I used to create an extension as below

```
--version 2.0 --publisher Microsoft.Azure.Extensions \
--settings '{\
"fileUris": ["https://$saName.blob.core.windows.net/$scName/agent.sh"],\
"commandToExecute": "sh agent.sh"\
}'
```

However, recently we have limited the public access of the blob storage, so I can't access it in the above way and need to generate a SAS URI and access it that way. So the question is how to put the SAS URI into the fileUris value? It does not work to download the agent.sh like this:

https://$saName.blob.core.windows.net/$scName?sp=r&st=2021-12-20T08:50:14Z&se=2099-12-20T16:50:14Z&spr=https&sv=2020-08-04&sr=c&sig=xxxxxxxxxxxxxxxxx/agent.sh

So what should I do?

Ansuman Bal
Steve
  • As per the [Azure Documentation](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows), instead of passing the SAS URL in file URL it is suggested to use managed identity for downloading file(s) from URLs provided in the "fileUris" setting. It allows CustomScript to access Azure Storage private blobs or containers without the user having to pass secrets like SAS tokens or storage account keys. – VenkateshDodda Dec 28 '21 at 10:08
  • If the answer was helpful, please [Accept it as an Answer](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work), so that others who encounter the same issue can find this solution and fix their problem. – Ansuman Bal Jan 05 '22 at 14:07

1 Answer

Once you have generated the SAS with the required permissions, you can concatenate it with the file URI you are using, like `<fileuri><SAS Token>`.

https://$saName.blob.core.windows.net/$scName/agent.sh?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwltfx&se=2021-12-31T13:10:45Z&st=2021-12-31T05:10:45Z&spr=https&sig=xxxxxxxxxxxxxxxxxxxxxxx

Otherwise, as VenkateshDodda-MT has suggested, you can use the Managed Identity of the VMSS in the settings argument after providing the identity of the VMSS with the Storage Blob Data Reader or Storage Blob Data Contributor role:

```
--version 2.0 --publisher Microsoft.Azure.Extensions \
--settings '{\
"fileUris": ["https://$saName.blob.core.windows.net/$scName/agent.sh"],\
"managedIdentity":{"objectId": "you can find this ID in the Identity blade of the VMSS in azure portal"},\
"commandToExecute": "sh agent.sh"\
}'
```

Reference:

Azure Custom Script Extension for Windows - Azure Virtual Machines | Microsoft Docs

Ansuman Bal
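An added example, not part of the original question or answer: a shell sketch that turns a container-scoped SAS URL into a per-blob URL (blob name in the path, SAS query string last), checks that the token is read-only and HTTPS-only, and emits JSON meant for `--protected-settings`, which is encrypted, rather than `--settings`, which is stored in clear text. The function names, the `examplesa` account, the `scripts` container and the `PLACEHOLDER` signature are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Account, container and signature are constructed placeholders.

# Build a per-blob URL from a container-scoped SAS URL. The blob name belongs
# in the path; the SAS query string must remain the last part of the URL.
blob_sas_url() (
  container_url=$1; blob=$2
  case $container_url in
    *\?*) ;;
    *) echo "blob_sas_url: URL has no SAS query string" >&2; return 1 ;;
  esac
  base=${container_url%%\?*}      # everything before the first '?'
  query=${container_url#*\?}      # the SAS token itself
  printf '%s/%s?%s\n' "${base%/}" "$blob" "$query"
)

# Print the value of one SAS query parameter (sp, se, spr, ...).
sas_param() (
  query=${1#*\?}; name=$2
  set -f; IFS='&'                 # split the query on '&' without globbing
  for pair in $query; do
    [ "${pair%%=*}" = "$name" ] && { printf '%s\n' "${pair#*=}"; return 0; }
  done
  return 1
)

# Succeed only if the token is read-only (sp=r) and restricted to HTTPS.
sas_is_least_privilege() {
  [ "$(sas_param "$1" sp)" = "r" ] && [ "$(sas_param "$1" spr)" = "https" ]
}

# JSON for --protected-settings, so the SAS is not kept in public settings.
protected_settings() {
  printf '{"fileUris": ["%s"], "commandToExecute": "%s"}\n' "$1" "$2"
}

container_sas='https://examplesa.blob.core.windows.net/scripts?sp=r&st=2021-12-20T08:50:14Z&se=2021-12-21T08:50:14Z&spr=https&sv=2020-08-04&sr=c&sig=PLACEHOLDER'
uri=$(blob_sas_url "$container_sas" agent.sh)
if sas_is_least_privilege "$uri"; then
  protected_settings "$uri" "sh agent.sh"
else
  echo "refusing: SAS is not read-only and HTTPS-only" >&2
fi
```

A token carrying `sp=rwltfx`, or one with no `spr=https`, fails the check and no settings JSON is produced.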