4
votes

I use the following example to generate SAS and configure App Service to send https and application logs to the blob.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccountName": {
            "type": "string",
            "defaultValue": "[concat('storage', uniqueString(resourceGroup().id))]",
            "metadata": {
                "description": "The name of Storage Account."
            }
        },
        "blobContainerName": {
            "type": "string",
            "defaultValue": "[concat(parameters('webAppName'), '-logs')]",
            "metadata": {
                "description": "The name of Blob Container to store diagnostics logs from Web App."
            }
        },
        "storageAccountSkuName": {
            "type": "string",
            "defaultValue": "Standard_LRS",
            "metadata": {
                "description": "The name of the App Service Plan."
            }
        },
        "storageAccountKind": {
            "type": "string",
            "defaultValue": "StorageV2",
            "metadata": {
                "description": "The name of the Storage Account Type."
            }
        },
        "appServicePlanName": {
            "type": "string",
            "defaultValue": "[concat('appServicePlan', '-', uniqueString(resourceGroup().id))]",
            "metadata": {
                "description": "The name of the App Service Plan."
            }
        },
        "appServicePlanSkuName": {
            "type": "string",
            "defaultValue": "F1",
            "metadata": {
                "description": "The SKU name of the App Serivce Plan."
            }
        },
        "webAppName": {
            "type": "string",
            "defaultValue": "[concat('webApp', '-', uniqueString(resourceGroup().id))]",
            "metadata": {
                "description": "The name of the Web App."
            }
        },
        "diagnosticsLogsLevel": {
            "type": "string",
            "defaultValue": "Verbose",
            "allowedValues": [
                "Verbose",
                "Information",
                "Warning",
                "Error"
            ],
            "metadata": {
                "description": "The degree of severity for diagnostics logs."
            }
        },
        "diagnosticsLogsRetentionInDays": {
            "type": "int",
            "defaultValue": 10,
            "metadata": {
                "description": "Number of days for which the diagnostics logs will be retained."
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "blobContainerName": "[toLower(parameters('blobContainerName'))]",
        "listAccountSasRequestContent": {
            "signedServices": "bfqt",
            "signedPermission": "rwdlacup",
            "signedStart": "2018-10-01T00:00:00Z",
            "signedExpiry": "2218-10-30T00:00:00Z",
            "signedResourceTypes": "sco"
        }
    },
    "resources": [
        {
            "apiVersion": "2018-02-01",
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('storageAccountName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "[parameters('storageAccountSkuName')]"
            },
            "kind": "[parameters('storageAccountKind')]",
            "resources": [
                {
                    "name": "[concat('default/', variables('blobContainerName'))]",
                    "type": "blobServices/containers",
                    "apiVersion": "2018-02-01",
                    "dependsOn": [
                        "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
                    ],
                    "properties": {
                        "publicAccess": "Blob"
                    }
                }
            ]
        },
        {
            "apiVersion": "2018-02-01",
            "type": "Microsoft.Web/serverfarms",
            "name": "[parameters('appServicePlanName')]",
            "location": "[parameters('location')]",
            "sku": {
                "Name": "[parameters('appServicePlanSkuName')]"
            }
        },
        {
            "apiVersion": "2018-02-01",
            "type": "Microsoft.Web/sites",
            "name": "[parameters('webAppName')]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]",
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
            ],
            "properties": {
                "name": "[parameters('webAppName')]",
                "serverFarmId": "[concat('/subscriptions/', subscription().id,'/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]"
            },
            "resources": [
                {
                    "apiVersion": "2018-02-01",
                    "type": "config",
                    "name": "logs",
                    "dependsOn": [
                        "[concat('Microsoft.Web/sites/', parameters('webAppName'))]"
                    ],
                    "properties": {
                        "applicationLogs": {
                            "azureBlobStorage": {
                                "level": "[parameters('diagnosticsLogsLevel')]",
                                "sasUrl": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))).primaryEndpoints.blob, variables('blobContainerName'), '?', listAccountSas(parameters('storageAccountName'), '2018-02-01', variables('listAccountSasRequestContent')).accountSasToken)]",
                                "retentionInDays": "[parameters('diagnosticsLogsRetentionInDays')]"
                            }
                        }
                    }
                }
            ]
        }
    ]
}

When I tried to log stream one of my AppService deployed with this ARM template I saw following error message: Missing mandatory parameters for valid Shared Access Signature. listAccountSasRequestContent

https://xxxstorage.blob.core.windows.net/httplogs?sv=2015-04-05&ss=bfqt&srt=sco&sp=rwdlacup&st=2018-01-01T00:00:00.0000000Z&se=2118-01-01T00:00:00.0000000Z&sig=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What can be the root cause of this error?

P.S If I generate SAS manually from Portal or Azure Storage Explorer I see that sv=2018-03-28, also SAS from Portal and Azure Storage Explorer have an sr=c parameter.

2
If my reply is helpful, please mark it as the answer(on the left of my reply, there is an option to mark), thanks.Joy Wang-MSFT

2 Answers

4
votes

An Azure Team engineer provided with working piece of code. See below.

 "variables": {
    "blobContainerName": "[toLower(parameters('blobContainerName'))]",
    "serviceSasProperties": {
        "canonicalizedResource": "[concat('/blob/', parameters('storageAccountName'),'/',parameters('blobContainerName'))]",
        "signedResource": "c",
        "signedPermission": "rwdl",
        "signedstart":"2017-08-20T11:00:00Z",
        "signedExpiry": "2020-08-20T11:00:00Z",
        "signedversion": "2015-04-05"
    }
},

"sasUrl": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net/',parameters('blobContainerName'),'?',listServiceSas(parameters('storageAccountName'), '2018-07-01', variables('serviceSasProperties')).serviceSasToken)]",
0
votes

It seems the SAS URI you provided is not correct, it mix the parameters of account SAS and service SAS. This part https://xxxstorage.blob.core.windows.net/httplogs looks should be a Service SAS URI, but it has the ss=bfqt and srt=sco parameters which belong to parameters for an account SAS token.

For more details, you could refer to these links.