Thread
#azure
    d

    damp-honey-93158

    4 months ago
    Does anyone have some ideas/samples of how I can create a storage account policy and off that a SAS token - allowing the rest of my build pipeline to use that as a connection string? End goal: don't expose the account keys, make it possible for the build pipeline to publish a nuget package (via sleet - which uses a connection string).
    c

    clean-truck-93285

    4 months ago
    No examples, but ARM does not expose an API to make a stored access policy with IaC. Could look into adding a PowerShell task to your pipeline to generate the stored access policy. https://docs.microsoft.com/en-us/powershell/module/az.storage/new-azstoragecontainerstoredaccesspolicy?view=azps-7.5.0
    d

    damp-honey-93158

    4 months ago
    That is valuable info, now it makes sense why I can't find the API calls 🙂 I'll take a look at your advice or just script the whole part - its a bootstrapping phase anyway so won't happen often (still don't like the taste but I don't have all day either). Thank you!
    c

    clean-truck-93285

    4 months ago
    I spend more time reading the ARM documentation than on Pulumi registry. I also might be wrong, I looked at the blob service ARM yesterday. Not sure what the sasPolicy on the main storage account is. That might get you what you looking for. https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep
    d

    damp-honey-93158

    4 months ago
    instead I spent the day fighting with Azure - in terms of how to get a service principal to be created, such that it can be used by the rest of the pulumi service + pipeline for keyvault and resource creation and RBAC. Boy it was frustrating.
    I might have it now though - next week will tell.
    thank you for your answers and help!