
Undeleting a Soft Deleted Blob in Azure Storage Using a REST API call from PowerShell

I am trying to create a script to retrieve blobs for a given customer number from a storage account in Azure. All blobs reside in a single container, with 'actioned' blobs being soft deleted. I can use PowerShell to display the relevant blobs, including their 'IsDeleted' status, but I understand that PowerShell doesn't have the necessary command to undelete blobs and so I'm trying to make a REST API call from the PowerShell script.

I do an initial login to the Azure platform and set a variable for an SAS token (which includes the necessary permissions to undelete):

$username = "<myUserName>"
$encryptedPwd = Get-Content <path\securepassword.txt> | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PsCredential($username, $encryptedPwd)

$strgaccname = "<myStorageAccount>"
$strgcontainer = "<myContainer>"
#SAS Token
$sastkn = "<mySAStoken>"

#Set StorageContext
$ctx = New-AzStorageContext -StorageAccountName $strgaccname -SasToken $sastkn

$subId = "mySubscriptionID"

Connect-AzAccount -Credential $cred -Subscription $subID

I can list all matching blobs with the following PowerShell:

$searchstring = '*'+<myCustomerNumber>+'*'
Get-AzStorageBlob -Blob $searchstring -Context $ctx -Container $strgcontainer -IncludeDeleted `
    | Select-Object Name, Length, LastModified, IsDeleted `
    | Sort-Object LastModified -Descending

I am unsure how to proceed with the REST API call. Looking at some other people's methods, I have something like the following, using a test blob that has been soft deleted:

$uri = "https://<myStorageAccount>.blob.core.windows.net/<myContainer>/<myTestBlob>?comp=undelete"
$headers = @{
    'Authorization' = "Bearer <accessToken>";
    'x-ms-date' = $((get-date -format r).ToString());
    'x-ms-version' = "2020-12-06";
}
Invoke-RestMethod -Method 'Put' -Uri $uri -Headers $headers

However, I don't know how to create the Bearer Access Token that is mentioned.

We have done a repro in our local environment and it is working fine. The statements below are based on our analysis.

You can use the PowerShell script below, which will help you restore the soft-deleted blobs in your storage account.

Here is the PowerShell script:

Connect-AzAccount

# Get all deleted blobs within a container
$StorageAccount = Get-AzStorageAccount | Where-Object { $_.StorageAccountName -eq "<storageAccountName>" }
$Blobs = Get-AzStorageContainer -Name "<ContainerName>" -Context $StorageAccount.Context | Get-AzStorageBlob -IncludeDeleted
$DeletedBlobs = $Blobs | Where-Object { $_.IsDeleted -eq $true }

# Get your Bearer access token, scoped to the storage data plane
$resource = "https://storage.azure.com"
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$accessToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken

# Restore each soft-deleted blob with the Undelete Blob REST operation
foreach ($DeletedBlob in $DeletedBlobs) {
    Write-Host "Restoring : $($DeletedBlob.Name)"
    $uri = "$($DeletedBlob.BlobBaseClient.Uri.AbsoluteUri)?comp=undelete"
    $headers = @{
        'Authorization' = "Bearer $accessToken";
        # The "r" format labels the time as GMT without converting it, so convert to UTC first
        'x-ms-date'     = (Get-Date).ToUniversalTime().ToString('r');
        'x-ms-version'  = "2020-12-06";
    }
    Invoke-RestMethod -Method 'Put' -Uri $uri -Headers $headers
}

Here is the Sample output for your reference:


Note:

In order to perform the restoration of soft-deleted blobs, you need to have the Storage Blob Data Contributor RBAC role on the Storage Account.
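An added example, not part of the original question or answer: the same undelete call limited to one customer's blobs, with the bearer token taken from the Get-AzAccessToken cmdlet and a per-blob result so that a missing role assignment shows up as a 403. The function name Restore-CustomerBlob and its parameter names are hypothetical; the placeholders are the ones used in the question.

```powershell
# Added example (not from the original posts). Assumes Connect-AzAccount has already run
# and the signed-in identity holds Storage Blob Data Contributor on the account.
function Restore-CustomerBlob {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $ContainerName,
        [Parameter(Mandatory)] [string] $CustomerNumber   # hypothetical parameter name
    )

    # OAuth data-plane context for listing; no account key or SAS token is stored in the script.
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

    # Storage-scoped token. Newer Az.Accounts releases return it as a SecureString,
    # older ones as plain text, so handle both.
    $token = (Get-AzAccessToken -ResourceUrl 'https://storage.azure.com/').Token
    if ($token -is [securestring]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }

    $deleted = Get-AzStorageBlob -Container $ContainerName -Blob "*$CustomerNumber*" `
                   -Context $ctx -IncludeDeleted | Where-Object { $_.IsDeleted }

    foreach ($blob in $deleted) {
        if (-not $PSCmdlet.ShouldProcess($blob.Name, 'Undelete Blob')) { continue }
        $headers = @{
            'Authorization' = "Bearer $token"
            'x-ms-date'     = (Get-Date).ToUniversalTime().ToString('r')
            'x-ms-version'  = '2020-12-06'
        }
        try {
            Invoke-RestMethod -Method Put -Headers $headers `
                -Uri "$($blob.BlobBaseClient.Uri.AbsoluteUri)?comp=undelete" | Out-Null
            [pscustomobject]@{ Name = $blob.Name; Restored = $true; HttpStatus = 200 }
        }
        catch {
            # 403 here normally means the identity lacks the data-plane role.
            $status = [int]$_.Exception.Response.StatusCode
            [pscustomobject]@{ Name = $blob.Name; Restored = $false; HttpStatus = $status }
        }
    }
}

# Dry run: lists what would be restored without calling the REST API.
Restore-CustomerBlob -StorageAccountName '<myStorageAccount>' -ContainerName '<myContainer>' `
    -CustomerNumber '<myCustomerNumber>' -WhatIf
```

Remove -WhatIf to perform the restore; the returned objects can be piped to Export-Csv to keep a record of which blobs were undeleted and by which run.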
