
VSTS Task to create a SAS Token

31 Aug, 2016

The Create SAS Token task creates a SAS Token which can be used to access a private Azure Storage Container. The task also gets the StorageUri. Both variables can be used in subsequent tasks, like the Azure Resource Group Deployment task. This is the first task of the Infrastructure as Code series.
The task can be found in the marketplace and added to your VSTS account. The code is open source and can be found on GitHub.

Prerequisites for the sample

In this sample I’m executing an ARM template which uses linked ARM Templates. These linked ARM Templates are stored in a private Azure Storage Container. I will be using the Azure Resource Group Deployment task to deploy the parent ARM Template.
The Azure Storage Container looks like this:
[Screenshot: AzureStorageContainer]

The StorageAccount.json ARM Template looks like this:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    },
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "apiVersion": "2016-01-01",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "Storage",
      "properties": {
      }
    }
  ]
}

The ARM template which links to the StorageAccount.json looks like this:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string"
    },
    "_artifactsLocation": {
      "type": "string",
      "metadata": {
        "description": "Change this value to your repo name if deploying from a fork"
      },
      "defaultValue": ""
    },
    "_artifactsLocationSasToken": {
      "type": "securestring",
      "metadata": {
        "description": "Auto-generated token to access _artifactsLocation",
        "artifactsLocationSasToken": ""
      },
      "defaultValue": ""
    }
  },
  "variables": {
  },
  "resources": [
    { 
      "apiVersion": "2015-01-01",
      "name": "storage",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[concat(parameters('_artifactsLocation'),'/StorageAccount.json',parameters('_artifactsLocationSasToken'))]",          
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "storageAccountName": {
            "value": "[parameters('storageAccountName')]"
          }
        }
      }
    }
  ],
  "outputs": {
  }
}

In this sample the ARM Template above is stored in Git. A build creates an artifact of this ARM Template so that it can be used in the release. The release is explained in the next section.

Steps to use and configure the task

  1. Install the task in your VSTS account by navigating to the marketplace and clicking Install. Select the VSTS account where the task will be deployed.
  2. Add the task to your release: in your release, click Add a task and select the Utility category. Click the Add button on the Create SAS Token task.
    [Screenshot: SelectSasTokenTask]
  3. Configure the task. When the task is added, the configuration will look like this:
    [Screenshot: EmptySasTokenTask]
    All yellow fields are required.
    – Select an AzureRM subscription. If you don’t know how to configure this, read this blogpost. (I’m using an Azure Principal with “reader” rights only on the ResourceGroup which contains the StorageAccount)
    – Select the Storage Account for which you want to create a SAS Token
    – Enter the name of the Storage Container
    – A variable for the SAS Token is also required. By default a variable is configured with the name storageToken.
    The configuration of the Create SAS Token Task looks like this:
    [Screenshot: SasTokenConfiguration]
    Note that I’m using a ServicePrincipal with read-only access to the ResourceGroup which contains the StorageAccount with a private container.
  4. Configure subsequent tasks which need the SAS Token. In the following sample the Azure Resource Group Deployment task is used.
    – Configure the task and fill the Override Template Parameters field with:

    -_artifactsLocation $(storageUri) -_artifactsLocationSasToken (ConvertTo-SecureString '$(storageToken)' -AsPlainText -Force)

    The output variables of the Create SAS Token task are used here.
    The configuration of the Azure Resource Group Deployment task looks like this:
    [Screenshot: DeployAzureResourceGroupTask]
    Note that I’m using a different Service Principal. This Service Principal is specific for this project (and environment).

  5. Run the release
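
A check that could run as an inline PowerShell step between the Create SAS Token task and the deployment task, as an added example that is not part of the original post or of the task's code. It verifies that the token is read-only, HTTPS-only, short-lived and starts with '?', which the templateLink concat in the parent template relies on. The function name, the one-hour limit and the sample tokens are assumptions.

```powershell
# Added example, not the task's own code: vet a SAS token before it is passed to
# -_artifactsLocationSasToken. Function name and the one-hour default are assumptions.
function Test-ArtifactSasToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [timespan]$MaxLifetime = [timespan]::FromHours(1),
        [datetime]$NowUtc = [datetime]::UtcNow
    )
    $findings = New-Object System.Collections.Generic.List[string]
    # The template concatenates the token straight after '/StorageAccount.json',
    # so the token has to bring its own leading '?'.
    if (-not $Token.StartsWith('?')) { $findings.Add("token does not start with '?'") }
    # Split the query string into name/value pairs.
    $fields = @{}
    foreach ($pair in $Token.TrimStart('?').Split('&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $fields[$name] = [uri]::UnescapeDataString([string]$value)
    }
    # sp: fetching a linked template needs read (r) and nothing else.
    if ($fields['sp'] -cne 'r') { $findings.Add("sp='$($fields['sp'])' is not exactly 'r'") }
    # spr: the token should be valid over HTTPS only.
    if ($fields['spr'] -ne 'https') { $findings.Add('spr is not https') }
    # sig: the signature must be present.
    if (-not $fields['sig']) { $findings.Add('sig is missing') }
    # se: expiry must exist, be in the future, and be no later than now + MaxLifetime.
    if (-not $fields['se']) {
        $findings.Add('se (expiry) is missing')
    } else {
        $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
        $expiry = [datetimeoffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture, $styles).UtcDateTime
        if ($expiry -le $NowUtc) {
            $findings.Add('token has already expired')
        } elseif ($expiry -gt $NowUtc.Add($MaxLifetime)) {
            $findings.Add("token outlives $MaxLifetime")
        }
    }
    return ,$findings.ToArray()
}

# Constructed samples; the sig value is a placeholder, not a real signature.
$now  = [datetime]'2016-08-31T12:00:00'   # treated as UTC
$good = '?sv=2015-04-05&sr=c&sp=r&spr=https&se=2016-08-31T12%3A30%3A00Z&sig=PLACEHOLDER'
$bad  = 'sv=2015-04-05&sr=c&sp=rwdl&se=2016-09-30T12%3A00%3A00Z&sig=PLACEHOLDER'
Test-ArtifactSasToken -Token $good -NowUtc $now
$problems = Test-ArtifactSasToken -Token $bad -NowUtc $now
if ($problems) { Write-Warning ("SAS token rejected: " + ($problems -join '; ')) }
```

In a release, pass '$(storageToken)' as -Token and replace Write-Warning with throw so the deployment step never runs with a flagged token.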

 
