CompositionalIT / farmer

Repeatable Azure deployments with ARM templates - made easy!
https://compositionalit.github.io/farmer
MIT License

[Feature Request] Azure Storage SAS Tokens with ARM Templates #599

Open ma3yta opened 3 years ago

ma3yta commented 3 years ago

Articles about the subject

Example:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "defaultValue": "[uniqueString(subscription().subscriptionId, resourceGroup().name)]"
    },
    "containerName": {
      "type": "string",
      "defaultValue": "images"
    }
  },
  "variables": {
    "serviceSasFunctionValues": {
      "canonicalizedResource": "[concat('/blob/', parameters('storageAccountName'), '/', parameters('containerName'))]",
      "signedResource": "c",
      "signedPermission": "r",
      "signedExpiry": "2050-01-01T00:00:00Z"
    }
  },
  "resources": [
    {
      "apiVersion": "2018-02-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "type": "Microsoft.Storage/storageAccounts",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2",
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "accessTier": "Hot",
        "encryption": {
          "services": {
            "blob": {
              "enabled": true
            },
            "file": {
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        }
      },
      "resources": [
        {
          "name": "[concat('default/', parameters('containerName'))]",
          "type": "blobServices/containers",
          "apiVersion": "2018-03-01-preview",
          "dependsOn": [
            "[parameters('storageAccountName')]"
          ]
        }
      ]
    }
  ],
  "outputs": {
    "serviceSas": {
      "type": "string",
      "value": "[listServiceSas(parameters('storageAccountName'), '2018-02-01', variables('serviceSasFunctionValues')).serviceSasToken]"
    }
  }
}

isaacabraham commented 3 years ago

@Ma3yTa is this then using ARM as a way to generate SAS tokens?

ma3yta commented 3 years ago

@isaacabraham Yes. We can submit a variable in the ARM template as follows:

"variables": {
    "serviceSasFunctionValues": {
      "canonicalizedResource": "[concat('/blob/', parameters('storageAccountName'), '/', parameters('containerName'))]",
      "signedResource": "c",
      "signedPermission": "rwac",
      "signedExpiry": "2050-01-01T00:00:00Z"
    }
  }

and use an expression to get the SAS token in the output:

"outputs": {
    "serviceSas": {
      "type": "string",
      "value": "[listServiceSas(parameters('storageAccountName'), '2018-02-01', variables('serviceSasFunctionValues')).serviceSasToken]"
    }
  }

Output result:

"outputs": {
      "serviceSas": {
        "type": "String",
        "value": "sv=2015-04-05&sr=c&se=2050-01-01T00%3A00%3A00.0000000Z&sp=r&sig=Eq%2BJlx6le6SrFKEEd8s73OyS1Ur39pzXZRn6GJ1p6fM%3D"
      }
    }
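
An added example, not code from Farmer or from the commenters above: a pre-deployment check for the pattern in this thread. It flags outputs that emit a `listServiceSas`/`listAccountSas` token as a plain string, and SAS parameters with a far-off expiry, permissions beyond read/list, or no HTTPS restriction. The 7-day threshold, the function name `audit_template` and the sample account name are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

SAS_CALL = re.compile(r"list(Service|Account)Sas\(", re.IGNORECASE)
VAR_REF = re.compile(r"variables\('([^']+)'\)")
MAX_LIFETIME = timedelta(days=7)  # assumed policy threshold, not an Azure limit

# Constructed sample: the variables/outputs shape from the thread, trimmed.
SAMPLE = {
    "variables": {"serviceSasFunctionValues": {
        "canonicalizedResource": "/blob/examplestorage/images",
        "signedResource": "c",
        "signedPermission": "rwac",
        "signedExpiry": "2050-01-01T00:00:00Z"}},
    "outputs": {"serviceSas": {
        "type": "string",
        "value": "[listServiceSas(parameters('storageAccountName'), '2018-02-01', "
                 "variables('serviceSasFunctionValues')).serviceSasToken]"}},
}


def audit_template(template, now=None):
    """Return (output name, finding) pairs for outputs that emit a SAS token."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for name, out in template.get("outputs", {}).items():
        expr = str(out.get("value", ""))
        if not SAS_CALL.search(expr):
            continue
        # A plain string output is stored with the deployment record.
        if str(out.get("type", "")).lower() != "securestring":
            findings.append((name, "token returned through a non-secure output"))
        for var in VAR_REF.findall(expr):
            params = template.get("variables", {}).get(var)
            if not isinstance(params, dict):
                continue
            expiry = str(params.get("signedExpiry", ""))
            try:
                end = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
                end = end if end.tzinfo else end.replace(tzinfo=timezone.utc)
                if end - now > MAX_LIFETIME:
                    findings.append((name, "expiry beyond policy: " + expiry))
            except ValueError:  # template expression or missing value
                findings.append((name, "expiry is not a literal timestamp"))
            extra = sorted(set(str(params.get("signedPermission", ""))) - {"r", "l"})
            if extra:
                findings.append((name, "permissions beyond read/list: " + "".join(extra)))
            if str(params.get("signedProtocol", "")).lower() != "https":
                findings.append((name, "signedProtocol not set to https"))
    return findings
```
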