting flagged by our code quality pipelines.

However it is getting flagged by PSScriptAnalyzer PSAvoidUsingConvertToSecureStringWithPlainText
https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingconverttosecurestringwithplaintext?view=ps-modules

[blueww]

@YanaXu , @isra-fel

Do you have any idea how to have the secure string related flag?

[isra-fel]

Thanks for your feedback
@YanaXu could you share our proposal for redesign New-AzStorageBlobSASToken cmdlet?

[YanaXu]

Hi @blueww

Overall, our goal is to convert the output type from String to SecureString. To avoid breaking user usage and provide a graceful experience, we divide this conversion process into 3 steps:

• Step 1: Add an output type SecureString and introduce an optional parameter AsSecureString to control whether the output is String or SecureString. Also, add the breaking change message for Step 2.
  • PR example for step 1
• Step 2: Change the output type to only support SecureString, while keeping the AsSecureString parameter, but its value is no longer used. Add the breaking change message if necessary for Step 3.
  • PR example for step 2
• Step 3 (Optional): Remove the AsSecureString parameter.

[blueww]

@YanaXu

Thanks for the update!
When do we plan to implement each steps in Storage?
Feel free to let me know if any action needed from storage team for this.

[YanaXu]

Hi @blueww,

We are preparing to implement this change across all modules. The design process is still ongoing, but it is nearing completion. Next, we will apply this change to each module sequentially.

If this issue is urgent, you can refer to my PRs, convert them into a ready PR, and proceed with the merge.