0

I am trying to generate a SAS token from an ARM template, to allow my template to subsequently access resources in a blob storage (including linked templates). The SAS token is supposed to be stored in a vault I'm also creating in this template. The storage account exists independently (in another RG).

However, I get the following error:

    {
          "code": "InvalidValuesForRequestParameters",
          "message": "Values for request parameters are invalid: signedPermission,signedExpiry,signedResourceTypes,signedServices."
     }

My template had this variable and line to generate the SAS token:

        "variables": {
            "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
            "accountSasProperties": {
                "type": "object",
                "defaultValue": {
                    "signedServices": "fb",
                    "signedPermission": "rwdlacup",
                    "signedExpiry": "2021-11-30T00:00:00Z",
                    "signedResourceTypes": "co"
                }
            }
        },
    (...)
          {
                "apiVersion": "2018-02-14",
                "type": "Microsoft.KeyVault/vaults/secrets",
                "dependsOn": [
                    "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
                ],
                "name": "[concat(variables('vaultName'), '/', 'StorageSaSToken')]",
                "properties": {
                    "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
                }
            }

I tried several variations of the parameters, but could not find what's wrong, and the error is not really helping. I tried (among other things):

  • removing the 'signed' in front of the parameters (services instead of signedServices)
  • various combinations of services, resource types and permissions
  • various times (shorter, longer...)
Jean-Pascal J.

2 Answers

2

When we define variables, we do not need to specify a data type for the variable. For more details, please refer to here.

So please update your template as follows:

    "variables": {
        "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
        "accountSasProperties": {
            "signedServices": "fb",
            "signedPermission": "rwdlacup",
            "signedExpiry": "2021-11-30T00:00:00Z",
            "signedResourceTypes": "co"
        }
    },
    (...)
    {
        "apiVersion": "2018-02-14",
        "type": "Microsoft.KeyVault/vaults/secrets",
        "dependsOn": [
            "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
        ],
        "name": "[concat(variables('vaultName'), '/', 'sas')]",
        "properties": {
            "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
        }
    }

Jim Xu
  • Hi @jim-xu, your response was useful, but not directly. The problem was not the object type, but the "defaultValue" for the variable, which can't have default values.... – Jean-Pascal J. Jun 17 '21 at 13:11
0

Found the issue with the help of @jim-xu's answer, and it's the worst kind of solution: the stupid mistake.

I switched "accountSasProperties" from parameters to variables, and in the process, I forgot to remove the "defaultValue" and put the value directly under "accountSasProperties". The correct syntax for a variable in my case:

    "accountSasProperties": {
        "signedServices": "fb",
        "signedPermission": "rwdlacup",
        "signedExpiry": "2021-11-30T00:00:00Z",
        "signedResourceTypes": "co"
    }

I incidentally also removed the object type, as pointed out by @jim-xu in his answer.

Jean-Pascal J.
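A pre-deployment check for the mistake found above, as an added example that is not part of either answer: it flags a variable that still carries the parameter-only "type"/"defaultValue" wrapper and validates the four SAS fields named in the error. The function name `lint_sas_variable` is hypothetical, and the allowed-character sets and the timestamp form it checks are assumptions based on the values used in this question.

```python
from datetime import datetime

# Allowed characters per field for the listAccountSas request body.
# Assumption: these sets match the API version you deploy against.
ALLOWED = {
    "signedServices": set("bqtf"),
    "signedResourceTypes": set("sco"),
    "signedPermission": set("rwdlacup"),
}
# Keys that belong to a template parameter definition, not to a variable.
PARAMETER_ONLY_KEYS = {"type", "defaultValue"}


def lint_sas_variable(template: dict, var_name: str) -> list:
    """Return a list of findings for one SAS-properties variable."""
    value = template.get("variables", {}).get(var_name)
    if not isinstance(value, dict):
        return [f"variables.{var_name} is missing or not an object"]
    findings = []
    wrapped = PARAMETER_ONLY_KEYS & value.keys()
    if wrapped:
        findings.append(f"parameter-only keys in a variable: {sorted(wrapped)}")
    for field, allowed in ALLOWED.items():
        raw = value.get(field)
        if not isinstance(raw, str) or not raw:
            findings.append(f"{field} is missing")
        elif set(raw) - allowed:
            findings.append(f"{field} has invalid characters: {sorted(set(raw) - allowed)}")
    expiry = value.get("signedExpiry")
    if not isinstance(expiry, str):
        findings.append("signedExpiry is missing")
    else:
        try:  # only the UTC form used in the question is accepted here
            datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append("signedExpiry is not in YYYY-MM-DDTHH:MM:SSZ form")
    return findings


# Constructed samples: the question's variable and the corrected one.
SAS = {"signedServices": "fb", "signedPermission": "rwdlacup",
       "signedExpiry": "2021-11-30T00:00:00Z", "signedResourceTypes": "co"}
BROKEN = {"variables": {"accountSasProperties": {"type": "object", "defaultValue": SAS}}}
FIXED = {"variables": {"accountSasProperties": SAS}}

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_sas_variable(tpl, "accountSasProperties"))
```

For the broken sample the four "missing" findings line up with the four parameters listed in the `InvalidValuesForRequestParameters` message, because the real values sit one level down under "defaultValue".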