azure - Azure VM Custom script extension identity access to Storage Account
Problem description
In the custom script extension of a VM I want to execute this command:

```
#download azcopy from http://aka.ms/downloadazcopy
c:\azcopy login --identity
C:\azcopy copy https://mystorage.blob.core.windows.net/software C:\Temp --recursive
```
But for this to work the identity of the VM needs to be added as "Storage Blob Data Contributor". In terraform we could do it this way:

```hcl
resource "azurerm_role_assignment" "role" {
  scope                = data.azurerm_storage_account.vault.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_windows_virtual_machine.vm.identity.0.principal_id
}
```
But if we do not use terraform and instead use Azure DevOps and ARM templates, how would you execute it? Because the VM is not created yet to give identity access. Custom script extension is part of the creation.
Solution
You can enable a system-assigned managed identity using an Azure Resource Manager template. Reference here.
Step 1

To enable system-assigned managed identity, locate the Microsoft.Compute/virtualMachines resource of interest within the resources section and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property. Use the following syntax:

```json
"identity": {
    "type": "SystemAssigned"
},
```
Step 2
When you're done, the following sections should be added to the resource section of your template and it should resemble the following:
```json
"resources": [
    {
        //other resource provider properties...
        "apiVersion": "2018-06-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "SystemAssigned"
        }
    },
    //The following appears only if you provisioned the optional VM extension (to be deprecated)
    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2018-06-01",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            }
        }
    }
]
```
Step 3
Grant it a role "Storage Blob Data Contributor" access to the resource group in which it was created.
Under the parameters section add the following:

```json
"builtInRoleType": {
    "type": "string",
    "defaultValue": "StorageBlobDataContributor"
},
"rbacGuid": {
    "type": "string"
}
```
Under the variables section add the following:

```json
"StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
```
Under the resources section add the following:

```json
{
    "apiVersion": "2017-09-01",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[parameters('rbacGuid')]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        // variables('vmResourceId') is not shown above; it is expected to hold
        // resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))
        "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
        "scope": "[resourceGroup().id]"
    },
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}
```
Update
To grant the identity an RBAC role on a specific storage account, refer to this answer.

```json
{
    "apiVersion": "2018-01-01-preview",
    "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
    "name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/',parameters('rbacGuid'))]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines',parameters('vmName')), '2017-12-01', 'Full').identity.principalId]"
    },
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}
```
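As an added example (not from the answer or the Microsoft docs it quotes), here is an ARM fragment that ties the pieces together for the questioner's scenario: the role assignment is scoped to the storage account only rather than the whole resource group, its name is a deterministic guid() instead of a user-supplied rbacGuid, and the custom script extension lists the assignment in dependsOn so that azcopy login --identity runs only after the role exists. It assumes the Microsoft.Compute/virtualMachines resource (with "identity": {"type": "SystemAssigned"}) is declared in the same template, that the storage account already exists in the deployment's resource group, and that azcopy.exe is already present at C:\azcopy.exe; the vmName and storageAccountName parameters and the variable names are mine.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": { "type": "string" },
    "storageAccountName": { "type": "string" }
  },
  "variables": {
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "blobContributorRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "assignmentName": "[guid(variables('storageId'), parameters('vmName'), 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"
  },
  "resources": [
    // assumed: the Microsoft.Compute/virtualMachines resource with "identity": {"type": "SystemAssigned"} is declared here
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
      "name": "[variables('assignmentName')]",
      "properties": {
        "roleDefinitionId": "[variables('blobContributorRoleId')]",
        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')), '2023-03-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2023-03-01",
      "name": "[format('{0}/CustomScript', parameters('vmName'))]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
        "[extensionResourceId(variables('storageId'), 'Microsoft.Authorization/roleAssignments', variables('assignmentName'))]"
      ],
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.10",
        "autoUpgradeMinorVersion": true,
        "protectedSettings": {
          "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"C:\\azcopy.exe login --identity; C:\\azcopy.exe copy 'https://mystorage.blob.core.windows.net/software' 'C:\\Temp' --recursive\""
        }
      }
    }
  ]
}
```

Setting principalType to ServicePrincipal lets the assignment succeed while the freshly created identity is still replicating in Azure AD; RBAC changes can still take a few minutes to take effect, so a short retry loop around azcopy login is worth keeping in the script.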