Added final example

msmbaldwin · msmbaldwin · commit 59a8196b8e30 · 2019-09-20T18:43:43.000-07:00
diff --git a/articles/key-vault/key-vault-overview-storage-keys-powershell.md b/articles/key-vault/key-vault-overview-storage-keys-powershell.md
@@ -188,7 +188,8 @@ The commands in this section complete the following actions:
 - Set an account shared access signature definition. 
 - Create an account shared access signature token for Blob, File, Table, and Queue services. The token is created for resource types Service, Container, and Object. The token is created with all permissions, over https, and with the specified start and end dates.
 - Set a Key Vault managed storage shared access signature definition in the vault. The definition has the template URI of the shared access signature token that was created. The definition has the shared access signature type `account` and is valid for N days.
-
+- Verify that the shared access signature was saved in your key vault as a secret.
+- 
 ### Set variables
 
 First, set the variables to be used by the PowerShell cmdlets in the following steps. Be sure to update the <YourStorageAccountName> and <YourKeyVaultName> placeholders.
@@ -222,10 +223,40 @@ The value of $sasToken will look similar to this.
 
 Use the the Azure PowerShell [Set-AzKeyVaultManagedStorageSasDefinition](/powershell/module/az.keyvault/set-azkeyvaultmanagedstoragesasdefinition?view=azps-2.6.0) cmdlet to create a shared access signature definition.  You can provide the name of your choice to the `-Name` parameter.
 
-```azurecli-interactive
-Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name accountsas -TemplateUri $sasToken -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))
+```azurepowershell-interactive
+Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name <YourSASDefinitionName> -TemplateUri $sasToken -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))
+```
+
+### Verify the shared access signature definition
+
+You can verify that the shared access signature definition has been stored in your key vault using the Azure PowerShell [Get-AzKeyVaultSecret](/powershell/module/az.keyvault/get-azkeyvaultsecret?view=azps-2.6.0) cmdlet.
+
+First, find the shared access signature definition in your key vault.
+
+```azurepowershell-interactive
+Get-AzKeyVaultSecret -vault-name <YourKeyVaultName>
+```
+
+The secret corresponding to your SAS definition will have these properties:
+
+```console
+Vault Name   : <YourKeyVaultName>
+Name         : <SecretName>
+...
+Content Type : application/vnd.ms-sastoken-storage
+Tags         :
 ```
 
+You can now use the [Get-AzKeyVaultSecret](/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-show) cmdlet and the secret `Name` property to view the content of that secret.
+
+```azurepowershell-interactive
+$secret = Get-AzKeyVaultSecret -VaultName <YourKeyVaultName> -Name <SecretName>
+
+Write-Host $secret.SecretValueText
+```
+
+The output of this command will show your SAS definition string.
+
 
 ## Next steps
 
diff --git a/articles/key-vault/key-vault-ovw-storage-keys.md b/articles/key-vault/key-vault-ovw-storage-keys.md
@@ -94,6 +94,7 @@ The commands in this section complete the following actions:
 - Set an account shared access signature definition `<YourSASDefinitionName>`. The definition is set on a Key Vault managed storage account `<YourStorageAccountName>` in your key vault `<YourKeyVaultName>`.
 - Create an account shared access signature token for Blob, File, Table, and Queue services. The token is created for resource types Service, Container, and Object. The token is created with all permissions, over https, and with the specified start and end dates.
 - Set a Key Vault managed storage shared access signature definition in the vault. The definition has the template URI of the shared access signature token that was created. The definition has the shared access signature type `account` and is valid for N days.
+- Verify that the shared access signature was saved in your key vault as a secret.
 
 ### Create a shared access signature token
 
@@ -119,6 +120,32 @@ Use the the Azure CLI [az keyvault storage sas-definition create](/cli/azure/key
 az keyvault storage sas-definition create --vault-name <YourKeyVaultName> --account-name <YourStorageAccountName> -n <YourSASDefinitionName> --validity-period P2D --sas-type account --template-uri <OutputOfSasTokenCreationStep>
 ```
 
