Add support for SAS key

README.md

@@ -10,7 +10,7 @@ Get precompiled binaries from the [releases page](https://github.com/evenh/az-bl
 
 ```bash
 export AZURE_ACCOUNT_NAME=myaccount
-export AZURE_ACCOUNT_KEY=secretKey
+export AZURE_ACCOUNT_KEY=secretKey # --sas-key is also supported as an alternative
 export AZURE_CONTAINER=migrationcontainer
 
 ./az-blob-hashdeep generate --account-name=$AZURE_ACCOUNT_NAME \

cmd/generate.go

@@ -29,6 +29,7 @@ import (
 var (
 	accountName string
 	accountKey  string
+	sasToken    string
 	container   string
 	outputFile  string
 	prefix      string
@@ -46,14 +47,15 @@ func init() {
 
 	generateCmd.Flags().StringVarP(&accountName, "account-name", "n", "", "Azure Blob Storage Account Name")
 	generateCmd.Flags().StringVarP(&accountKey, "account-key", "k", "", "Azure Blob Storage Account Key")
+	generateCmd.Flags().StringVarP(&sasToken, "sas-token", "s", "", "Azure Blob Storage SAS Token")
 	generateCmd.Flags().StringVarP(&container, "container", "c", "", "Azure Blob Storage container")
 	generateCmd.Flags().StringVarP(&outputFile, "output", "o", "", "File path to write results to (e.g. ~/az-hashdeep.txt)")
 	generateCmd.Flags().StringVarP(&prefix, "prefix", "p", "", "Optional prefix to prepend to file paths")
 	generateCmd.Flags().BoolVar(&calculate, "calculate", false, "Generate MD5 hashes locally instead of pulling from metadata")
 }
 
 func run(cmd *cobra.Command, args []string) {
-	c, err := internal.NewGenerateConfig(accountName, accountKey, container, outputFile, prefix, calculate, workerCount)
+	c, err := internal.NewGenerateConfig(accountName, accountKey, sasToken, container, outputFile, prefix, calculate, workerCount)
 
 	if err != nil {
 		log.Fatalf("Configuration error: %+v", err)

internal/config.go

@@ -17,22 +17,25 @@ package internal
 
 import (
 	"errors"
+	"strings"
 )
 
 type GenerateConfig struct {
 	AccountName string
 	AccountKey  string
+	SasToken    string
 	Container   string
 	OutputFile  string
 	Prefix      string
 	Calculate   bool
 	WorkerCount int
 }
 
-func NewGenerateConfig(account string, key string, container string, outputFile string, prefix string, calculate bool, workerCount int) (*GenerateConfig, error) {
+func NewGenerateConfig(account string, key string, sasToken string, container string, outputFile string, prefix string, calculate bool, workerCount int) (*GenerateConfig, error) {
 	config := &GenerateConfig{
 		AccountName: account,
 		AccountKey:  key,
+		SasToken:    sasToken,
 		Container:   container,
 		OutputFile:  outputFile,
 		Prefix:      prefix,
@@ -56,8 +59,12 @@ func (c *GenerateConfig) Validate() error {
 		return errors.New("account name must be specified")
 	}
 
-	if c.AccountKey == "" {
-		return errors.New("account key must be specified")
+	if c.AccountKey == "" && c.SasToken == "" {
+		return errors.New("either account key or SAS token must be specified")
+	}
+
+	if c.SasToken != "" {
+		c.SasToken = strings.TrimPrefix(c.SasToken, "?")
 	}
 
 	if c.OutputFile == "" {

internal/generate.go

@@ -150,17 +150,7 @@ func azureCheck(ctx context.Context, c *GenerateConfig) azblob.ContainerClient {
 	logger := log.WithField("phase", "azure_checks")
 	logger.Infof("request to traverse container '%s' from storage account '%s' – initiating self-test...", c.Container, c.AccountName)
 
-	// Configure credentials
-	u := fmt.Sprintf("https://%s.blob.core.windows.net/%s", c.AccountName, c.Container)
-
-	logger.Debug("checking if credentials passes a smoke test")
-	credential, err := azblob.NewSharedKeyCredential(c.AccountName, c.AccountKey)
-	if err != nil {
-		handleErrors("credential_configuration", err)
-		os.Exit(1)
-	}
-
-	container, err := azblob.NewContainerClientWithSharedKey(u, credential, nil)
+	container, err := configureContainerClient(c)
 	if err != nil {
 		handleErrors("az_client_configuration", err)
 		os.Exit(1)
@@ -178,3 +168,23 @@ func azureCheck(ctx context.Context, c *GenerateConfig) azblob.ContainerClient {
 
 	return container
 }
+
+func configureContainerClient(c *GenerateConfig) (azblob.ContainerClient, error) {
+	logger := log.WithField("phase", "configure_auth")
+	u := fmt.Sprintf("https://%s.blob.core.windows.net/%s", c.AccountName, c.Container)
+
+	if len(c.SasToken) > 0 {
+		logger.Infof("Using SAS token")
+		sasFormat := fmt.Sprintf("%s?%s", u, c.SasToken)
+		return azblob.NewContainerClientWithNoCredential(sasFormat, nil)
+	}
+
+	// Account key
+	logger.Infof("Using Account Key")
+	credential, err := azblob.NewSharedKeyCredential(c.AccountName, c.AccountKey)
+	if err != nil {
+		log.Fatalf("could not configure account key: %+v", err)
+	}
+
+	return azblob.NewContainerClientWithSharedKey(u, credential, nil)
+}