ghost
commented
1 year ago Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.
Issue Details
### Description The New-AzResourceGroupDeployment command doesn't work when deploying a template from an Azure storage account with Public network access disabled. **Following the below from the New-AzResourceGroupDeployment examples** Example 4: Deploy a template stored in a non public storage account using a uri and SAS token PowerShell New-AzResourceGroupDeployment -ResourceGroupName "RGName" -TemplateUri "https://example.com/example.json" -QueryString "foo" This command creates a new deployment using the template in TemplateUri which is not public and requires a token parameter to access which would be provided using the QueryString parameter. Running this command effectively accesses the template using the url https://example.com/example.json?foo. This can be used if you want to use a template in a storage account by providing the SAS token as the QueryString **Our Command** New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -TemplateURI "https://storageaccountURL/folder/xxxx.json" ` -TemplateParameterObject $Params ` -Name ("create-xxxxx" + '-' + ((Get-Date).ToUniversalTime()).ToString('MMdd-HHmm')) ` -QueryString "SAS Token" **Error** New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupNa … | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 18:05:59 - Error: Code=InvalidContentLink; Message=Unable to download | deployment content from | 'https://storageaccountURL/folder/xxxx.json?SAS token Note, I can access the storage account successfully using a browser and providing the SAS token. Your assistance would be appreciated. If this should be doable, I'll gather the debug and error output. Thanks. ### Script or Debug output _No response_ ### Environment data ```PowerShell $PSVersionTable Name Value ---- ----- PSVersion 7.3.0 PSEdition Core GitCommitId 7.3.0 OS Microsoft Windows 10.0.19044 Platform Win32NT PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…} PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1 WSManStackVersion 3.0 ``` ### Module versions ```PowerShell Get-Module Az* ModuleType Version PreRelease Name ExportedCommands ---------- ------- ---------- ---- ---------------- Script 2.12.3 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…} Script 4.10.0 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount…} Script 6.7.0 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…} Script 5.7.0 Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStorageAccountNetworkRule, Close-AzStorageFileHan… ``` ### Error output _No response_
| Author: | vlo001 |
|---|---|
| Assignees: | - |
| Labels: | `Service Attention`, `question`, `ARM - Templates`, `customer-reported` |
| Milestone: | - |
Description
The New-AzResourceGroupDeployment command doesn't work when deploying a template from an Azure storage account with Public network access disabled.
Following the below from the New-AzResourceGroupDeployment examples
Example 4: Deploy a template stored in a non public storage account using a uri and SAS token PowerShell
New-AzResourceGroupDeployment -ResourceGroupName "RGName" -TemplateUri "https://example.com/example.json" -QueryString "foo" This command creates a new deployment using the template in TemplateUri which is not public and requires a token parameter to access which would be provided using the QueryString parameter. Running this command effectively accesses the template using the url https://example.com/example.json?foo. This can be used if you want to use a template in a storage account by providing the SAS token as the QueryString
Our Command New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -TemplateURI "https://storageaccountURL/folder/xxxx.json"
-TemplateParameterObject $Params-Name ("create-xxxxx" + '-' + ((Get-Date).ToUniversalTime()).ToString('MMdd-HHmm')) ` -QueryString "SAS Token"Error New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupNa … |
~~~~~~~~~~~~~| 18:05:59 - Error: Code=InvalidContentLink; Message=Unable to download | deployment content from | 'https://storageaccountURL/folder/xxxx.json?SAS tokenNote, I can access the storage account successfully using a browser and providing the SAS token.
Your assistance would be appreciated. If this should be doable, I'll gather the debug and error output.
Thanks.
Script or Debug output
No response
Environment data
Module versions
Error output
No response