[Feature]: New-AzStorageBlobSASToken New-AzStorageAccountSASToken etc should support -AsSecureString #27110

Open
NaridaL opened this issue Feb 13, 2025 · 5 comments
Assignees
Labels
feature-request This issue requires a new behavior in the product in order be resolved.

Comments

@NaridaL
Contributor

NaridaL commented Feb 13, 2025

Description of the new feature

I'm creating a SAS URL with New-AzStorageBlobSASToken and writing it to an AKV using Set-AzKeyVaultSecret.

Set-AzKeyVaultSecret expects a securestring, and when it doesn't get one, PowerShell is helpful and prints out the whole value. :-)

The New-AzStorage*SASToken PowerShell cmdlets should support an -AsSecureString parameter, which changes the return value to a secure string, similar to how Get-AzAccessToken handles it.

Proposed implementation details (optional)

No response

@NaridaL NaridaL added feature-request This issue requires a new behavior in the product in order be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Feb 13, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Feb 13, 2025
@blueww
Member

blueww commented Feb 17, 2025

@NaridaL

Will the following way to convert the SAS to a SecureString work for you?

$sas = New-AzStorage*SASToken .....
$secureString =  ConvertTo-SecureString $sas -AsPlainText -Force

@isra-fel
Would you please help guide how to make New-AzStorage*SASToken work together with Set-AzKeyVaultSecret?
What's the overall plan for the -AsSecureString parameter across all PSH cmdlets?

@NaridaL
Contributor Author

NaridaL commented Feb 17, 2025

@blueww yes, that works as a workaround, but it is getting flagged by our code quality pipelines.

However, it is getting flagged by PSScriptAnalyzer PSAvoidUsingConvertToSecureStringWithPlainText:
https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingconverttosecurestringwithplaintext?view=ps-modules
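
An added example, not part of the original thread or the Az module: until an -AsSecureString parameter exists, one way to hand the token to Set-AzKeyVaultSecret without calling ConvertTo-SecureString -AsPlainText is to fill a SecureString directly. Both function names and all resource names are hypothetical, and the token still exists as a plain string in memory before it is converted.

```powershell
# Added example; function names and all resource names are hypothetical.
function ConvertTo-ReadOnlySecureString {
    [CmdletBinding()]
    [OutputType([System.Security.SecureString])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string] $Value
    )
    process {
        # Fill the SecureString character by character instead of calling
        # ConvertTo-SecureString -AsPlainText, then lock it against changes.
        $secure = [System.Security.SecureString]::new()
        foreach ($ch in $Value.ToCharArray()) { $secure.AppendChar($ch) }
        $secure.MakeReadOnly()
        $secure
    }
}

function Publish-BlobSasToKeyVault {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $Container,
        [Parameter(Mandatory)] [string] $Blob,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [int] $ValidHours = 1
    )
    # Requires an existing Connect-AzAccount session (assumption of this example).
    $expiry = (Get-Date).ToUniversalTime().AddHours($ValidHours)
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
    # Pipe the token straight into the converter so the caller keeps no
    # variable holding the plain string.
    $secureSas = New-AzStorageBlobSASToken -Context $ctx -Container $Container -Blob $Blob `
        -Permission r -ExpiryTime $expiry -FullUri | ConvertTo-ReadOnlySecureString
    # Let the secret expire together with the SAS and discard the returned
    # secret object so nothing is written to the console or a transcript.
    $null = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
        -SecretValue $secureSas -Expires $expiry
}

# Offline check with a constructed, non-functional SAS-like string.
$sample = 'https://example.blob.core.windows.net/c/b.txt?sv=0000-00-00&sig=CONSTRUCTED'
$converted = $sample | ConvertTo-ReadOnlySecureString
'{0} chars, read-only: {1}' -f $converted.Length, $converted.IsReadOnly()
```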

@blueww
Member

blueww commented Feb 17, 2025

@YanaXu , @isra-fel

Do you have any idea how to have the secure string related flag?

@isra-fel
Member

Thanks for your feedback.
@YanaXu could you share our proposal for redesigning the New-AzStorageBlobSASToken cmdlet?

@YanaXu
Contributor

YanaXu commented Feb 21, 2025

Hi @blueww

Overall, our goal is to convert the output type from String to SecureString. To avoid breaking user usage and provide a graceful experience, we divide this conversion process into 3 steps:

  • Step 1: Add an output type SecureString and introduce an optional parameter AsSecureString to control whether the output is String or SecureString. Also, add the breaking change message for Step 2.
  • Step 2: Change the output type to only support SecureString, while keeping the AsSecureString parameter, but its value is no longer used. Add the breaking change message if necessary for Step 3.
  • Step 3 (Optional): Remove the AsSecureString parameter.


4 participants