How to provide secure access to custom machine configuration packages
This page provides a guide on how to provide access to Machine Configuration packages stored in Azure storage by using the resource ID of a user-assigned managed identity or a Shared Access Signature (SAS) token.
Prerequisites
- Azure subscription
- Azure Storage account with the Machine Configuration package
Steps to provide access to the package
The following steps prepare your resources for more secure operations. The code snippets for the
steps include values in angle brackets, like <storage-account-container-name>
, which you must
replace with a valid value when following the steps. If you just copy and paste the code, the
commands may raise errors due to invalid values.
Using a User Assigned Identity
Important
Please note that, unlike Azure VMs, Arc-connected machines currently do not support User-Assigned Managed Identities.
You can grant private access to a machine configuration package in an Azure Storage blob by assigning a User-Assigned Identity to a scope of Azure VMs. For this to work, you need to grant the managed identity read access to the Azure storage blob. This involves assigning the "Storage Blob Data Reader" role to the identity at the scope of the blob container. This setup ensures that your Azure VMs can securely read from the specified blob container using the user-assigned managed identity. To learn how you can assign a User Assigned Identity at scale, see Use Azure Policy to assign managed identities.
Using a SAS Token
Optionally, you can add a shared access signature (SAS) token in the URL to ensure secure access to the package. The below example generates a blob SAS token with read access and returns the full blob URI with the shared access signature token. In this example, the token has a time limit of three years.
$startTime = Get-Date
$endTime = $startTime.AddYears(3)
$tokenParams = @{
StartTime = $startTime
ExpiryTime = $endTime
Container = '<storage-account-container-name>'
Blob = '<configuration-blob-name>'
Permission = 'r'
Context = '<storage-account-context>'
FullUri = $true
}
$contentUri = New-AzStorageBlobSASToken @tokenParams
Summary
By using the resource ID of a user-assigned managed identity or SAS token, you can securely provide access to Machine Configuration packages stored in Azure storage. The additional parameters ensure that the package is retrieved using the managed identity and that Azure Arc machines aren't included in the policy scope.
Next Steps
- After creating the policy definition, you can assign it to the appropriate scope, like management group, subscription, or resource group, within your Azure environment.
- Remember to monitor the policy compliance status and make any necessary adjustments to your Machine Configuration package or policy assignment to meet your organizational requirements.