

Use AZURE_STORAGE_AUTH_MODE with federated auth
mboersma committed Jul 11, 2024
1 parent 42f07b7 commit 4cc94cd
Showing 3 changed files with 10 additions and 10 deletions.
4 changes: 2 additions & 2 deletions images/capi/packer/azure/.pipelines/generate-sas.yaml
Expand Up @@ -10,15 +10,15 @@ steps:
printf "${RESOURCE_GROUP_NAME}" | tee packer/azure/resource-group-name.out
if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")"
export ENABLE_AUTH_MODE_LOGIN="true" # Use --auth-mode "login" in az storage commands.
export AZURE_STORAGE_AUTH_MODE="login" # Use auth mode "login" in az storage commands.
else
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}"
fi
az account set -s ${AZURE_SUBSCRIPTION_ID}
ACCOUNT_KEY=$(az storage account keys list -g ${RESOURCE_GROUP_NAME} --subscription ${AZURE_SUBSCRIPTION_ID} --account-name ${STORAGE_ACCOUNT_NAME} --query '[0].value')
start_date=$(date +"%Y-%m-%dT00:00Z" -d "-1 day")
expiry_date=$(date +"%Y-%m-%dT00:00Z" -d "+1 year")
az storage container generate-sas ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --name system --permissions lr --account-name ${STORAGE_ACCOUNT_NAME} --account-key ${ACCOUNT_KEY} --start $start_date --expiry $expiry_date | tr -d '\"' | tee -a packer/azure/vhd-url.out
az storage container generate-sas --name system --permissions lr --account-name ${STORAGE_ACCOUNT_NAME} --account-key ${ACCOUNT_KEY} --start $start_date --expiry $expiry_date | tr -d '\"' | tee -a packer/azure/vhd-url.out
displayName: Getting OS VHD URL
workingDirectory: '$(system.defaultWorkingDirectory)/images/capi'
condition: eq(variables.CLEANUP, 'False')
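Review bot: In the federated branch the exported `AZURE_STORAGE_AUTH_MODE=login` does not change how the SAS is produced, because `generate-sas` is still given `--account-key ${ACCOUNT_KEY}` taken from `az storage account keys list` a few lines above, so the workload identity still needs listKeys rights and the one-year `lr` SAS appended to `vhd-url.out` remains a Shared Key credential rather than a user-delegation one. If the goal is to stop depending on account keys, the federated path would need `--as-user` (a user-delegation SAS, which has a much shorter maximum lifetime than a year) and the key lookup dropped; if the key is kept on purpose, say so, e.g. `# SAS is still signed with the account key: a user-delegation SAS cannot be valid for a year.`. Either way, quote the expansions that carry identifiers and the key, `--account-name "${STORAGE_ACCOUNT_NAME}" --account-key "${ACCOUNT_KEY}"`, and reconsider whether a read/list URL written into a build artifact really needs a one-year expiry. The `steps:` list this script belongs to starts outside the hunk.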
14 changes: 7 additions & 7 deletions images/capi/packer/azure/scripts/delete-unused-storage.sh
Expand Up @@ -85,7 +85,7 @@ which pub &> /dev/null || (echo "Please install pub from https://github.com/devi

if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")"
export ENABLE_AUTH_MODE_LOGIN="true" # Use --auth-mode "login" in az storage commands.
export AZURE_STORAGE_AUTH_MODE="login" # Use auth mode "login" in az storage commands.
else
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p "${AZURE_CLIENT_SECRET}"
fi
Expand Down Expand Up @@ -142,14 +142,14 @@ for account in $(az storage account list -g "${RESOURCE_GROUP}" -o tsv --query "
if [[ ${url} =~ ${storage_account} ]]; then
echo "Archiving storage account ${storage_account} (${label}) that is ${age} days old"
# create a destination container
if [[ $(az storage container exists ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --account-name "${ARCHIVE_STORAGE_ACCOUNT}" -n "${dest_label}" -o tsv 2>/dev/null) != "True" ]]; then
${ECHO} az storage container create ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --only-show-errors --public-access=container \
if [[ $(az storage container exists --account-name "${ARCHIVE_STORAGE_ACCOUNT}" -n "${dest_label}" -o tsv 2>/dev/null) != "True" ]]; then
${ECHO} az storage container create --only-show-errors --public-access=container \
-n ${dest_label} -g "${RESOURCE_GROUP}" --account-name "${ARCHIVE_STORAGE_ACCOUNT}" 2>/dev/null
fi
# for each source container
for container in $(az storage container list ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --only-show-errors --account-name ${storage_account} --query "[].name" -o tsv 2>/dev/null); do
for container in $(az storage container list --only-show-errors --account-name ${storage_account} --query "[].name" -o tsv 2>/dev/null); do
# copy it to the destination container
${ECHO} az storage blob copy start-batch ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} \
${ECHO} az storage blob copy start-batch \
--account-name ${ARCHIVE_STORAGE_ACCOUNT} \
--destination-container ${dest_label} \
--destination-path ${container} \
Expand All @@ -159,9 +159,9 @@ for account in $(az storage account list -g "${RESOURCE_GROUP}" -o tsv --query "
2>/dev/null
done
# poll the target container until all blobs have "succeeded" copy status
for target in $(az storage blob list ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --account-name ${ARCHIVE_STORAGE_ACCOUNT} -c ${dest_label} --query '[].name' -o tsv 2>/dev/null); do
for target in $(az storage blob list --account-name ${ARCHIVE_STORAGE_ACCOUNT} -c ${dest_label} --query '[].name' -o tsv 2>/dev/null); do
while true; do
status=$(az storage blob show ${ENABLE_AUTH_MODE_LOGIN:+"--auth-mode login"} --account-name ${ARCHIVE_STORAGE_ACCOUNT} --container-name ${dest_label} --name $target -o tsv --query 'properties.copy.status' 2>/dev/null)
status=$(az storage blob show --account-name ${ARCHIVE_STORAGE_ACCOUNT} --container-name ${dest_label} --name $target -o tsv --query 'properties.copy.status' 2>/dev/null)
if [[ ${status} == "success" ]]; then
echo "Copied ${dest_label}/${target}"
break
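Review bot: Every storage call in this hunk discards stderr with `2>/dev/null`, and in the federated branch those calls now authenticate through the identity's data-plane RBAC rather than a key, so a missing role assignment (Storage Blob Data Contributor or similar) on the archive account fails silently: `container exists` prints nothing, the script attempts `container create`, that error is swallowed too, and the copy loop runs against a container that was never created. Drop the `2>/dev/null` on at least `container create` and `blob copy start-batch`, or check their exit status, so an authorization failure stops the run instead of producing an empty archive. Separately, the new container is created with `--public-access=container`, which makes every archived VHD anonymously listable and downloadable; if that is intended it deserves a comment such as `# Archive containers are intentionally public: these VHDs are published artifacts.`, and if not it should be `--public-access=off`. The `for account ...` loop enclosing this code starts and ends outside the hunk.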
2 changes: 1 addition & 1 deletion images/capi/packer/azure/scripts/init-vhd.sh
Expand Up @@ -8,7 +8,7 @@ set +o xtrace

if [[ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ]]; then
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" > /dev/null 2>&1
export ENABLE_AUTH_MODE_LOGIN="true" # Use --auth-mode "login" in az storage commands.
export AZURE_STORAGE_AUTH_MODE="login" # Use auth mode "login" in az storage commands.
else
az login --service-principal -u "${AZURE_CLIENT_ID}" -t "${AZURE_TENANT_ID}" -p ${AZURE_CLIENT_SECRET} >/dev/null 2>&1
fi
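Review bot: Both `az login` branches redirect stdout and stderr to /dev/null, so with the switch to `AZURE_STORAGE_AUTH_MODE=login` a failed federated login (stale token file, wrong client or tenant id) leaves no message and every later `az storage` call fails with an unrelated-looking authorization error; `set +o xtrace` is visible above but whether `set -e` is active is not, so the failure may not even stop the script. Keep the redirect if the output is noisy but check the status, `az login ... >/dev/null 2>&1 || { echo "az login failed" >&2; exit 1; }`. The client-secret branch also passes `-p ${AZURE_CLIENT_SECRET}` unquoted while the federated branch quotes its token; make it `-p "${AZURE_CLIENT_SECRET}"` for consistency, and note that the secret is visible on the argv of the az process either way, which is one more reason to prefer the federated path this commit is enabling.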