+### Verify the shared access signature definition
+
+You can verify that the shared access signature definition has been stored in your key vault using the Azure CLI [az keyvault secret list](/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-list) and [az keyvault secret show](/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-show) commands.
+
+First, find the shared access signature definition in your key vault using the [az keyvault secret list](/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-list) command.
+
+```azurecli-interactive
+az keyvault secret list --vault-name <YourKeyVaultName>
+```
+
+The secret corresponding to your SAS definition will have these properties:
+
+```console
+    "contentType": "application/vnd.ms-sastoken-storage",
+    "id": "https://<YourKeyVaultName>.vault.azure.net/secrets/<YourStorageAccountName>-<YourSASDefinitionName>",
+```
+
+You can now use the [az keyvault secret show](/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-show) command and the `id` property to view the content of that secret.
+
+```azurecli-interactive
+az keyvault secret show --vault-name <YourKeyVaultName> --id <SasDefinitionID>
+```
+
+The output of this command will show your SAS definition string as`value`.
+
+
 ## Next steps
 
 - Learn more about [keys, secrets, and certificates](https://docs.microsoft.com/rest/api/keyvault/).
diff --git a/articles/key-vault/storage-keys-sas-tokens-code.md b/articles/key-vault/storage-keys-sas-tokens-code.md
@@ -12,24 +12,16 @@ ms.date: 09/10/2019
 ---
 # Fetch shared access signature tokens in code
 
-Execute operations on your storage account by fetching [shared access signature tokens](../storage/common/storage-dotnet-shared-access-signature-part-1.md) from Key Vault. 
+You can manage your storage account with the [shared access signature tokens](../storage/common/storage-dotnet-shared-access-signature-part-1.md) in your key vault. This article provides examples of C# code that fetches a SAS token and performs operations with it.  For information on how to create and store SAS tokens, see [Manage storage account keys with Key Vault and the Azure CLI](key-vault-ovw-storage-keys) or [Manage storage account keys with Key Vault and Azure PowerShell](key-vault-overview-storage-keys-powershell.md).
 
-There are three ways to authenticate to Key Vault:
-
-- Use a managed service identity. This approach is highly recommended.
-- Use a service principal and certificate. 
-- Use a service principal and password. This approach isn't recommended.
-
-For more information, see [Azure Key Vault: Basic concepts](basic-concepts.md).
-
-The following example demonstrates how to fetch shared access signature tokens. You fetch the tokens after you create a shared access signature definition. 
+In this example, the code fetches a SAS token from your key vault, uses it to create a new storage account, and creates a new Blob service client.  
 
 ```cs
 // After you get a security token, create KeyVaultClient with vault credentials.
 var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(securityToken));
 
 // Get a shared access signature token for your storage from Key Vault.
-// The format for SecretUri is https://<VaultName>.vault.azure.net/secrets/<ExamplePassword>
+// The format for SecretUri is https://<YourKeyVaultName>.vault.azure.net/secrets/<ExamplePassword>
 var sasToken = await kv.GetSecretAsync("SecretUri");
 
 // Create new storage credentials by using the shared access signature token.
@@ -41,7 +33,7 @@ var accountWithSas = new CloudStorageAccount(accountSasCredential, new Uri ("htt
 var blobClientWithSas = accountWithSas.CreateCloudBlobClient();
 ```
 
-If your shared access signature token is about to expire, fetch the shared access signature token again from Key Vault and update the code.
+If your shared access signature token is about to expire, you can fetch the shared access signature token from your key vault and update the code.
 
 ```cs
 // If your shared access signature token is about to expire,
@@ -52,7 +44,7 @@ accountSasCredential.UpdateSASToken(sasToken);
 
 
 ## Next steps
-
-- [Managed storage account key samples](https://github.com/Azure-Samples?utf8=%E2%9C%93&q=key+vault+storage&type=&language=)
+- Learn how to [Manage storage account keys with Key Vault and the Azure CLI](key-vault-ovw-storage-keys) or [Azure PowerShell](key-vault-overview-storage-keys-powershell.md).
+- See [Managed storage account key samples](https://github.com/Azure-Samples?utf8=%E2%9C%93&q=key+vault+storage&type=&language=)
 - [About keys, secrets, and certificates](about-keys-secrets-and-certificates.md)
 - [Key Vault PowerShell reference](/powershell/module/az.keyvault/?view=azps-1.2.0#key_vault)
