title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Deploy Azure template with SAS token and Azure CLI \| Microsoft Docs | Use Azure Resource Manager and Azure CLI to deploy resources to Azure from a template that is protected with SAS token. | azure-resource-manager | na | tfitzmac | timlt | tysonn | | azure-resource-manager | azurecli | article | na | na | 05/31/2017 | tomfitz |

When your template resides in a storage account, you can restrict access to the template and provide a shared access signature (SAS) token during deployment. This topic explains how to use Azure CLI with Resource Manager templates to provide a SAS token during deployment.
You can add your templates to a storage account and link to them during deployment with a SAS token.
Important
By following the steps below, the blob containing the template is accessible to only the account owner. However, when you create a SAS token for the blob, the blob is accessible to anyone with that URI. If another user intercepts the URI, that user is able to access the template. Using a SAS token is a good way of limiting access to your templates, but you should not include sensitive data like passwords directly in the template.
The following example sets up a private storage account container and uploads a template:
```bash
# Resource group and storage account that will hold the template
az group create --name "ManageGroup" --location "South Central US"
az storage account create \
    --resource-group ManageGroup \
    --location "South Central US" \
    --sku Standard_LRS \
    --kind Storage \
    --name {your-unique-name}

# Connection string used to authenticate the storage commands below
connection=$(az storage account show-connection-string \
    --resource-group ManageGroup \
    --name {your-unique-name} \
    --query connectionString)

# Private container: no anonymous (public) access to its blobs
az storage container create \
    --name templates \
    --public-access Off \
    --connection-string "$connection"

# Upload the template into the private container
az storage blob upload \
    --container-name templates \
    --file vmlinux.json \
    --name vmlinux.json \
    --connection-string "$connection"
```
To deploy a private template in a storage account, generate a SAS token and include it in the URI for the template. Set the expiry time to allow enough time to complete the deployment.
```bash
# Token expiry: 30 minutes from now, in UTC (GNU date syntax)
expiretime=$(date -u -d '30 minutes' +%Y-%m-%dT%H:%MZ)
connection=$(az storage account show-connection-string \
    --resource-group ManageGroup \
    --name {your-unique-name} \
    --query connectionString)

# Read-only (r) SAS token scoped to the single template blob
token=$(az storage blob generate-sas \
    --container-name templates \
    --name vmlinux.json \
    --expiry "$expiretime" \
    --permissions r \
    --output tsv \
    --connection-string "$connection")

# Base URL of the template blob
url=$(az storage blob url \
    --container-name templates \
    --name vmlinux.json \
    --output tsv \
    --connection-string "$connection")

# Quote the URI so the shell does not treat '?' as a glob character
az group deployment create --resource-group ExampleGroup --template-uri "$url?$token"
```
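
A pre-deployment check for the token generated above, added here as an example and not part of the original article: it parses the SAS query string and refuses tokens that grant more than read access or that outlive the deployment window. The function names `sas_field` and `check_sas_token`, the 30-minute ceiling and the sample token are assumptions of this example; it relies on GNU `date`, as the article's own commands do.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Requires GNU date.

# Print the value of one query-string field (sp, se, spr, ...) of a SAS token.
sas_field() {
  printf '%s\n' "${1#\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_sas_token <token> [max_minutes] [now_epoch]
# Returns 0 only if the token is read-only, not yet expired, and expires
# within max_minutes (default 30, the lifetime used in the article).
check_sas_token() {
  local token max_minutes now sp se spr expiry remaining
  token=$1
  max_minutes=${2:-30}
  now=${3:-$(date -u +%s)}
  sp=$(sas_field "$token" sp)
  se=$(sas_field "$token" se | sed 's/%3[Aa]/:/g')   # undo URL encoding of ':'
  spr=$(sas_field "$token" spr)

  if [ "$sp" != "r" ]; then
    echo "reject: permissions '$sp' are not read-only" >&2
    return 1
  fi
  # Turn 2017-05-31T12:30Z into "2017-05-31 12:30" and read it as UTC.
  if [ -z "$se" ] ||
     ! expiry=$(date -u -d "$(printf '%s' "$se" | sed 's/T/ /; s/Z$//')" +%s 2>/dev/null); then
    echo "reject: missing or unparseable expiry '$se'" >&2
    return 1
  fi
  remaining=$(( expiry - now ))
  if [ "$remaining" -le 0 ]; then
    echo "reject: token already expired" >&2
    return 1
  fi
  if [ "$remaining" -gt $(( max_minutes * 60 )) ]; then
    echo "reject: token valid for more than $max_minutes minutes" >&2
    return 1
  fi
  if [ "$spr" != "https" ]; then
    echo "warning: token does not restrict use to HTTPS (spr=https)" >&2
  fi
  return 0
}

# Constructed sample token (the signature is a placeholder, not a real one).
sample='se=2017-05-31T12%3A30Z&sp=r&sv=2016-05-31&sr=b&sig=CONSTRUCTED'
sample_now=$(date -u -d '2017-05-31 12:10' +%s)
check_sas_token "$sample" 30 "$sample_now" && echo "sample token accepted"
```

In the deployment script, call `check_sas_token "$token"` between generating the token and running `az group deployment create`, and stop if it returns non-zero.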
For an example of using a SAS token with linked templates, see Using linked templates with Azure Resource Manager.
- For an introduction to deploying templates, see Deploy resources with Resource Manager templates and Azure PowerShell.
- For a complete sample script that deploys a template, see Deploy Resource Manager template script.
- To define parameters in a template, see Authoring templates.
- For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see Azure enterprise scaffold - prescriptive subscription governance.