Reputation: 11118
For testing purposes we have a PS script to deploy our ARM templates to a testing Resource Group.
```powershell
# Build a storage context from the signed-in account and mint a read-only container SAS valid for 1 hour
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
$sasToken = New-AzStorageContainerSASToken -Context $ctx -Name $containerName -Permission r -ExpiryTime (Get-Date).AddHours(1)
$toDeploy = "app1", "app2"
foreach ($template in $toDeploy) {
    # Template, parameter and post-deployment template URIs, each with the SAS token appended
    $templateUri = "${containerUrl}/${template}.json${sasToken}"
    $templateParameterUri = "${containerUrl}/${template}.parameters.Integration.json${sasToken}"
    $templatePostUri = "${containerUrl}/${template}.Post.json${sasToken}"
    # Main deployment
    New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
        -TemplateUri $templateUri `
        -TemplateParameterUri $templateParameterUri `
        -Mode Incremental `
        -DeploymentDebugLogLevel All `
        -Name "TestDeployment" `
        -Verbose
    # Post-deployment template
    New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
        -TemplateUri $templatePostUri `
        -Mode Incremental `
        -DeploymentDebugLogLevel All `
        -Name "TestDeploymentPost" `
        -Verbose
}
```
It works for 2 out of 3 developers. When one of us executes this, an error is displayed saying that the link to the template is invalid. ARM cannot download it.
Error: Code=InvalidContentLink; Message=Unable to download deployment content from
| 'https://ourstorage.blob.core.windows.net/user-testing/app1.json?SAS_TOKEN_HERE'. The tracking Id is '386e7670-1863-4c85-9484-8a27d2dd0760'.
But when we copy it into a browser, we can download it. All 3 of us. For some reason only ARM cannot download it. When the storage account is configured with public access and we remove the SAS token from the links, it works from this dev's machine. So it looks like some issue with SAS token generation from one machine. But why is this SAS token OK for us (3 devs) but invalid for ARM?
Upvotes: 0
Views: 1324
Reputation: 11118
So the problem was clock drift. I tried it from one more machine and received the same error, but this time I couldn't even download the template using a browser. But it gave me an error message: the SAS token was not valid. Its start time was in the future according to ARM.
The solution was to add `-StartTime (Get-Date).AddMinutes(-2)`.
It looks like the clock on this machine was further off, so I could spot the problem in the browser (token further in the future). With the other PC, by the time we pasted the link to the template into the browser the token was already good, so it looked like it was wrong only for ARM.
Upvotes: 1
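The not-yet-valid window described in this answer can be checked offline before a URI is handed to ARM. The following is an added example, not part of the original answer: `Get-SasWindow` and `Test-SasWindow` are hypothetical helper names, and the tokens and timestamps are constructed sample values.

```powershell
# Added example. Get-SasWindow / Test-SasWindow are hypothetical helpers, not Az cmdlets.
function Get-SasWindow {
    param([Parameter(Mandatory)][string]$SasToken)
    # Pull the st (signed start) and se (signed expiry) fields out of the SAS query string.
    $window = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $name, $value = $pair.Split('=', 2)
        if ($name -in 'st', 'se') {
            $window[$name] = [DateTimeOffset]::Parse(
                [Uri]::UnescapeDataString($value),
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::AssumeUniversal)
        }
    }
    [pscustomobject]@{ Start = $window['st']; Expiry = $window['se'] }
}

function Test-SasWindow {
    param(
        [Parameter(Mandatory)][string]$SasToken,
        # Time as the storage service sees it, NOT the local clock that minted the token.
        [Parameter(Mandatory)][DateTimeOffset]$ServiceTime
    )
    $w = Get-SasWindow -SasToken $SasToken
    if ($w.Start -and $ServiceTime -lt $w.Start) {
        $ahead = ($w.Start - $ServiceTime).TotalSeconds
        return "NotYetValid (start is ${ahead}s ahead of service time)"
    }
    if ($w.Expiry -and $ServiceTime -ge $w.Expiry) { return 'Expired' }
    'Valid'
}

# Constructed scenario: the minting machine's clock runs 3 minutes fast.
$serviceNow = [DateTimeOffset]::Parse('2024-05-01T10:00:00Z')
$drifted   = '?sv=2021-08-06&st=2024-05-01T10%3A03%3A00Z&se=2024-05-01T11%3A03%3A00Z&sr=c&sp=r&sig=CONSTRUCTED'
$backdated = '?sv=2021-08-06&st=2024-05-01T09%3A58%3A00Z&se=2024-05-01T11%3A03%3A00Z&sr=c&sp=r&sig=CONSTRUCTED'

# 1. ARM fetches the template immediately: the start time is still in the future.
Test-SasWindow -SasToken $drifted -ServiceTime $serviceNow
# 2. A person pastes the same link into a browser 4 minutes later: the window has opened.
Test-SasWindow -SasToken $drifted -ServiceTime $serviceNow.AddMinutes(4)
# 3. Same fast clock, but the start time was backdated by 5 minutes: usable right away.
Test-SasWindow -SasToken $backdated -ServiceTime $serviceNow
```

Microsoft's SAS guidance recommends backdating the start time by up to 15 minutes, or omitting it, to absorb clock skew between the issuing machine and the service.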
Reputation: 2908
Check the firewall setting on the storage account. It will need to allow access from All networks. I've seen the exact same situation and error messages because our developers could access by allowed IP but ARM could not. Until Microsoft enables storage accounts for 'Azure Resource Manager for template deployment', like the Key Vaults, ARM will not be able to access the storage content behind a firewall, even with a SAS token.
Though the following quote is about linked ARM templates, it still applies to deploying by URI. "Currently, you can't link to a template in a storage account that is behind an Azure Storage firewall." -- Source: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/linked-templates#securing-an-external-template
Issue discussion on GitHub: https://github.com/MicrosoftDocs/azure-docs/issues/37309
Upvotes: 2