
I have configured CI/CD pipelines to build and deploy the front-end files into Azure Blob Storage.

I configured my release pipeline to clear all files before uploading the new files using az copy.

    IP=`curl -s http://ipinfo.io/json | jq -r '.ip'`

    echo "firewall - Agent IP: $IP"
    sleep 50

    az storage account network-rule add -g Test_RG --account-name "Test_RG_1" --ip-address $IP
    sleep 30
    az storage blob delete-batch --account-name "Test_RG_1" --source '$web'

    echo "Removing :$IP"

    az storage account network-rule remove --account-name "Test_RG_1" --ip-address $IP

The above script sometimes works fine without any changes, but it fails many times, throwing an error like:

ERROR: BadRequestError: (InvalidValuesForRequestParameters) Values for request parameters are invalid: networkAcls.ipRule[*].value. For more information, see - https://aka.ms/storagenetworkruleset

The request may be blocked by network rules of storage account. Please check network rule set


Can anyone please advise me on this?

Reference

Azure Devops MS-hosted agent IP address

How to get the IP Address for Azure DevOps Hosted Agents to add to the white list

Azure DevOps pipeline cannot copy to Azure storage

https://learn.microsoft.com/en-us/cli/azure/ext/storage-preview/storage?view=azure-cli-latest

VSTS Release - Delete Azure BLOB Container / Contents

https://matthewleak.medium.com/deploying-a-static-website-to-azure-storage-using-azure-devops-fa0bed457d07

Uploading File in Azure using CLI

Network Rules of storage account blocking container creation

Debugger

1 Answer


Based on the error message, the root cause of this issue is that the IP obtained by the script is invalid.

I have encountered the same issue in the past, but it could work with the same script (IP=`curl -s http://ipinfo.io/json | jq -r '.ip'`).

When you execute the script, you could see the IP in the task log.


You can try to manually add this IP in the Storage Account -> Networking -> firewall.

If you see an error like the screenshot below, this means that the IP has an issue.

(screenshot)

But based on my test, this script could work fine. The IP can also be added manually.

In addition, I run these scripts on the Microsoft-hosted agents (e.g. Ubuntu 16.04, 18.04, 20.04, windows-2019). You could change to use these agents and check if it could work.

Update:

You could use the Azure PowerShell task to set the firewall and use the Azure CLI task to execute the az cli script:

Here is an example:

    steps:
    # Look up the agent's public IP and allow it through the storage firewall.
    - task: AzurePowerShell@5
      displayName: 'Azure PowerShell script: Set Rule'
      inputs:
        azureSubscription: kevin0215
        ScriptType: InlineScript
        Inline: |
         $IP= Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

         $IP

         Add-AzStorageAccountNetworkRule -ResourceGroupName "ResourceGroup" -AccountName "kevin0204" -IPAddressOrRange "$IP"
        preferredAzurePowerShellVersion: ' 3.1.0'

    # Delete the blobs using the credentials of the task's service connection.
    - task: AzureCLI@2
      displayName: 'Azure CLI  Remove files'
      inputs:
        azureSubscription: kevin0215
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: 'az storage blob delete-batch --account-name kevin0204  --source kevin0204   --auth-mode login'

    # Look up the agent IP again and remove the firewall rule added in the first task.
    - task: AzurePowerShell@5
      displayName: 'Azure PowerShell script: Remove Rule'
      inputs:
        azureSubscription: kevin0215
        ScriptType: InlineScript
        Inline: |
         $IP= Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

         $IP

         Remove-AzStorageAccountNetworkRule -ResourceGroupName "ResourceGroup" -AccountName "kevin0204" -IPAddressOrRange "$IP"
        preferredAzurePowerShellVersion: ' 3.1.0'

Classic:

(screenshot)

Kevin Lu-MSFT
  • Thanks Kevin. I tried changing the Azure CLI scripts to a PowerShell task as you suggested and configured a script like `$context = New-AzStorageContext -StorageAccountName "Test_RG_1" -StorageAccountKey "kkerefcdf454fe"; Get-AzureStorageBlob -Container "$web" -Context $context | Remove-AzureStorageBlob` – Debugger Feb 15 '21 at 06:15
  • @Debugger. Thanks for your update. So will it work after doing this change? And if you manually add the IP (taken from the log) in the Azure storage account, will you get the error? – Kevin Lu-MSFT Feb 15 '21 at 06:20
  • Thanks for the quick response. When adding the IP manually I'm not getting any error. But while performing the deletion via script I'm getting an error like New-AzStorageContext is not recognized as a name of – Debugger Feb 15 '21 at 06:20
  • Basically I'm trying to achieve the same as `az storage blob delete-batch --account-name "Test_RG_1" --source '$web'` via a PowerShell task. But I'm not sure whether AzureRM needs to be installed on the Microsoft agents or whether there is any other direct way to achieve this – Debugger Feb 15 '21 at 06:23
  • @Debugger. As far as I know, the Azure PowerShell task can also run the az storage blob script (Azure CLI). When you execute the script, do you get an error? – Kevin Lu-MSFT Feb 15 '21 at 06:26
  • On the other hand, you could directly use the **Azure PowerShell task** instead of the PowerShell task. It will be easier. – Kevin Lu-MSFT Feb 15 '21 at 06:29
  • Sorry, I was trying the same in the Azure PowerShell task only. CLI commands in the Azure PowerShell task throw an error like ERROR: Please run 'az login' to setup account. It's expecting authentication. – Debugger Feb 15 '21 at 06:35
  • I'm trying to achieve the same via a DevOps pipeline after the firewall rules are added: https://stackoverflow.com/questions/57119087/powershell-remove-all-blobs-in-a-container. But I'm facing the exact issue described in https://stackoverflow.com/questions/54080159/new-azurestoragecontext-is-not-recognized-yet-the-module-is-installed/54084528 – Debugger Feb 15 '21 at 06:37
  • For a workaround for the az login CLI issue: https://stackoverflow.com/questions/54513537/az-login-fails-wih-azure-devops-pipelines. But I'm not sure how to downgrade it via the Azure PowerShell task. Any suggestions would be helpful – Debugger Feb 15 '21 at 06:41
  • @Debugger. Got it. I will test it and create a sample. Then I will share it with you. – Kevin Lu-MSFT Feb 15 '21 at 06:47
  • Hi @Debugger. I could reproduce this issue: ERROR: Please run 'az login' to setup account. It seems that this az cli script still needs az login. In the Azure CLI task, it could work fine. So you can put the three steps into three separate tasks and it could work. Please refer to my update. Based on my test, if you use the PowerShell script to delete files, it needs to install AzureRM. This step may take more time. The Azure CLI script could run directly. – Kevin Lu-MSFT Feb 15 '21 at 07:23
  • Hi @Debugger. Feel free to let me know your result. If the sample could work, you may consider accepting it as the answer. Thanks. – Kevin Lu-MSFT Feb 15 '21 at 08:14
  • Thank you so much Kevin for the detailed information. I have tried based on your suggestion. It's still failing, and the same scripts work some of the time. I checked the firewall settings; the failed IP was also successfully added, but it's throwing an error – Debugger Feb 15 '21 at 08:29
  • ERROR: 2021-02-15T08:21:06.5865351Z The request may be blocked by network rules of storage account. Please check network rule set using 'az storage account show -n accountname --query networkRuleSet'. 2021-02-15T08:21:06.5867117Z If you want to change the default action to apply when no rule matches, please use 'az storage account update'. 2021-02-15T08:21:06.6950481Z ##[error]Script failed with exit code: 1 – Debugger Feb 15 '21 at 08:31
  • Hi @Debugger. This issue is not the same as the issue in the original question. The original question is related to adding the firewall rule, and this one is related to running the az cli script after successfully adding it. I notice that you have created another ticket for this new issue: https://stackoverflow.com/questions/66196473/az-storage-account-network-rule-not-working-for-microsoft-hosted-agentazure-dev. My colleague is investigating this issue now and he will help you in another ticket. – Kevin Lu-MSFT Feb 15 '21 at 08:36
  • So may I consider this current issue has been resolved now? – Kevin Lu-MSFT Feb 15 '21 at 08:37
  • Sure, thank you so much. It really helps. Looking forward to the full solution – Debugger Feb 15 '21 at 08:39
  • Hi @Debugger. Do you still have any questions about this ticket? Feel free to let me know. Thank you – Kevin Lu-MSFT Feb 16 '21 at 00:57
  • Hi Kevin. Sorry, primarily this request is for deleting the files from Blob storage, and the other one is related to firewall rules. So I'm looking for and working on solutions for the same. My storage is hosted in West Europe, but this works some of the time and fails many times without any changes. Not sure whether it may be related to issues with the Microsoft-hosted agent IP address range. – Debugger Feb 16 '21 at 02:13
  • `--auth-mode login`: is it mandatory to give this option in our script? – Debugger Feb 16 '21 at 02:14
  • `--auth-mode`: this is optional. Because the Azure CLI task already contains the login credentials, it can be used directly. The alternative is to use these: `--sas-token`, `--account-key`. – Kevin Lu-MSFT Feb 16 '21 at 02:18
  • Yes. As far as I know, this issue could be related to the hosted agent IP. Every time you run a Microsoft-hosted agent, its IP will change. This should be related to your organization region. – Kevin Lu-MSFT Feb 16 '21 at 02:22
  • Yeah. My organization region is West Europe. But we are getting the Microsoft-hosted agent IP dynamically and adding it to the firewall. So in my view it should not block. Not sure what's wrong in the process. – Debugger Feb 16 '21 at 03:21
  • Do you mean the issue in this ticket? https://stackoverflow.com/questions/66196473/az-storage-account-network-rule-not-working-for-microsoft-hosted-agentazure-dev – Kevin Lu-MSFT Feb 16 '21 at 03:23
  • Yes, It's related to Firewall configuration – Debugger Feb 16 '21 at 03:26
  • For a workaround, you could try to use a [self-hosted agent](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#install). – Kevin Lu-MSFT Feb 16 '21 at 08:54
  • Hi @Debugger. Do you have any questions about the current ticket? If the answer could give you some help, you may consider accepting it. For the new issue, you could monitor this issue on our Feedback site: https://developercommunity.visualstudio.com/content/problem/1337796/azure-cli-scripts-to-delete-blob-files-not-working.html – Kevin Lu-MSFT Feb 19 '21 at 09:00
  • Hi @Kevin. Thank you so much for your assistance. In the developer community I also already referred to this post. Not sure this is a new issue. I raised a similar new issue related to the firewall here: https://stackoverflow.com/questions/66196473/az-storage-account-network-rule-not-working-for-microsoft-hosted-agentazure-dev. Sorry, I'm still not good with the suggestions for that one either. I'm looking for some permanent solution for this problem. I hope you understand my concern. – Debugger Feb 19 '21 at 12:20
  • Self-hosted is not cost-effective compared to a Microsoft-hosted agent, right? Any thoughts on this: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser – Debugger Feb 19 '21 at 12:23
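
A hardened variant of the question's script, as an added example that is not part of the thread: it validates the looked-up IP before calling `network-rule add` (the call that returned `InvalidValuesForRequestParameters`) and removes the rule on every exit path. The function names and the `--run` switch are chosen here for illustration; the resource names are the question's placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Test_RG / Test_RG_1 are the
# question's placeholder names; --run is a hypothetical switch for this script.
set -eu

RG="Test_RG"
ACCOUNT="Test_RG_1"
CONTAINER='$web'

# Return 0 only for a dotted-quad public IPv4 address. Rejects empty or non-IP
# strings (e.g. "null" from jq after a failed lookup) and the RFC 1918 private
# ranges, which Azure Storage IP network rules do not accept.
is_public_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    { [ "${#o}" -le 3 ] && [ "$o" -le 255 ]; } || return 1
  done
  [ "$1" -eq 10 ] && return 1
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1
  return 0
}

close_firewall() {
  az storage account network-rule remove -g "$RG" --account-name "$ACCOUNT" \
    --ip-address "$ip" >/dev/null
}

open_delete_close() {
  # HTTPS rather than the thread's http:// so the reply cannot be altered in transit.
  ip=$(curl -fsS --max-time 10 https://ipinfo.io/json | jq -r '.ip // empty') || ip=""
  if ! is_public_ipv4 "$ip"; then
    echo "Refusing to add firewall rule for invalid IP: '$ip'" >&2
    return 1
  fi
  # Remove the rule on every exit path, including a failed delete.
  trap close_firewall EXIT
  az storage account network-rule add -g "$RG" --account-name "$ACCOUNT" \
    --ip-address "$ip" >/dev/null
  sleep 30  # same wait as the question's script before using the rule
  az storage blob delete-batch --account-name "$ACCOUNT" --source "$CONTAINER" \
    --auth-mode login
}

if [ "${1:-}" = "--run" ]; then open_delete_close; fi
```

Validation addresses only the `InvalidValuesForRequestParameters` error. Azure's documentation states that storage IP network rules have no effect on requests originating from the same region as the storage account, which a correctly added IP rule cannot fix.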