CODEWITHSUNDEEP
azureazure-storageazure-resource-managerazure-rm-templateazure-cli
Jan_V
Jan_V

Reputation: 4406

Getting a SAS token for blob storage container doing an ARM deployment with Linked Templates

What I'm trying to do is deploying an ARM template using the Azure CLI on my local system, because I want to try out my changes local first, before pushing it to the repository.

We're using Linked Templates, which means I have to specify a URL where the linked templates are located and a SAS token in order to get access to these files.

The script I'm trying to execute looks like the following

az group deployment create --resource-group myResourceGroupName `
            --template-file azuredeploy.json `
            --parameters azuredeploy.d.parameters.json `
            --parameters local.parameters.json

The azuredeploy.json file contains the main template with the references to the other, linked, templates. The azuredeploy.d.parameters.json file contains all of the regular environment parameters (like pricing tier, etc.). The local.parameters.json contains 2 parameters called deploymentContainerSasToken and deploymentContainerUri (the SAS token and the location of the linked templates).

What I'm doing to create the SAS token is the following.

$end=date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'
$start=date '+%Y-%m-%dT00:00Z'

az storage container generate-sas `
            --account-name "mydeploymentfiles" `
            --account-key "[thePrimaryKey]" `
            --name "the/subfolder/buildversion.1+52/templates" `
            --start $start `
            --expiry $end `
            --permissions lr `
            --output tsv

This outputs a nice SAS token I can use.

st=2019-11-18T00%3A00Z&se=2019-11-18T14%3A30Z&sp=rl&sv=2018-03-28&sr=c&sig=aZn3cx%2BNCnN2YhXD9%2AeTJa6TQL/pUIpbsbP4HKtFN/4%3D

When running the deployment via Azure CLI I get the message the linked templates (the/subfolder/buildversion.1+52/templates/function-app.json, the/subfolder/buildversion.1+52/templates/storage.json) can't be reached.

So I've tried downloading them from the browser, with the generated SAS token and got the following.

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>AuthenticationFailed</Code>
    <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly
        including the signature.
        RequestId:2c0412dc-201e-0038-6b97-9e01ef000000
        Time:2019-11-19T05:11:12.2088927Z</Message>
    <AuthenticationErrorDetail>Signature not valid in the specified time frame: Start [Mon, 18 Nov 2019 00:00:00 GMT] -
        Expiry [Mon, 18 Nov 2019 14:30:00 GMT] - Current [Tue, 19 Nov 2019 05:11:12 GMT]</AuthenticationErrorDetail>
</Error>

I think this has something to do because I'm creating a SAS token for the container the files are in, but with the List and Read permission I should have access to it, right?

The release pipeline is working fine, I'm using the Azure Blob file copy over there in order to set the appropriate parameters.

Release pipeline steps

I'm a bit lost at this point.

What is the proper way to get a working SAS token to use for linked templates when running from the local system, where the linked templates reside in some sub-container.

Upvotes: 0

Views: 3316

Answers (1)

Jim Xu
Jim Xu

Reputation: 23111

According to the information you provide, you want to generate SAS token for a folder in Azure Blob storage container. It is impossible. Because Azure blob storage does not have the 'Folder' concept. For more details, please refer to the document and the article. enter image description here

So please generate SAS token for the container which contains blobs you need to access or for every blob you want to access. For example

#generate sas token for container
az storage container generate-sas `
            --account-name "<you account name>" `
            --account-key "<your account key>" `
            --name "<your container name>" `
            --start $start `
            --expiry $end `
            --permissions lr `
            --output tsv
# generate sas token for one blob
az storage container generate-sas `
            --account-name "<you account name>" `
            --account-key "<your account key>" `
            --name "<your Blob name>" `
            --container-name "<your container name>" `
            --start $start `
            --expiry $end `
            --permissions r `
            --output tsv

Upvotes: 2

Related Questions