0 votes

Is there a way to access the linked template on a private blob storage using 'listKeys'? That way I don't need to generate a SAS token each time I deploy. Something along the lines of:

"[concat('DefaultEndpointsProtocol=https;AccountName=',variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts', variables('StorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value)]"

To go in:

"parameters": {
    "sasToken": { "type": "securestring" }
},
"resources": [
    {
        "apiVersion": "2017-05-10",
        "name": "linkedTemplate",
        "type": "Microsoft.Resources/deployments",
        "properties": {
          "mode": "incremental",
          "templateLink": {
            "uri": "[concat('https://storagecontosotemplates.blob.core.windows.net/templates/helloworld.json', parameters('sasToken'))]",
            "contentVersion": "1.0.0.0"
          }
        }
    }
],

The MS documentation doesn't mention it, but it would be easy to deploy without having to generate a token.

In response to Tom as to why I can't use Key Vault: it still requires the token to be input. Here is the code for the token, which needs to be inside the parameters:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": "cmdbAdmin"
    },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/c8727b53-932a-4f48-9fa1-00765c554992/resourceGroups/AnsibleTest1/providers/Microsoft.KeyVault/vaults/ansibletest"
        },
        "secretName": "adminPassword"
      }
    }
  }
}

...and it appears like this in Azure templates. As you can see, you will still need to put in some credentials :(

(Screenshot: Azure Templates)

1

To answer your direct question, "no". Can you expand on the scenario a bit more? Some things that came to mind are 1) does it need to be nested, 2) does it need to be secure, 3) how many customers need to be able to deploy this way (which makes Key Vault management more difficult), etc.

bmoore-msft

1 Answer

0 votes

it would be easy to deploy without having to generate a token

  "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('StorageAccountName'),';AccountKey=',listKeys(resourceId('otherResourceGroup', 'Microsoft.Storage/storageAccounts', variables('StorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value)]"

The code you mentioned gets the connection string from the storage account. Azure Storage supplies the primary and secondary keys, so we could use the listKeys API to get the account keys. But a SAS token we need to generate: we need to supply a start time, expiry time, access permissions, etc. Based on my experience, there is no equivalent of listKeys for generating a SAS token.

That way I don't need to generate a SAS token each time I deploy

But we could store the SAS token in Key Vault, then get the value dynamically in the ARM template. For details, we could refer to this blog.

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sasToken": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/{subscriptionId}/resourceGroups/{resource group name}/providers/Microsoft.KeyVault/vaults/MyUniqueKeyVaultName"
        },
        "secretName": "secretName"
      }
    }
  }
}
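The answer's point that a SAS has to be generated from the account key plus a scope and lifetime, rather than listed like a key, shown as an added example that is not from the question, the answer or Azure's SDKs: it derives a read-only service SAS for the linked-template blob using the documented version 2018-03-28 string-to-sign, and it is this short-lived token, not the key, that belongs in the Key Vault secret the answer references. The account key is a constructed placeholder; the blob URL is the one from the question.

```python
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed account key for the demo. A real key comes from listKeys and must
# never be written into a template, a parameter file or a URL.
DEMO_ACCOUNT_KEY = base64.b64encode(b"\x2a" * 64).decode()
TEMPLATE_URI = "https://storagecontosotemplates.blob.core.windows.net/templates/helloworld.json"
SAS_VERSION = "2018-03-28"  # service SAS version whose string-to-sign has 13 fields


def string_to_sign(account, container, blob, perms, start, expiry, protocol="https"):
    """Service SAS string-to-sign (version 2018-03-28): everything the token grants."""
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [perms, start, expiry, canonical,
              "",                    # signed identifier (no stored access policy)
              "",                    # signed IP range (any)
              protocol, SAS_VERSION,
              "", "", "", "", ""]    # rscc, rscd, rsce, rscl, rsct response headers
    return "\n".join(fields)

def blob_read_sas(account, account_key_b64, container, blob, expiry_utc, start_utc=""):
    """Read-only service SAS query string (leading '?') for one blob. Timestamps are
    UTC strings YYYY-MM-DDTHH:MM:SSZ. The HMAC binds permissions and lifetime to the
    account key; the key itself never appears in the token."""
    sts = string_to_sign(account, container, blob, "r", start_utc, expiry_utc)
    key = base64.b64decode(account_key_b64)
    sig = base64.b64encode(hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()).decode()
    params = {"sv": SAS_VERSION, "sr": "b", "sp": "r", "se": expiry_utc, "spr": "https", "sig": sig}
    if start_utc:
        params["st"] = start_utc
    return "?" + urllib.parse.urlencode(params)

def sas_fields(sas):
    """Parse a SAS query string so its scope (sp, se, sr) can be reviewed before it is stored."""
    return dict(urllib.parse.parse_qsl(sas.lstrip("?")))

def linked_template_uri(sas):
    """Same as concat('https://.../helloworld.json', parameters('sasToken')) in the template."""
    return TEMPLATE_URI + sas


if __name__ == "__main__":
    # One-hour, read-only token: this is the value to store as the Key Vault secret.
    expiry = (datetime.now(timezone.utc) + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
    sas = blob_read_sas("storagecontosotemplates", DEMO_ACCOUNT_KEY, "templates",
                        "helloworld.json", expiry)
    print(sas_fields(sas)["sp"], sas_fields(sas)["se"])
    print(linked_template_uri(sas))
```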