Tech Dive | Re-linking a storage account to an IoT Hub through PowerShell

Microsoft

In Customer Service and Support we have a great opportunity to see exactly how our customers are using Azure IoT tech and where their most frequent pain points are. We've come across an interesting scenario that we've tried to help out with:

 

Let's say you need to upload files from a device to a blob storage. You can easily link your IoT Hub to a storage account in the Azure Portal! However, your company has security policies that require you to regenerate your Azure resource keys every X days/months. This breaks the Hub-Blob link and you then have to re-link them... manually... every single time...

 

Thus, in the interest of public laziness and efficiency, we wrote a small PowerShell script that does that for you! You can find it here as a gist.

 

We'll be dissecting a bit of the script below and going into some detail on IoT Hub file upload mechanics, so if you're already familiar with that, feel free to just get the gist above and skip the rest.

 

[Figure: fileUploadSketch.png]

 

--------- Azure IoT Hub File Upload ----------

When you're linking a storage container (located inside a storage account) to an IoT Hub, you're essentially just telling the Hub to fetch the storage connection string (connString), which is then kept in configuration inside the Hub. There is no continuously synchronizing relationship between the storage account and the IoT Hub.

 

Thus, when the storage connString changes, the one in the IoT Hub config is no longer valid and must be fetched again; otherwise you'll get an "unauthorized" style of exception on the device side when it tries to contact the storage account directly.

 

You can get more details on file upload here, but in a quick visual overview:

  1. The device asks the IoT Hub for an access token for its linked storage account. This token is specific to the file being uploaded. The IoT Hub then takes the storage connString in its configuration, builds a SAS URI and sends it to the device. The IoT Hub acts only as an intermediary for the access tokens and does not participate in the upload process directly.
  2. The device authenticates against the storage account API and uploads the promised file.
  3. When the upload is complete, the device notifies the IoT Hub of completion and how long it took.

 

-------------------------------------------------------

 

---------- iotHubStorReLinker.ps1  -----------

 

If you're just getting started with Azure PowerShell commands, check this link out. At the moment there's a new cross-platform module (Az) that is replacing the older one (AzureRM), so you can tell new and old commands apart by their prefix.

 

To use the script you'll need to define these three parameters:

# --------- Config Parameters ------------- <------- Start here! -----

$IoTHubName = "_____________"

$IoTHubResourceGroup = "_____________"

$StorageAccountResourceGroup = "_____________"

# -----------------------------------------

 

In a very high-level description, this script does the following:

  1. Takes the IoT Hub configuration
  2. Gets the storage account linked to that IoT Hub
  3. Regenerates the storage account keys
  4. Retrieves one of the newly regenerated keys
  5. Builds a new storage connection string for the IoT Hub (based on one of the keys retrieved in step 4)
  6. Changes the previously saved IoT Hub config to include the new storage connection string, and then applies the config to the IoT Hub
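
The six steps above as a PowerShell sketch. This is an added example, not the gist's code: it assumes the Az.IotHub and Az.Storage modules, a session already signed in with Connect-AzAccount, a hub linked through its '$default' storage endpoint, and the public-cloud endpoint suffix as a fallback. For step 6 it passes the new connString through Set-AzIotHub's file-upload parameters instead of editing a saved config object.

```powershell
# Added sketch, not the gist. Assumes Az.IotHub + Az.Storage and a signed-in session.
$ErrorActionPreference = 'Stop'

$IoTHubName                  = "_____________"
$IoTHubResourceGroup         = "_____________"
$StorageAccountResourceGroup = "_____________"

# 1. Take the IoT Hub configuration.
$hub = Get-AzIotHub -ResourceGroupName $IoTHubResourceGroup -Name $IoTHubName

# 2. Get the linked storage account from the stored file-upload connString.
$endpoint = $hub.Properties.StorageEndpoints['$default']
if (-not $endpoint -or [string]::IsNullOrEmpty($endpoint.ConnectionString)) {
    throw "IoT Hub '$IoTHubName' has no storage account linked for file upload."
}
$parts = @{}
foreach ($pair in ($endpoint.ConnectionString -split ';' | Where-Object { $_ })) {
    $name, $value = $pair -split '=', 2   # limit 2: key values are base64 and may end in '='
    $parts[$name] = $value
}
$accountName = $parts['AccountName']
if (-not $accountName) { throw "No AccountName in the stored connection string." }

# 3. Regenerate the storage account keys. Every client still holding an old key,
#    this hub included, is rejected from here on until it is given a new one.
foreach ($keyName in 'key1', 'key2') {
    New-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroup `
        -Name $accountName -KeyName $keyName | Out-Null
}

# 4. Retrieve one of the newly regenerated keys.
$newKey = (Get-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroup -Name $accountName |
    Where-Object KeyName -eq 'key1').Value

# 5. Build the new storage connection string (suffix fallback is an assumption: public cloud).
$suffix = if ($parts['EndpointSuffix']) { $parts['EndpointSuffix'] } else { 'core.windows.net' }
$newConnString = "DefaultEndpointsProtocol=https;AccountName=$accountName;" +
                 "AccountKey=$newKey;EndpointSuffix=$suffix"

# 6. Apply it to the hub, keeping the same container. The string is a secret: never log it.
Set-AzIotHub -ResourceGroupName $IoTHubResourceGroup -Name $IoTHubName `
    -FileUploadStorageConnectionString $newConnString `
    -FileUploadContainerName $endpoint.ContainerName | Out-Null
Write-Host "Re-linked '$IoTHubName' to storage account '$accountName'."
```

Device uploads fail with the "unauthorized" error between steps 3 and 6, so run the script as one unit and check that step 6 succeeded before treating the rotation as complete.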

-------------------------------------------------------

 

Huge thanks to @JPRodrig for helping out with the script and reviewing it.

 

If this content was helpful and you'd like to see more posts like these, please feel free to let us know in the comments below or in a private message.
