Azure VM custom script extension SAS token support
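I am trying to deploy a custom script extension to an Azure VM using an ARM template, and I want it to download a file from a storage account using a SAS token.
Here is the template (simplified):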
{
  "name": "CustomScriptExtension",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "location": "eastus",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.8",
    "settings": {
      "fileUris": [
        "https://{storage-account}.blob.core.windows.net/installers/{installer}.msi?sv=2015-04-05&sig={signature}&st=2017-05-03T05:18:28Z&se=2017-05-10T05:18:28Z&srt=o&ss=b&sp=r"
      ],
      "commandToExecute": "start /wait msiexec /package {installer}.msi /quiet"
    }
  }
}
Deploying it results in this error:
{
  "name": "CustomScriptExtension",
  "type": "Microsoft.Compute.CustomScriptExtension",
  "typeHandlerVersion": "1.8",
  "statuses": [
    {
      "code": "ProvisioningState/failed/3",
      "level": "Error",
      "displayStatus": "Provisioning failed",
      "message": "Failed to download all specified files. Exiting. Error Message: Missing mandatory parameters for valid Shared Access Signature"
    }
  ]
}
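If I hit the URL directly with the SAS token, it downloads the file just fine, so I know the SAS token is correct. Does the custom script extension not support URLs with SAS tokens?

No, it does not support SAS tokens. See this feedback item:

As @4c74356b41 said, the custom script extension template does not currently support SAS tokens. If you want to download files from a private storage account, you can use the storage account key. Please refer to this example.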
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(variables('vmName'),'/', variables('extensionName'))]",
  "apiVersion": "[variables('apiVersion')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.Extensions",
    "type": "CustomScript",
    "typeHandlerVersion": "2.0",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "fileUris": "[split(parameters('fileUris'), ' ')]",
      "commandToExecute": "[parameters('commandToExecute')]"
    },
    "protectedSettings": {
      "storageAccountName": "[parameters('customScriptStorageAccountName')]",
      "storageAccountKey": "[parameters('customScriptStorageAccountKey')]"
    }
  }
}
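
I figured it out. This must be a bug in the custom script extension that causes it not to support storage-account-level SAS tokens. If I add &sr=b to the end of the SAS token (which is not part of the storage-account-level SAS token spec), it starts working.
I found this information here:
https://azureoperations.wordpress.com/2016/11/21/first-blog-post/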
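
An added example, not code from any of the posts or from Microsoft: a pre-deployment check that classifies a SAS URL as account-level (`ss` + `srt`) or service-level (`sr`), reports the missing `sr` parameter discussed above, and flags scope and lifetime points worth reviewing before the URL goes into `fileUris`. The function name, the 7-day threshold and the sample account, file and signature are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

def _ts(value):
    # SAS timestamps in the form used on this page: YYYY-MM-DDThh:mm:ssZ (UTC)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect_sas_url(url, now=None, max_days=7):
    """Classify a blob SAS URL and list points to review before deployment."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "sig" not in q:
        return {"kind": "none", "findings": ["no sig parameter"], "redacted": url}
    # ss + srt mark an account-level SAS; sr marks a service-level SAS.
    kind = "account" if {"ss", "srt"} <= set(q) else "service" if "sr" in q else "unknown"
    findings = []
    if "sr" not in q:
        findings.append("no sr parameter")
    # Without spr=https the token is also accepted over plain HTTP.
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("URL or token not restricted to HTTPS")
    if set(q.get("sp", "")) != {"r"}:
        findings.append("permissions are not read-only: sp=" + q.get("sp", ""))
    try:
        end = _ts(q["se"])
        start = _ts(q["st"]) if "st" in q else now
        if end <= now:
            findings.append("token already expired")
        elif (end - start).days > max_days:
            findings.append("lifetime exceeds %d days" % max_days)
    except (KeyError, ValueError):
        findings.append("missing or unparseable se/st")
    # Keep the signature out of logs and deployment output.
    redacted = re.sub(r"(?<=[?&]sig=)[^&]*", "REDACTED", url)
    return {"kind": kind, "findings": findings, "redacted": redacted}

# Constructed sample shaped like the URL in the question (placeholder values).
SAMPLE = ("https://exampleaccount.blob.core.windows.net/installers/setup.msi"
          "?sv=2015-04-05&sig=Q09OU1RSVUNURUQ%3D&st=2017-05-03T05:18:28Z"
          "&se=2017-05-10T05:18:28Z&srt=o&ss=b&sp=r")

if __name__ == "__main__":
    at = datetime(2017, 5, 4, tzinfo=timezone.utc)
    for u in (SAMPLE, SAMPLE + "&sr=b"):
        print(inspect_sas_url(u, now=at))
```
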
Currently, VM extensions support SAS tokens.