https://pulumi.com logo
#azure
Title
# azure
d

damp-honey-93158

05/05/2022, 3:05 PM
Does anyone have some ideas/samples of how I can create a storage account policy and off that a SAS token - allowing the rest of my build pipeline to use that as a connection string? End goal: don't expose the account keys, make it possible for the build pipeline to publish a nuget package (via sleet - which uses a connection string).
c

clean-truck-93285

05/05/2022, 9:14 PM
No examples, but ARM does not expose an API to make a stored access policy with IaC. Could look into adding a PowerShell task to your pipeline to generate the stored access policy. https://docs.microsoft.com/en-us/powershell/module/az.storage/new-azstoragecontainerstoredaccesspolicy?view=azps-7.5.0
d

damp-honey-93158

05/06/2022, 8:46 AM
That is valuable info, now it makes sense why I can't find the API calls 🙂 I'll take a look at your advice or just script the whole part - its a bootstrapping phase anyway so won't happen often (still don't like the taste but I don't have all day either). Thank you!
c

clean-truck-93285

05/06/2022, 12:20 PM
I spend more time reading the ARM documentation than on Pulumi registry. I also might be wrong, I looked at the blob service ARM yesterday. Not sure what the sasPolicy on the main storage account is. That might get you what you looking for. https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep
d

damp-honey-93158

05/07/2022, 8:36 AM
instead I spent the day fighting with Azure - in terms of how to get a service principal to be created, such that it can be used by the rest of the pulumi service + pipeline for keyvault and resource creation and RBAC. Boy it was frustrating.
I might have it now though - next week will tell.
thank you for your answers and help!
7 Views