**************March 2021 Update************
It’s now possible to generate the Shared Access Signature using the online portal.
Storage accounts with Hierarchical Namespace enabled (also called Azure Data Lake Storage Gen2) have the main advantage of managing access through Azure AD authentication, which makes it possible to grant rights to a UPN (POSIX rights). However, for compatibility purposes, a large part of the Blob API remains accessible, so it is still possible to authenticate with the storage account key (even though that is bad practice) or with a SAS key.
Even though SAS tokens are now supported by ADLS Gen2, neither the Azure Storage Explorer interface nor the online explorer yet allows the signature to be generated.
Here is the PowerShell code that can be used to generate a read signature.
Example for the rights on a blob:
Connect-AzAccount
# Build a storage context from the account's connection string (keep it on one line).
$ctx = New-AzStorageContext -ConnectionString "DefaultEndpointsProtocol=https;AccountName=<AccountName>;AccountKey=<AccountKey>;EndpointSuffix=core.windows.net"
# Issue a read-only (r) SAS token scoped to a single blob.
New-AzStorageBlobSASToken -Container "<container>" -Blob "folder/file.csv" -Permission r -Context $ctx -StartTime "2019-01-01" -ExpiryTime "2030-01-01"
# Output: ?sv=2019-02-02&sr=b&sig=TFTCDZ0E2fqiOKssdqzdqzdqzdqm6yHyssqzzPEG%2FBoas%3D&st=2018-12-31T23%3A00%3A00Z&se=2029-12-31T23%3A00%3A00Z&sp=r
Example for the rights on a container object:
Connect-AzAccount
# Build a storage context from the account's connection string (keep it on one line).
$ctx = New-AzStorageContext -ConnectionString "DefaultEndpointsProtocol=https;AccountName=<AccountName>;AccountKey=<AccountKey>;EndpointSuffix=core.windows.net"
# Issue a read-only (r) SAS token scoped to the whole container.
New-AzStorageContainerSASToken -Container "<container>" -Permission r -Context $ctx -StartTime "2019-01-01" -ExpiryTime "2030-01-01"
# Output: ?sv=2019-02-02&sr=c&sig=TFTCDZ0E2fqiOKssdqzdqzdqzdqm6yHyssqzzPEG%2FBoas%3D&st=2018-12-31T23%3A00%3A00Z&se=2029-12-31T23%3A00%3A00Z&sp=r
All you have to do is append the returned string to the full URL of the file, and you will be able to access the data with the SAS token.
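The sample tokens above are valid from 2019 to 2030 and carry no spr (protocol) or si (stored access policy) field. As an added example, not code from the original post, the function below parses a SAS token offline and reports those properties before the token is handed out; Test-SasToken and its 7-day default limit are hypothetical, not part of the Az module.

```powershell
# Added example: Test-SasToken is a hypothetical helper, not an Az cmdlet.
function Test-SasToken {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [int] $MaxLifetimeDays = 7            # assumed policy limit
    )

    # Parse the query string into name -> URL-decoded value.
    $fields = @{}
    foreach ($pair in $Token.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        $fields[$name] = [uri]::UnescapeDataString([string]$value)
    }

    $inv      = [cultureinfo]::InvariantCulture
    $findings = [System.Collections.Generic.List[string]]::new()

    # Without an st field the token is valid from the moment it is issued.
    $start = [datetimeoffset]::UtcNow
    if ($fields.ContainsKey('st')) { $start = [datetimeoffset]::Parse($fields['st'], $inv) }

    $days = $null
    if ($fields.ContainsKey('se')) {
        $expiry = [datetimeoffset]::Parse($fields['se'], $inv)
        $days   = [math]::Round($expiry.Subtract($start).TotalDays, 1)
        if ($days -gt $MaxLifetimeDays) { $findings.Add("lifetime of $days days exceeds $MaxLifetimeDays") }
    } elseif (-not $fields.ContainsKey('si')) {
        $findings.Add('no expiry (se) and no stored access policy (si)')
    }

    # spr defaults to "https,http" when omitted, so plain HTTP is accepted.
    if ($fields['spr'] -ne 'https') { $findings.Add('HTTP allowed: spr is not "https"') }
    if ($fields.ContainsKey('sp') -and $fields['sp'] -notmatch '^[rl]+$') {
        $findings.Add("permissions beyond read/list: $($fields['sp'])")
    }
    if (-not $fields.ContainsKey('si')) {
        $findings.Add('ad hoc SAS: revocable only by rotating the signing key')
    }

    [pscustomobject]@{
        Resource     = $fields['sr']
        Permissions  = $fields['sp']
        LifetimeDays = $days
        Findings     = $findings
    }
}

# Field values taken from the blob example's output on this page; signature replaced by a placeholder.
$sample = '?sv=2019-02-02&sr=b&sig=<signature>&st=2018-12-31T23%3A00%3A00Z&se=2029-12-31T23%3A00%3A00Z&sp=r'
Test-SasToken -Token $sample | Format-List
```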
2 Comments
Nice article. 1 tip: you can use the -FullUri parameter on New-AzStorageBlobSASToken to return the full URL including SAS token.
Yes!