Automate BlobBridge SAS Rotation with Azure Functions

October 2025 • 10 min read

Keep BlobBridge running on least-privilege SAS tokens without chasing expiry dates.

BlobBridge relies on container-scoped SAS tokens. They should expire on a predictable cadence (90 days or less), but manual rotation is error-prone and usually the first task to slip. This walkthrough shows how to automate renewal with Azure Functions, Key Vault and user delegation keys so SharePoint admins never touch a token again.

Why automate rotation?

  • Short-lived tokens reduce blast radius. If a SAS leaks, the window of misuse is days, not months.
  • Auditors expect evidence. Automated logs and approvals prove your governance is real, not aspirational.
  • BlobBridge stays online. Scheduled rotation avoids midnight outages when a token silently expires.

Prerequisite: Follow the docs checklist to ensure storage account key access is enabled and the automation identity has the Storage Blob Data Owner role.

Reference architecture

Use the following components to keep responsibilities clear:

| Component | Purpose | Notes |
| --- | --- | --- |
| Azure Function (PowerShell) | Generates container SAS tokens with a user delegation key. | Managed identity needs the 'Storage Blob Data Owner' role. |
| Key Vault Secret | Stores the active SAS token. | Version history provides rollback if a rotation fails. |
| Timer Trigger (CRON) | Schedules rotation (for example the first day of the month). | Use 0 0 2 1 * * for 02:00 UTC on day one of each month. |
| Logic App (optional) | Notifies SharePoint admins and updates configuration. | Send a Teams/email message with the new expiry date. |

Implementation steps

  1. Create a system-assigned managed identity on the Function App and grant it the Storage Blob Data Owner role on the target storage account.
  2. Configure CORS for the storage account as described in the documentation so BlobBridge can consume the new SAS immediately.
  3. Add application settings for STORAGE_ACCOUNT_NAME, CONTAINER_NAME, KEYVAULT_URI and SAS_LIFETIME_DAYS (set to 90 for the default cadence).
  4. Create the Key Vault secret (for example blobbridge-container-sas) and grant the managed identity write permissions.
  5. Deploy the PowerShell function below and set the timer trigger to your required cadence.
  6. Update BlobBridge configuration to reference the Key Vault secret (via Azure App Configuration or your chosen secure store).

The rotation function

The script signs in as the Function App's managed identity, asks the Az.Storage cmdlets for a container-scoped SAS signed with a user delegation key (no account key is involved), and pushes the new token into Key Vault as a fresh secret version.

param($Timer)

$account   = $env:STORAGE_ACCOUNT_NAME
$container = $env:CONTAINER_NAME
$vaultUri  = $env:KEYVAULT_URI
$lifetime  = [int]::Parse($env:SAS_LIFETIME_DAYS)

# Azure issues user delegation keys for at most 7 days, and a user delegation SAS cannot
# outlive its key, so fail fast with a clear message instead of an opaque service error.
if ($lifetime -lt 1 -or $lifetime -gt 7) {
  throw "SAS_LIFETIME_DAYS=$lifetime is outside the 1-7 day range allowed for a user delegation SAS."
}

# Sign in as the Function App's managed identity (the Functions profile.ps1 usually does this already).
$null = Connect-AzAccount -Identity

# A context built from the signed-in identity rather than an account key makes the
# SAS cmdlets sign with a user delegation key.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount

# Backdate the start a few minutes so clock skew between clients and the service
# does not produce "not yet valid" errors.
$startTime  = (Get-Date).ToUniversalTime().AddMinutes(-15)
$expiryTime = $startTime.AddDays($lifetime)

# Container-scoped SAS, HTTPS only, with read, create, write, delete and list permissions.
$sasToken = New-AzStorageContainerSASToken `
  -Name $container `
  -Permission rcwdl `
  -StartTime $startTime `
  -ExpiryTime $expiryTime `
  -Protocol HttpsOnly `
  -Context $ctx

# Older Az.Storage releases return the token with a leading '?', newer ones without;
# normalise so the stored value always carries exactly one.
$sasToken = '?' + $sasToken.TrimStart('?')

# KEYVAULT_URI is https://<vault>.vault.azure.net/; the cmdlet wants just <vault>.
$vaultName = ([Uri]$vaultUri).Host.Split('.')[0]

# Store the new version and stamp it with the SAS expiry so Key Vault shows when it lapses.
$null = Set-AzKeyVaultSecret -VaultName $vaultName `
  -Name 'blobbridge-container-sas' `
  -SecretValue (ConvertTo-SecureString -String $sasToken -AsPlainText -Force) `
  -Expires $expiryTime

Write-Host "Generated SAS for $container valid until $($expiryTime.ToString('u'))"

Tip: Keep SAS_LIFETIME_DAYS shorter than your Key Vault secret version retention window so rollback is always possible.

Operational runbook

  • Monitor Function App failures and Key Vault secret writes in Azure Monitor.
  • Notify SharePoint admins automatically with the next expiry date and link to the updated docs.
  • Test BlobBridge against the new SAS in a staging page before the timer updates production secrets.
  • Document the rotation cadence in your governance playbook so auditors can trace control ownership.
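A pre-flight check for the staging step above, added here as an example and not code from the original post. It reads the latest secret version, verifies the properties BlobBridge depends on (container scope, HTTPS only, user delegation signature, no permissions beyond the rotation function's set, a sane validity window) and then lists a single blob with the token; the Test-BlobBridgeSas name and the 7-day default ceiling are this example's own choices.

```powershell
# Pre-flight check for a rotated SAS before BlobBridge is pointed at it (example code).
function Test-BlobBridgeSas {
  param(
    [Parameter(Mandatory)][string]$SasToken,
    [string[]]$AllowedPermissions = @('r', 'c', 'w', 'd', 'l'),  # what rotation hands out
    [int]$MaxLifetimeDays = 7                                     # user delegation key ceiling
  )
  # Parse the query string into a hashtable; no web assemblies needed.
  $q = @{}
  foreach ($pair in ($SasToken.TrimStart('?') -split '&')) {
    $k, $v = $pair -split '=', 2
    $q[$k] = [uri]::UnescapeDataString([string]$v)
  }
  $problems = @()
  if ($q['sr'] -ne 'c')      { $problems += "sr=$($q['sr']): not container-scoped" }
  if ($q['spr'] -ne 'https') { $problems += "spr=$($q['spr']): not restricted to HTTPS" }
  if (-not $q['skoid'])      { $problems += 'no skoid: not signed with a user delegation key' }
  # Every permission letter granted must be on the allow list.
  $granted = ([string]$q['sp']).ToCharArray() | ForEach-Object { [string]$_ }
  $extra   = @($granted | Where-Object { $_ -notin $AllowedPermissions })
  if ($extra.Count) { $problems += "sp=$($q['sp']) grants more than allowed: $($extra -join ',')" }
  # Validity window: present, not yet expired, and no longer than policy allows.
  $expiry = $null
  if (-not $q['st'] -or -not $q['se']) {
    $problems += 'st/se missing: no explicit validity window'
  } else {
    $start  = [DateTimeOffset]::Parse($q['st']).UtcDateTime
    $expiry = [DateTimeOffset]::Parse($q['se']).UtcDateTime
    if ($expiry -le (Get-Date).ToUniversalTime()) { $problems += "se=$($q['se']): already expired" }
    if (($expiry - $start).TotalDays -gt $MaxLifetimeDays) { $problems += "lifetime exceeds $MaxLifetimeDays days" }
  }
  [pscustomobject]@{ Valid = ($problems.Count -eq 0); ExpiresUtc = $expiry; Problems = $problems }
}

# Check the latest secret version, then prove it works with a single list call.
$vaultName = ([Uri]$env:KEYVAULT_URI).Host.Split('.')[0]
$sas    = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'blobbridge-container-sas' -AsPlainText
$result = Test-BlobBridgeSas -SasToken $sas
if (-not $result.Valid) { throw ('SAS rejected: ' + ($result.Problems -join '; ')) }
$probe  = New-AzStorageContext -StorageAccountName $env:STORAGE_ACCOUNT_NAME -SasToken $sas
$null   = Get-AzStorageBlob -Container $env:CONTAINER_NAME -Context $probe -MaxCount 1  # throws on 403
Write-Host "SAS accepted, valid until $($result.ExpiresUtc.ToString('u'))"
```

Run it against the staging vault from a session signed in with an identity that can read the secret; a failed check or a 403 on the list call stops the promotion before production secrets change.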

What to do next

Rotate tokens on demand after exceptional events (for example terminating a contractor) by invoking the function manually, and extend the pipeline to refresh multiple containers by looping through a JSON configuration file.
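One way to drive rotation from a JSON configuration file, added here as an example rather than code from the original post; the config shape, the Invoke-BlobBridgeRotation name and the per-container permission allow list are assumptions made for this example. Called from a session signed in with the same identity, it also covers the on-demand rotation case.

```powershell
# Rotate several containers from a JSON config, on a timer or on demand (example code).
# Constructed config shape, one object per container:
# [ { "container": "blobbridge-docs",   "permission": "rcwdl", "secretName": "blobbridge-docs-sas" },
#   { "container": "blobbridge-public", "permission": "rl",    "secretName": "blobbridge-public-sas" } ]
function Invoke-BlobBridgeRotation {
  param(
    [Parameter(Mandatory)][string]$ConfigPath,
    [Parameter(Mandatory)][string]$AccountName,
    [Parameter(Mandatory)][string]$VaultName,
    [ValidateRange(1, 7)][int]$LifetimeDays = 7   # user delegation keys live at most 7 days
  )
  $entries = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
  # Identity-backed context: every token below is signed with a user delegation key.
  $ctx        = New-AzStorageContext -StorageAccountName $AccountName -UseConnectedAccount
  $startTime  = (Get-Date).ToUniversalTime().AddMinutes(-15)
  $expiryTime = $startTime.AddDays($LifetimeDays)
  foreach ($e in $entries) {
    # Refuse permission letters outside the set this pipeline is allowed to hand out.
    if ($e.permission -notmatch '^[rcwdl]+$') {
      throw "$($e.container): permission '$($e.permission)' is not allowed by policy"
    }
    $sas = New-AzStorageContainerSASToken -Name $e.container -Permission $e.permission `
      -StartTime $startTime -ExpiryTime $expiryTime -Protocol HttpsOnly -Context $ctx
    $sas = '?' + $sas.TrimStart('?')   # normalise the leading '?' across Az.Storage versions
    $null = Set-AzKeyVaultSecret -VaultName $VaultName -Name $e.secretName `
      -SecretValue (ConvertTo-SecureString -String $sas -AsPlainText -Force) -Expires $expiryTime
    # Emit one record per container so the caller can log or notify on each.
    [pscustomobject]@{ Container = $e.container; Secret = $e.secretName; ExpiresUtc = $expiryTime }
  }
}

# Example invocation from the Function's run.ps1 or an operator session.
Invoke-BlobBridgeRotation -ConfigPath "$PSScriptRoot/containers.json" `
  -AccountName $env:STORAGE_ACCOUNT_NAME `
  -VaultName (([Uri]$env:KEYVAULT_URI).Host.Split('.')[0]) |
  ForEach-Object { Write-Host "Rotated $($_.Container) -> $($_.Secret), valid until $($_.ExpiresUtc.ToString('u'))" }
```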