Aleks G

Reputation: 57326

Restricting access to storage account containing package blob for cloud service (extended support) deployment

I'm nearly done migrating our cloud service (classic) deployments to cloud service (extended support). I'm working now on updating deployment pipelines. My package blob is located in a storage account. I create a SAS for the blob and use an API call to management.azure.com to create/update the deployment, passing ARM template as the body of the request.

This works correctly as long as the storage account with the package blob has its network set to "allow access from all networks". I want to restrict this access. I set the allow access from:

I also tick the "Allow Azure services on the trusted services list to access this storage account" checkbox.

Yet, the API call fails with an error message indicating access is not allowed to the blob. When I change the storage account network configuration to "allow access from all networks", everything works correctly.

With lots of searches, I found only one hit explaining the same problem - https://github.com/Azure/azure-powershell/issues/20299 - yet no solution has been suggested other than allowing access from all networks.

I must be missing some trick - but what is it? How can I restrict access to the storage account?

Upvotes: 0

Views: 174

Answers (1)

ARDavies93

Reputation: 41

In order to resolve your issue, I believe you'll need to generate a SAS token and then append it to your packageUrl as a query parameter, so:

packageUrl + "?" + sasToken

In order to generate a SAS token, you can use the Azure CLI in your deployment process. I have used something like this:

# Generate the SAS token for use in the ARM template ($account holds the storage account name, set earlier in the pipeline)
# Expiry 15 minutes from now, in UTC, in the format az accepts
$tokenExpiry = (Get-Date).AddMinutes(15).ToUniversalTime().ToString("yyyy-MM-ddTHH:mmZ")
# Account-level SAS: blob service only (--services b), service/container/object scope (--resource-types cso), create/read/list/write (--permissions crlw)
# -o tsv returns the bare token; the default JSON output wraps it in quotes, which would break the packageUrl
$sas = az storage account generate-sas --account-name $account --expiry $tokenExpiry --https-only --permissions crlw --resource-types cso --services b -o tsv

I found this link really useful: https://adamtheautomator.com/azure-sas-token/#:~:text=Generating%20a%20SAS%20Token%20using%20PowerShell,-To%20prevent%20having&text=PowerShell%20uses%20Azure's%20REST%20API,you'd%20like%20to%20access.

I hope this helps, I'm still struggling with trying to get a parameterised VMSize in my CSDEF during deployment but other than that I'm basically up and running.

Upvotes: 0
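The answer's approach carried through end to end, as an added example that is not code from the question or the answer: it scopes the SAS to the one package blob with read-only permission and a short expiry, checks the token before using it, and passes the resulting URL into the deployment. The account, container, blob, resource group, template file and the template parameter name `packageSasUri` are placeholders, and `az deployment group create` stands in for the poster's direct call to management.azure.com.

```powershell
# Added example, not code from the question or the answer. Mints a short-lived,
# read-only SAS scoped to the single package blob, checks the token before use,
# and hands the resulting URL to the ARM deployment as a parameter.
# Assumptions: `az login` has been run with rights to read the account key;
# every name below ($account, $container, $blobName, $resourceGroup, the
# template file and the parameter name packageSasUri) is a placeholder.
$ErrorActionPreference = 'Stop'

$account       = 'mystorageaccount'       # placeholder
$container     = 'packages'               # placeholder
$blobName      = 'MyCloudService.cspkg'   # placeholder
$resourceGroup = 'my-cses-rg'             # placeholder
$packageUrl    = "https://$account.blob.core.windows.net/$container/$blobName"

# Expiry in UTC, in the format az accepts. 15 minutes is enough for a deployment
# and limits how long a leaked URL stays usable.
$tokenExpiry = (Get-Date).ToUniversalTime().AddMinutes(15).ToString('yyyy-MM-ddTHH:mmZ')

# Blob-scoped SAS: read only, HTTPS only, one object. `-o tsv` returns the bare
# token instead of a JSON-quoted string, so it can be appended to the URL as-is.
$sas = az storage blob generate-sas `
    --account-name   $account `
    --container-name $container `
    --name           $blobName `
    --permissions    r `
    --expiry         $tokenExpiry `
    --https-only `
    -o tsv
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($sas)) {
    throw 'SAS generation failed; refusing to deploy without a token.'
}

# Parse the token and refuse anything broader than what was requested.
$sasParams = @{}
foreach ($pair in $sas.Split('&')) {
    $kv = $pair.Split('=', 2)
    if ($kv.Count -eq 2) { $sasParams[$kv[0]] = [System.Uri]::UnescapeDataString($kv[1]) }
}
if ($sasParams['sp'] -ne 'r')      { throw "SAS grants more than read: sp=$($sasParams['sp'])" }
if ($sasParams['spr'] -ne 'https') { throw 'SAS is not restricted to HTTPS.' }
$expiresUtc = [datetimeoffset]::Parse($sasParams['se']).UtcDateTime
if ($expiresUtc -gt (Get-Date).ToUniversalTime().AddMinutes(16)) {
    throw "SAS expiry $expiresUtc is later than requested."
}

# Use a format string rather than "$packageUrl?$sas": PowerShell treats `?` as a
# valid variable-name character, so that form would look up a variable named
# "packageUrl?" instead of appending the query string.
$packageSasUri = '{0}?{1}' -f $packageUrl, $sas

# Pass the URL to the template as a parameter. Declare it as a secureString in
# the template so the token is not echoed in deployment history or logs.
az deployment group create `
    --resource-group $resourceGroup `
    --template-file  './cses-deploy.json' `
    --parameters     "packageSasUri=$packageSasUri"
if ($LASTEXITCODE -ne 0) { throw 'Deployment failed.' }
```

If the pipeline identity should not be able to read the storage account key at all, `az storage blob generate-sas` also accepts `--as-user --auth-mode login`, which issues a user delegation SAS backed by the caller's Azure AD identity; the `sp`, `spr` and `se` checks above apply unchanged.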
