
Allow authenticating with Azure Blob Storage using a shared access signature (SAS)

Open timrogers opened this issue 2 years ago • 0 comments

The CLI supports Azure Blob Storage as a blob storage provider.

When using this functionality, we upload the user's archives to Azure Blob Storage and then generate a short-lived URL (aka. SAS URL) pointing to that archive file which GitHub can use to access the file.

Azure authentication is configured in the CLI using the --azure-storage-connection-string argument or the AZURE_STORAGE_CONNECTION_STRING environment variable.

Our implementation at the moment assumes that the Azure connection string contains an "account key". In the Azure Portal, this kind of connection string is generated on the "Access keys" page for the storage account in the Azure portal:

[Screenshot 2023-02-21 at 11 47 13: the storage account's "Access keys" page]

Using an account key is not necessarily the preferred approach for enterprises from a security perspective. Many would prefer to use a shared access signature (SAS) instead, which can also be embedded in a connection string.

In the Azure Portal, this kind of connection string is generated on the "Shared access signature" page at the storage account level or the "Shared access tokens" page at the storage container level:

[Screenshot 2023-02-21 at 11 53 55: the "Shared access signature" page for the storage account]

We should add support for authenticating using a shared access signature (SAS). This allows an unlimited number of credentials to be created, enables credentials to expire and gives the customer the ability to implement least-privilege access (rather than credentials with full access).

I haven't investigated the implementation in detail, but it would definitely involve not generating our own SAS in our code.

timrogers avatar Feb 21 '23 11:02 timrogers
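The following is an added example and not gh-gei's own code. It shows the difference between the two connection-string shapes the issue describes: an account-key string (`AccountKey=...`) and a SAS string (`SharedAccessSignature=...`), and how, in the SAS case, the archive URL handed to GitHub is simply the blob endpoint plus container and blob name with the customer's own SAS query appended, so the tool signs nothing itself. The connection strings, account name, container name, blob name and `sig` values are constructed sample data, and the permission requirements checked in `sas_problems` (read for GitHub, write/create for the upload) are an assumption about this workflow, not something stated in the issue.

```python
"""Added example, not gh-gei's own code: tell an account-key connection string from
a SAS one, and build the archive URL from a SAS string without generating a SAS."""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import parse_qs, quote

# Constructed sample connection strings with fake values; these are not real credentials.
ACCOUNT_KEY_CONN = (
    "DefaultEndpointsProtocol=https;AccountName=examplestorage;"
    "AccountKey=ZmFrZWtleQ==;EndpointSuffix=core.windows.net"
)
SAS_CONN = (
    "BlobEndpoint=https://examplestorage.blob.core.windows.net/;"
    "SharedAccessSignature=sv=2022-11-02&ss=b&srt=co&sp=rwc"
    "&se=2023-03-01T00:00:00Z&st=2023-02-21T00:00:00Z&spr=https&sig=ZmFrZXNpZw%3D%3D"
)


def parse_connection_string(conn: str) -> dict[str, str]:
    """Connection strings are ';'-separated key=value pairs. The SAS value itself
    contains '=' and '&', so each pair is split on its first '=' only."""
    parts: dict[str, str] = {}
    for segment in conn.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed connection string segment: {segment!r}")
        parts[key] = value
    return parts


def auth_mode(parts: dict[str, str]) -> str:
    """'sas' if the string embeds a shared access signature, 'account-key' if it
    carries the storage account key (the only shape the issue says works today)."""
    if "SharedAccessSignature" in parts:
        return "sas"
    if "AccountKey" in parts:
        return "account-key"
    raise ValueError("connection string has neither SharedAccessSignature nor AccountKey")


def blob_endpoint(parts: dict[str, str]) -> str:
    """SAS strings from the portal name the endpoint explicitly; account-key strings
    usually leave it implicit, so the default blob endpoint is derived for them."""
    if "BlobEndpoint" in parts:
        return parts["BlobEndpoint"].rstrip("/")
    proto = parts.get("DefaultEndpointsProtocol", "https")
    suffix = parts.get("EndpointSuffix", "core.windows.net")
    return f"{proto}://{parts['AccountName']}.blob.{suffix}"


def parse_sas_time(value: str) -> datetime:
    """SAS timestamps (st, se) are ISO 8601 with a trailing 'Z'; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sas_problems(sas_query: str, now: datetime | None = None) -> list[str]:
    """Sanity checks on a customer-supplied SAS before relying on it. Assumed needs for
    this workflow (not from the issue): the CLI must create/write the archive blob
    ('c' or 'w' in sp), GitHub must read it ('r' in sp), and it must not have expired."""
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    problems: list[str] = []
    perms = set(q.get("sp", ""))
    if "r" not in perms:
        problems.append("SAS lacks read permission (no 'r' in sp); GitHub could not fetch the archive")
    if not perms & {"w", "c"}:
        problems.append("SAS lacks write/create permission (no 'w' or 'c' in sp); upload would fail")
    if "ss" in q and "b" not in q["ss"]:
        problems.append("account SAS does not cover the blob service (no 'b' in ss)")
    if "se" in q:
        if (now or datetime.now(timezone.utc)) >= parse_sas_time(q["se"]):
            problems.append(f"SAS expired at {q['se']}")
    else:
        problems.append("SAS has no expiry (se)")
    return problems


def archive_url_from_sas(parts: dict[str, str], container: str, blob_name: str,
                         now: datetime | None = None) -> str:
    """With a SAS connection string nothing is signed locally: the URL handed to GitHub
    is endpoint/container/blob with the customer's SAS query string appended."""
    if auth_mode(parts) != "sas":
        raise ValueError("not a SAS connection string")
    sas = parts["SharedAccessSignature"].lstrip("?")
    problems = sas_problems(sas, now)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{blob_endpoint(parts)}/{quote(container)}/{quote(blob_name)}?{sas}"


if __name__ == "__main__":
    sas_parts = parse_connection_string(SAS_CONN)
    print(auth_mode(parse_connection_string(ACCOUNT_KEY_CONN)), auth_mode(sas_parts))
    print(archive_url_from_sas(sas_parts, "migration-archives", "repo-archive.tar.gz",
                               now=parse_sas_time("2023-02-22T00:00:00Z")))
```

Because the SAS is minted by the customer, its lifetime and permissions are theirs to decide; the tool's job is only to refuse a token that cannot serve the upload-then-fetch flow (expired, read-only, or not covering the blob service) rather than to sign a URL of its own.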