0
votes

I have two resource groups running in one subscription; inside the subscription I have two resource groups, for example RG1 and RG2. RG1 contains a storage account whereas RG2 contains a web app. I have used an ARM template to create the resources. Inside the app settings of the RG2 web app, I have to manually pass the storage account's connection string from RG1. Is there any way to fetch the connection string dynamically using an ARM script, in this case?

1 Answer

1
votes

Have you looked at using MSI authentication for your Web App? If you are deploying with ARM, add this to the Web App:

    "identity": {
      "type": "SystemAssigned"
    },

This will create a Managed Service Identity which will eliminate the need to even manage the connection string. After the App has an MSI, then in the Storage account grant the MSI an RBAC role to the storage account by looking up the associated Role ID and configuring your ARM template to include the RBAC assignment.

Personally I tend to store my roles as JSON object variables since the IDs are the same across all subscriptions. It makes them easier to assign to specific objects or MSI IDs.

    "Contributor": {
      "RoleID": "[concat(variables('roleDefinition'), 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
      "RoleName": "Contributor"
    },

That way when doing the assignment it would look like:

    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2018-09-01-preview",
      "name": "[concat(variables('storageName'), '/Microsoft.Authorization/', guid(uniqueString(variables('storageName'), variables('Contributor').RoleName, parameters('principalId'))))]",
      "dependsOn": [
        "[variables('storageName')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('Contributor').RoleID]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('webSiteName')), '2018-02-01', 'Full').identity.principalId]"
      }
    }

You may need to tweak this since the storage account and Web App are in different resource groups, but hopefully this gets you started.

If you aren't comfortable with the MSI piece, or are unable to use it, another option would be to store the secret for the connection in Key Vault and have your Web App call that to get the secret.
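The cross-resource-group case the answer leaves as "tweak as needed" is the part the question actually asks about, so here is a complete ARM template for it. This is an added example, not code from the answer above: the Web App in RG2 gets a system-assigned identity, and a nested `Microsoft.Resources/deployments` resource targeting RG1 (via its `resourceGroup` property) creates a `Microsoft.Authorization/roleAssignments` extension resource scoped to the storage account. The principal ID is read from the Web App's identity at the outer scope and passed into the inner template as a parameter. Parameter names (`webSiteName`, `storageName`, `storageResourceGroup`), the deployment name and the `STORAGE_ACCOUNT_URL` app setting are assumptions for this example. The role used is Storage Blob Data Contributor (`ba92f5b4-2d11-453d-a403-e96b0029c9fe`), the data-plane role a token-based client needs to read and write blobs; Contributor is a control-plane role and does not by itself grant blob data access to an identity. The only value that ends up in app settings is the account URL, which is not a secret.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "webSiteName": { "type": "string" },
    "storageName": { "type": "string" },
    "storageResourceGroup": { "type": "string", "defaultValue": "RG1" }
  },
  "variables": {
    "roleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/')]",
    "StorageBlobDataContributor": {
      "RoleID": "[concat(variables('roleDefinition'), 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
      "RoleName": "Storage Blob Data Contributor"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-02-01",
      "name": "[parameters('webSiteName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "siteConfig": {
          "appSettings": [
            {
              "name": "STORAGE_ACCOUNT_URL",
              "value": "[concat('https://', parameters('storageName'), '.blob.core.windows.net')]"
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "[concat('rbac-', parameters('storageName'))]",
      "resourceGroup": "[parameters('storageResourceGroup')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "principalId": {
            "value": "[reference(resourceId('Microsoft.Web/sites', parameters('webSiteName')), '2018-02-01', 'Full').identity.principalId]"
          },
          "roleDefinitionId": { "value": "[variables('StorageBlobDataContributor').RoleID]" },
          "storageName": { "value": "[parameters('storageName')]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": { "type": "string" },
            "roleDefinitionId": { "type": "string" },
            "storageName": { "type": "string" }
          },
          "resources": [
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), parameters('roleDefinitionId'), parameters('principalId'))]",
              "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]",
              "properties": {
                "roleDefinitionId": "[parameters('roleDefinitionId')]",
                "principalId": "[parameters('principalId')]",
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it against RG2 (for example `az deployment group create -g RG2 -f template.json -p webSiteName=... storageName=...`); the deploying identity needs permission to create role assignments on the RG1 storage account, which is the one control-plane privilege this design still requires. The `guid()` seed combines the storage account resource ID, the role and the principal, so the assignment name is stable across redeployments and does not collide with assignments of other roles to the same identity. Setting `principalType` to `ServicePrincipal` avoids the intermittent "principal not found" failure that occurs when the role assignment is attempted before the new identity has finished replicating.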