Next, we need to generate a new SAS token for the blob container, within the newly created storage account. The access to this container should be allowed only to authorized users supplying this SAS token along with their request. You should execute the next shown set of commands to create a new SAS token. The first command gets a reference to the newly created storage account. This is needed to obtain the security context used by the next command. The next command after it creates a new SAS token that expires within 100 days and only has read permission on the container and its constituent blob files:

$storage=Get-AzureRmStorageAccount-ResourceGroupNameARMPatterns-Name"hostforarmtemplates"

New-AzureStorageContainerSASToken -Container $containerName -Context $storage.Context -StartTime ([datetime]::Now) -ExpiryTime ([datetime]::Now.AddDays(100)) -Protocol HttpsOnly -Permission r -Verbose

The output from this command is the SAS token, which is displayed once and is not stored anywhere. You should make a note of the generated token and store it in a secure location. This SAS token will eventually be stored in an Azure Key Vault and used in ARM templates to access the subtemplates stored in this container. The generated SAS token is shown next:

?sv=2018-03-28&sr=c&sig=q47%2BlaoU8ZvrRmhrCR7iles3qoLhGMeu%2F4JXb8lwDdI%3D&spr=https&st=2019-02-08T10%3A50%3A03Z&se=2019-05-19T09%3A50%3A03Z&sp=r