Alternative option to upload images without Enabling Allow storage account key access for storage account

Galipelly Rajashekar (Quadrant Resource LLC) 40 Reputation points Microsoft Vendor
2024-07-25T06:24:21.74+00:00

I've been utilizing a PowerShell script to upload images to our Azure storage account. However, after enhancing our security measures by disabling the Allow storage access key, I encountered the following issue. I am looking for an alternative to this.

Exception:

```text
Add-AzVhd : Key based authentication is not permitted on this storage account.
At D:\Rajashekar\Untitled1.ps1:79 char:33
+ ...             Add-AzVhd -ResourceGroupName $resourceGroupName -Destinat ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzVhd], StorageException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.StorageServices.AddAzureVhd
```

Here is the script:

```powershell
Try
{
    Function Log-Msg
    {
    }

    # Returns $true when the directory given in $FileLiteralPath exists
    Function PathExists
    {
        param (
            [string] $FileLiteralPath
        )

        Write-Host "Function:" $FileLiteralPath

        If ([System.IO.Directory]::Exists($FileLiteralPath))
        {
            Write-Host "Found files.."
            return $true
        }
        else
        {
            Read-Host "Press Any Key...."
            Write-Host "File Not found.."
            return $false
        }
    }

    cls
    $global:imgCount = 0
    Write-Host "Start Time:" (get-date -DisplayHint date) -ForegroundColor Cyan
    Write-Host "Starting the script..."
    Write-Host "Initialize Discovery sheet.."

    $filePath = "csv file path"
    if (Test-Path -LiteralPath $filePath)
    {
        Write-Host "Processing each discovered image.."
        $DisOutput = Import-Csv -Path $filePath
        Write-Output $DisOutput.Count
        if ($DisOutput.Count -gt 1)
        {
            Write-Host "Processing Discovery file.. Please Wait.."
            Write-Host "Establish connection with Azure Subscription..."
            Connect-AzAccount
            $subscriptionId = "subscription id"
            #Production Image
            $resourceGroupName = 'resource group name'
            $sA = "storage account name"

            $location = 'West US'
            Select-AzSubscription -SubscriptionId $subscriptionId
            Get-AzSubscription -SubscriptionId $subscriptionId | Set-AzContext

            Write-Host "Connection to Azure Subscription Success..." -ForegroundColor Cyan
            ForEach ($Rows in $DisOutput)
            {
                Write-Host $Rows.ImageName
                Write-Host $Rows.OSType
                Write-Host $Rows.vhdName
                Write-Host $Rows.vhdPath
                Write-Host "Checking if network path exists..."
                $ret = PathExists($Rows.vhdPath)
                if ($ret -eq $true)
                {
                    Write-Host "Network path exists.."
                    $getvhdName = Get-ChildItem $Rows.vhdPath | where {$_.name -like "*.vhd"}
                    $vhdfilePath = $getvhdName.FullName
                    Write-Host "Checking if VHD file existing..."
                    $ret = Test-Path -LiteralPath $vhdfilePath
                    if ($ret -eq $true)
                    {
                        Write-Host "Add VHD to blob..Please wait..."
                        $vhdUrl = "https://" + $sA + ".blob.core.windows.net/images/" + $Rows.vhdName
                        Write-Host "VHD File Path=" $vhdfilePath
                        # This is the call that fails with "Key based authentication is not permitted"
                        # once Shared Key access is disabled on the storage account
                        try
                        {
                            Add-AzVhd -ResourceGroupName $resourceGroupName -Destination $vhdUrl -LocalFilePath $vhdfilePath -OverWrite
                        }
                        catch
                        {
                            Write-Host "$($_.Exception.Message)"
                        }
                        Write-Host "Add New Image Config In Progress.."
                        $Tags = @{"Type" = $Rows.OSType}
                        $imageConfig = New-AzImageConfig -Location $location -Tag $Tags
                        $imageConfig = Set-AzImageOsDisk -Image $imageConfig -OsType Windows -OsState Generalized -BlobUri $vhdUrl
                        Write-Host "Create Image In Progress.."
                        $image = New-AzImage -ImageName $Rows.ImageName -ResourceGroupName $resourceGroupName -Image $imageConfig
                        $global:imgCount += 1
                        Write-Host "Image onboarded..." -ForegroundColor Green
                        #Read-Host "Press any key..."
                        #Write-Host "Onboard " $imageName " Image Complete...." -ForegroundColor Green
                    }
                    else
                    {
                        Write-Host "VHD file does not exists..." -ForegroundColor Magenta
                    }
                }
                else
                {
                    Write-Host "Unable to find VHD Path:" $Rows.vhdPath -ForegroundColor Magenta
                }
            }
        }
        else
        {
            Write-Host "Unable to process Discovery file.. "
        }
    }
    else
    {
        Write-Host "Discovery File Not found..."
    }

    Write-Host "Total Image onboarded:" $global:imgCount
    Write-Host "End Time:" (get-date -DisplayHint date) -ForegroundColor Cyan
}
Catch
{
    Write-Host "Caught Exception while running the script..."
    Write-Host "Total Image onboarded:" $global:imgCount
    Write-Host "End Time:" (get-date -DisplayHint date) -ForegroundColor Cyan
}
```

Accepted answer

Amrinder Singh 4,910 Reputation points Microsoft Employee
2024-07-25T07:45:47.0266667+00:00

    Hi Galipelly Rajashekar (Quadrant Resource LLC) - Thanks for reaching out over Q&A forum.

    If you are using Access Key as Auth or SAS which is signed using that Key, both will tend to fail once you disable auth using key.

    https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

    You can leverage AD auth in here.

    You can tend to provide required roles such as Reader on Management plane & Storage Blob Data Reader/Contributor on the Data plane. Thereafter you need to make use of the -DataAccessAuthMode switch. This is also discussed in the below link as well:

    https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell

    Hope that helps!

    Please let me know if there are any further queries/concerns, will be glad to assist.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
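As an added example of the approach this answer describes (it is not the answerer's own code and not taken from the linked document): assign the management-plane and data-plane roles, then upload the VHD with Add-AzVhd's direct-to-managed-disk parameter set and the -DataAccessAuthMode switch, so no storage account key is involved, and build the image from the managed disk instead of from a blob URI. The resource names, the sign-in identity, the staging disk name and the "Data Operator for Managed Disks" role assignment on the resource group are assumptions; the answer itself names only Reader and Storage Blob Data Reader/Contributor.

```powershell
# Added example (not the answer's own code). Assumptions: the names below are
# placeholders, the signed-in user is allowed to assign roles, and the VHD is a
# fixed-size, generalized Windows image.
$subscriptionId    = "<subscription id>"
$resourceGroupName = "<resource group name>"
$storageAccount    = "<storage account name>"
$location          = "West US"
$localVhd          = "D:\images\<vhd name>.vhd"
$diskName          = "<vhd name>-upload"      # assumed staging disk name
$imageName         = "<image name>"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Management-plane role on the storage account, data-plane role on the blobs,
#    as the answer recommends. The signed-in user gets them here; a service
#    principal or managed identity would use -ObjectId instead of -SignInName.
$me      = (Get-AzContext).Account.Id
$saScope = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccount).Id
foreach ($role in @("Reader", "Storage Blob Data Contributor")) {
    if (-not (Get-AzRoleAssignment -SignInName $me -RoleDefinitionName $role -Scope $saScope)) {
        New-AzRoleAssignment -SignInName $me -RoleDefinitionName $role -Scope $saScope | Out-Null
    }
}

# Assumption: direct upload to a managed disk with Entra ID auth also needs the
# "Data Operator for Managed Disks" role on the resource group that owns the disk.
$rgScope  = (Get-AzResourceGroup -Name $resourceGroupName).ResourceId
$diskRole = "Data Operator for Managed Disks"
if (-not (Get-AzRoleAssignment -SignInName $me -RoleDefinitionName $diskRole -Scope $rgScope)) {
    New-AzRoleAssignment -SignInName $me -RoleDefinitionName $diskRole -Scope $rgScope | Out-Null
}

# 2. Upload straight into a managed disk. No storage key is read or used:
#    -DataAccessAuthMode makes the upload require an Entra ID token.
Add-AzVhd -ResourceGroupName $resourceGroupName `
          -Location $location `
          -DiskName $diskName `
          -LocalFilePath $localVhd `
          -DataAccessAuthMode "AzureActiveDirectory"

# 3. Build the image from the managed disk rather than from a blob URI.
$disk        = Get-AzDisk -ResourceGroupName $resourceGroupName -DiskName $diskName
$imageConfig = New-AzImageConfig -Location $location -Tag @{ "Type" = "Windows" }
$imageConfig = Set-AzImageOsDisk -Image $imageConfig -OsType Windows -OsState Generalized -ManagedDiskId $disk.Id
New-AzImage -ImageName $imageName -ResourceGroupName $resourceGroupName -Image $imageConfig

# 4. The upload disk is only a staging artefact; remove it once the image exists.
Remove-AzDisk -ResourceGroupName $resourceGroupName -DiskName $diskName -Force
```

The role checks run before the upload so that a missing assignment surfaces as a clear error rather than as an authorization failure part-way through a multi-gigabyte transfer; for the original script's CSV loop, steps 2 to 4 replace the Add-AzVhd / Set-AzImageOsDisk -BlobUri pair inside the ForEach.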


1 additional answer

Nehruji R 4,766 Reputation points Microsoft Vendor
2024-07-26T06:02:44.75+00:00

    Hello Galipelly Rajashekar (Quadrant Resource LLC),

    Greetings! Welcome to Microsoft Q&A Platform.

    This is due to the enhanced security measures that have disabled key-based authentication. To resolve this, you can use Microsoft Entra ID (formerly Azure Active Directory) for authentication. This method provides superior security and ease of use compared to Shared Key authorization.

    Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

    Authorization with Microsoft Entra ID is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Microsoft Entra authorization.

    refer - https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

    When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see Authorize access to data in Azure Storage.

    Assign Azure Roles: Use Azure role-based access control (RBAC) to grant permissions to a security principal (user, group, or application service principal). This principal will be authenticated by Microsoft Entra ID to return an OAuth 2.0 token.

    refer - https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal#understand-how-disallowing-shared-key-affects-sas-tokens

    Use Managed Identities: If your application is running within an Azure entity (like an Azure VM or Azure Functions app), you can use managed identities to access blob data. This approach simplifies the process and enhances security.

    refer - https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal

    Hope this information helps! Please let us know if you have any further queries. I’m happy to assist you further.   


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

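As an added example of the Entra ID path this answer describes (not the answerer's own code): sign in, using the managed identity when the script runs inside an Azure VM or Functions app, confirm that the storage account really does disallow Shared Key, confirm the caller holds a blob data-plane role, and then upload the VHD through a storage context that authorizes with the OAuth token rather than with a key. The resource names, the "images" container and the $UseManagedIdentity switch are assumptions; the image-creation step is not shown here.

```powershell
# Added example (not the answer's own code). Assumptions: placeholder names below,
# a container named "images", and a fixed-size VHD (page blobs require a length
# that is a multiple of 512 bytes, which a fixed VHD satisfies).
$resourceGroupName = "<resource group name>"
$storageAccount    = "<storage account name>"
$containerName     = "images"
$localVhd          = "D:\images\<vhd name>.vhd"
$blobName          = "<vhd name>.vhd"

# 1. Sign in. Inside an Azure VM or Functions app the managed identity is used,
#    so no credential is stored with the script; elsewhere fall back to the
#    interactive login. $UseManagedIdentity is an assumed switch.
$UseManagedIdentity = $false
if ($UseManagedIdentity) { Connect-AzAccount -Identity | Out-Null }
else                     { Connect-AzAccount | Out-Null }

# 2. Confirm the hardening is in place: the account must reject Shared Key
#    requests. An unset value means Shared Key is still allowed.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccount
if ($account.AllowSharedKeyAccess -ne $false) {
    throw "Shared Key authorization is still allowed on $storageAccount; expected it to be disabled."
}

# 3. Confirm the signed-in user holds a blob data-plane role at the account scope
#    before uploading, so a missing RBAC assignment is reported up front instead
#    of as an authorization failure mid-upload. (Skipped for a managed identity,
#    whose assignments are looked up by object id, not sign-in name.)
$dataRoles = @("Storage Blob Data Contributor", "Storage Blob Data Owner")
if (-not $UseManagedIdentity) {
    $signInName = (Get-AzContext).Account.Id
    $held = Get-AzRoleAssignment -SignInName $signInName -Scope $account.Id |
            Where-Object { $_.RoleDefinitionName -in $dataRoles }
    if (-not $held) {
        throw "No blob data-plane role for $signInName at $($account.Id); assign Storage Blob Data Contributor."
    }
}

# 4. Build a context that authorizes with the Entra ID token of the signed-in
#    account, not with a key, and upload the VHD as a page blob (the blob type a
#    VM image is built from).
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount
Set-AzStorageBlobContent -File $localVhd `
                         -Container $containerName `
                         -Blob $blobName `
                         -BlobType Page `
                         -Context $ctx `
                         -Force | Out-Null

# 5. Read the blob back through the same token-based context to verify that the
#    upload landed and has the expected type.
$blob = Get-AzStorageBlob -Container $containerName -Blob $blobName -Context $ctx
"{0}: {1} bytes, type {2}" -f $blob.Name, $blob.Length, $blob.BlobType
```

Step 2 is the check worth keeping even after the migration: if someone re-enables Shared Key on the account, the script keeps working but the control the question set out to enforce is silently gone, and failing loudly here makes that regression visible.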