Merge pull request #86986 from tamram/tamram-0828

rjagiewich · web-flow · commit 3fded16783b3 · 2019-08-29T11:19:33.000-07:00
add user delegation sas revocation to CLI how-to
diff --git a/articles/storage/blobs/TOC.yml b/articles/storage/blobs/TOC.yml
@@ -352,7 +352,7 @@
             href: ../common/storage-account-sas-create-dotnet.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
           - name: Define a stored access policy
             href: ../common/storage-stored-access-policy-define-dotnet.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json      
-      - name: Configure customer-managed keys for service encryption
+      - name: Use customer-managed keys for service encryption
         items:
         - name: Portal
           href: ../common/storage-encryption-keys-portal.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
diff --git a/articles/storage/blobs/storage-blob-user-delegation-sas-create-cli.md b/articles/storage/blobs/storage-blob-user-delegation-sas-create-cli.md
@@ -6,7 +6,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: article
-ms.date: 08/12/2019
+ms.date: 08/29/2019
 ms.author: tamram
 ms.reviewer: cbrooks
 ms.subservice: blobs
@@ -57,7 +57,7 @@ When creating a user delegation SAS, the `--auth-mode login` and `--as-user para
 
 ### Create a user delegation SAS for a container
 
-To create a user delegation SAS for a container with Azure CLI, call the [az storage container generate-sas](/cli/azure/storage/container#az-storage-container-generate-sas) command.
+To create a user delegation SAS for a container with the Azure CLI, call the [az storage container generate-sas](/cli/azure/storage/container#az-storage-container-generate-sas) command.
 
 Supported permissions for a user delegation SAS on a container include Add, Create, Delete, List, Read, and Write. Permissions can be specified singly or combined. For more information about these permissions, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas).
 
@@ -81,7 +81,7 @@ se=2019-07-27&sp=r&sv=2018-11-09&sr=c&skoid=<skoid>&sktid=<sktid>&skt=2019-07-26
 
 ### Create a user delegation SAS for a blob
 
-To create a user delegation SAS for a blob with Azure CLI, call the [az storage blob generate-sas](/cli/azure/storage/blob#az-storage-blob-generate-sas) command.
+To create a user delegation SAS for a blob with the Azure CLI, call the [az storage blob generate-sas](/cli/azure/storage/blob#az-storage-blob-generate-sas) command.
 
 Supported permissions for a user delegation SAS on a blob include Add, Create, Delete, Read, and Write. Permissions can be specified singly or combined. For more information about these permissions, see [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas).
 
@@ -109,6 +109,21 @@ https://storagesamples.blob.core.windows.net/sample-container/blob1.txt?se=2019-
 > [!NOTE]
 > A user delegation SAS does not support defining permissions with a stored access policy.
 
+## Revoke a user delegation SAS
+
+To revoke a user delegation SAS from the Azure CLI, call the [az storage account revoke-delegation-keys](/cli/azure/storage/account#az-storage-account-revoke-delegation-keys) command. This command revokes all of the user delegation keys associated with the specified storage account. Any shared access signatures associated with those keys are invalidated.
+
+Remember to replace placeholder values in angle brackets with your own values:
+
+```azurecli-interactive
+az storage account revoke-delegation-keys \
+    --name <storage-account> \
+    --resource-group <resource-group>
+```
+
+> [!IMPORTANT]
+> Both the user delegation key and RBAC role assignments are cached by Azure Storage, so there may be a delay between when you initiate the process of revocation and when an existing user delegation SAS becomes invalid.
+
 ## Next steps
 
 - [Create a user delegation SAS (REST API)](/rest/api/storageservices/create-user-delegation-sas)
diff --git a/articles/storage/blobs/storage-blob-user-delegation-sas-create-powershell.md b/articles/storage/blobs/storage-blob-user-delegation-sas-create-powershell.md
@@ -6,7 +6,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: article
-ms.date: 08/12/2019
+ms.date: 08/29/2019
 ms.author: tamram
 ms.reviewer: cbrooks
 ms.subservice: blobs
@@ -161,6 +161,9 @@ Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName <resource-group> `
     -StorageAccountName <storage-account>
 ```
 
+> [!IMPORTANT]
+> Both the user delegation key and RBAC role assignments are cached by Azure Storage, so there may be a delay between when you initiate the process of revocation and when an existing user delegation SAS becomes invalid.
+
 ## Next steps
 
 - [Create a user delegation SAS (REST API)](/rest/api/storageservices/create-user-delegation-sas)
