Tutorial: Use managed identity to access Azure Storage using SAS credential – Azure AD – Microsoft Entra | Microsoft Docs

The VM is deployed with this script (useful for testing all the ARM templates over and over again):

azure-arm-104/deploy_vm.ps1 at master · spawnmarvel/azure-arm-104 · GitHub

So the VM is ready

We deployed it in a secure external vnet and subnet, with its own network security group attached to the subnet.

So this bypasses all the rules that were deployed automatically in the VM's NSG, test-292-nsg.

So to use RDP we must create a new rule in the subnet's security group.

Get my ip:

What Is My IP? Quickly See My IP Address and My IP Location

Add an RDP rule with only that IP as the source.

Now we are in:

Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.

Successfully registered ‘test-292-vmname’ with Azure Active Directory.

The "blob container in a storage account" step is already done; it is an existing storage account.

We will just create a container for this test and name it testmaidentity. We keep all default settings and security.

Upload a local file helloworld.txt to the container

Now for the fun

Grant access

Navigate back to the storage account.

Select Access control (IAM).

Select Add > Add role assignment to open the Add role assignment page.

And we see our VM, now add it and review + create

test-292-vmname was added as Storage Blob Data Reader for testit3straccount.

Now let's use PowerShell to access the container.

For the step:

(Be sure to install the Azure Storage cmdlets first, using Install-Module Azure.Storage if not present (it was already present on Windows Server 2019))

I met a few errors:

Invoke-WebRequest : {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxx' with object id 'xxxx' does not have authorization to 
perform action 'Microsoft.Storage/storageAccounts/listServiceSas/action' over scope 

# You need to go to your subscription and grant object id 'xxx' Contributor permissions (easy way), or create a
# custom role (or find a predefined role) that meets your needs.

# This role was granted after I logged in from my machine after running connect first:
# Connect-AzAccount -TenantId the-tenant-id-number

New-AzRoleAssignment -ObjectId 'xxxx' -Scope '/subscriptions/xxx-findit-under-subscriptions-or-use-ps1-to-get-it' -RoleDefinitionName contributor

New error
Invoke-WebRequest : {"error":{"code":"InvalidValuesForRequestParameters","message":"Values for request parameters are invalid: signedExpiry."}}

# Well that is not strange:

signedExpiry="2017-09-23T00:00:00Z"}

# Set a valid date

signedExpiry="2022-08-14T00:00:00Z"}
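The whole flow the tutorial walks through (IMDS token, listServiceSas, upload with the SAS) with both fixes folded in, as an added example that is neither the author's upload_file.ps1 nor Microsoft's script. It assumes the Az.Storage module rather than the older Azure.Storage module, and the subscription id, resource group and local file path are placeholders; the storage account and container names are the ones used on this page.

```powershell
# Added example: runs on a VM whose system-assigned managed identity has been granted
# the listServiceSas action on the storage account. Placeholder values must be replaced.
$SubscriptionId = '<SUBSCRIPTION-ID>'
$ResourceGroup  = '<RESOURCE-GROUP>'
$StorageAccount = 'testit3straccount'
$Container      = 'testmaidentity'
$LocalFile      = 'C:\temp\helloworld.txt'   # constructed path for this example

# 1. Get an ARM access token from the instance metadata endpoint (no secrets stored on the VM).
$tokenUri  = 'http://169.254.169.254/metadata/identity/oauth2/token' +
             '?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
$tokenResp = Invoke-WebRequest -Uri $tokenUri -Method GET -Headers @{ Metadata = 'true' } -UseBasicParsing
$armToken  = ($tokenResp.Content | ConvertFrom-Json).access_token
if (-not $armToken) { throw 'IMDS returned no access_token; is the managed identity enabled on this VM?' }

# 2. Build the SAS request. signedExpiry must be a future ISO 8601 UTC timestamp; the
#    hard-coded 2017 date from the tutorial is what caused InvalidValuesForRequestParameters.
#    Computing it keeps the SAS short-lived instead of valid until some distant fixed date.
$expiry = (Get-Date).ToUniversalTime().AddHours(1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$params = @{
    canonicalizedResource = "/blob/$StorageAccount/$Container"
    signedResource        = 'c'      # container-scoped SAS
    signedPermission      = 'rcw'    # read, create, write; narrow further if the job only uploads
    signedProtocol        = 'https'
    signedExpiry          = $expiry
}

# 3. Ask Resource Manager for the SAS. The identity needs
#    Microsoft.Storage/storageAccounts/listServiceSas/action on this account (the AuthorizationFailed
#    error above); a role scoped to the storage account is tighter than subscription-wide Contributor.
$sasUri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.Storage/storageAccounts/$StorageAccount/listServiceSas/?api-version=2017-06-01"
$sasResp = Invoke-WebRequest -Uri $sasUri -Method POST -Body ($params | ConvertTo-Json) -ContentType 'application/json' -Headers @{ Authorization = "Bearer $armToken" } -UseBasicParsing
$sasToken = ($sasResp.Content | ConvertFrom-Json).serviceSasToken
if (-not $sasToken) { throw 'listServiceSas returned no serviceSasToken.' }

# 4. Use the short-lived SAS (never the ARM token itself) for the data-plane upload.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -SasToken $sasToken
Set-AzStorageBlobContent -File $LocalFile -Container $Container -Blob (Split-Path $LocalFile -Leaf) -Context $ctx -Force
```

The SAS expires an hour after it is issued, so a leaked copy is useful for far less time than one minted with a fixed far-future signedExpiry.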

PowerShell result

Blob(s) uploaded in Azure

Final script

azure-arm-104/upload_file.ps1 at master · spawnmarvel/azure-arm-104 · GitHub