Azure VM 自定义脚本扩展 SAS 令牌支持

Azure VM custom script extension SAS token support

我正在尝试使用 ARM 模板将自定义脚本扩展部署到 Azure VM,我想让它使用 SAS 令牌从存储帐户下载文件。

这是模板(简体):

{
    "name": "CustomScriptExtension"
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "location": "eastus",
    "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.8",
        "settings": {
            "fileUris": [
                "https://{storage-account}.blob.core.windows.net/installers/{installer}.msi?sv=2015-04-05&sig={signature}&st=2017-05-03T05:18:28Z&se=2017-05-10T05:18:28Z&srt=o&ss=b&sp=r"
            ],
            "commandToExecute": "start /wait msiexec /package {installer}.msi /quiet"
        },
    }
}

部署它会导致此错误:

{
  "name": "CustomScriptExtension",
  "type": "Microsoft.Compute.CustomScriptExtension",
  "typeHandlerVersion": "1.8",
  "statuses": [
    {
      "code": "ProvisioningState/failed/3",
      "level": "Error",
      "displayStatus": "Provisioning failed",
      "message": "Failed to download all specified files. Exiting. Error Message: Missing mandatory parameters for valid Shared Access Signature"
    }
  ]
}

如果我直接用 SAS 令牌点击 URL,它会很好地下载文件,所以我知道 SAS 令牌是正确的。自定义脚本扩展是否不支持带有 SAS 令牌的 URLs?

不,它不支持 SAS 令牌。参考这个反馈项:

https://github.com/Azure/azure-linux-extensions/issues/105

如@4c74356b41 所说。现在,客户脚本扩展模板不支持 SAS 令牌。如果要从私人存储帐户下载文件,可以使用存储帐户密钥。请参考这个example.

{
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(variables('vmName'),'/', variables('extensionName'))]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
      ],
      "properties": {
        "publisher": "Microsoft.Azure.Extensions",
        "type": "CustomScript",
        "typeHandlerVersion": "2.0",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "fileUris": "[split(parameters('fileUris'), ' ')]",
          "commandToExecute": "[parameters('commandToExecute')]"
        },
        "protectedSettings": {
          "storageAccountName": "[parameters('customScriptStorageAccountName')]",
          "storageAccountKey": "[parameters('customScriptStorageAccountKey')]"
        }
      }
    }

我想通了,这一定是自定义脚本扩展中的错误导致它不支持存储帐户级别的 SAS 令牌。如果我在 SAS 令牌(不是存储帐户级别 SAS 令牌规范的一部分)的末尾添加 &sr=b,它就会开始工作。

我在这里找到了这个信息: https://azureoperations.wordpress.com/2016/11/21/first-blog-post/

目前,VM 扩展支持 SAS 令牌