Creating SAS token with ARM template: error InvalidValuesForRequestParameters

Jean Pascal JOURNET 111 Reputation points
2021-06-15T19:44:16.453+00:00

I am trying to generate a SAS token from an ARM template, to allow my template to subsequently access resources in a blob storage (including linked templates).

However, I get the following error:

{
      "code": "InvalidValuesForRequestParameters",
      "message": "Values for request parameters are invalid: signedPermission,signedExpiry,signedResourceTypes,signedServices."
 }

My template had this variable and line to generate the SAS token:

    "variables": {
        "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
        "accountSasProperties": {
            "type": "object",
            "defaultValue": {
                "signedServices": "fb",
                "signedPermission": "rwdlacup",
                "signedExpiry": "2021-11-30T00:00:00Z",
                "signedResourceTypes": "co"
            }
        }
    },
(...)
      {
            "apiVersion": "2018-02-14",
            "type": "Microsoft.KeyVault/vaults/secrets",
            "dependsOn": [
                "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
            ],
            "name": "[concat(variables('vaultName'), '/', 'StorageSaSToken')]",
            "properties": {
                "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
            }
        }

The idea is to generate a SAS token and put it in a vault (I create it in the same template).
As a side note, the storage account for which I generate a SAS token is in another resource group.

I tried several variations of the parameters, but could not find what's wrong, and the error is not really helping.


Accepted answer
  1. Jean Pascal JOURNET 111 Reputation points
    2021-06-17T13:19:01.863+00:00

    Found the issue myself, and it's the worst kind of solution: the stupid mistake.

    I switched "accountSasProperties" from parameters to variables, and in the process I forgot to remove the "defaultValue" and put the values directly under "accountSasProperties".
    The correct syntax for a variable in my case:

        "accountSasProperties": {
            "signedServices": "fb",
            "signedPermission": "rwdlacup",
            "signedExpiry": "2021-11-30T00:00:00Z",
            "signedResourceTypes": "co"
        }
    

    Thanks @shiva patpi for your example, it somehow helped me to discover my issue.


  1. shiva patpi 13,251 Reputation points Microsoft Employee
    2021-06-17T01:57:37.397+00:00

    Hello @Jean Pascal JOURNET,
    Thanks for your query!
    I just followed the sample template mentioned here and was able to create the Key Vault, generate the SAS token and store it as a secret in Key Vault.
    https://github.com/sam-cogan/Demos/blob/master/SaSToken/SaSToken.json

    FYI - here is the complete JSON file:
    (for keyVaultAccessObjectID, it will be a unique identifier)
    (Edited a couple of values to be closer to your template)

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "keyVaultName": {
                "type": "string",
                "metadata": {
                    "description": "Name of KeyVault to Store SaS Token"
                }
            },
            "tenantID": {
                "type": "string",
                "metadata": {
                    "description": "Azure AD Tenant ID"
                }
            },
            "keyVaultAccessObjectID": {
                "type": "string",
                "metadata": {
                    "description": "ID of user or App to grant access to KV"
                }
            },
            "StorageAccountName": {
                "type": "string",
                "metadata": {
                    "description": "Name of Storage Account to Create"
                }
            },
            "accountSasProperties": {
                "type": "object",
                "defaultValue": {
                    "signedServices": "fb",
                    "signedPermission": "rwlacup",
                    "signedExpiry": "2022-03-01T00:00:01Z",
                    "signedResourceTypes": "co"
                }
            }
        },
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2018-07-01",
                "name": "[parameters('StorageAccountName')]",
                "location": "[resourceGroup().location]",
                "tags": {
                    "displayName": "[parameters('StorageAccountName')]"
                },
                "sku": {
                    "name": "Standard_LRS"
                },
                "kind": "StorageV2"
            },
            {
                "type": "Microsoft.KeyVault/vaults",
                "apiVersion": "2018-02-14",
                "name": "[parameters('keyVaultName')]",
                "location": "[resourceGroup().location]",
                "tags": {
                    "displayName": "[parameters('keyVaultName')]"
                },
                "properties": {
                    "enabledForDeployment": true,
                    "enabledForTemplateDeployment": true,
                    "enabledForDiskEncryption": true,
                    "tenantId": "[parameters('tenantID')]",
                    "accessPolicies": [
                        {
                            "tenantId": "[parameters('tenantID')]",
                            "objectId": "[parameters('keyVaultAccessObjectID')]",
                            "permissions": {
                                "keys": [
                                    "get"
                                ],
                                "secrets": [
                                    "list",
                                    "get",
                                    "set"
                                ]
                            }
                        }
                    ],
                    "sku": {
                        "name": "standard",
                        "family": "A"
                    }
                }
            },
            {
                "apiVersion": "2018-02-14",
                "type": "Microsoft.KeyVault/vaults/secrets",
                "dependsOn": [
                    "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
                ],
                "name": "[concat(parameters('keyVaultName'), '/', 'StorageSaSToken')]",
                "properties": {
                    "value": "[listAccountSas(parameters('StorageAccountName'), '2018-07-01', parameters('accountSasProperties')).accountSasToken]"
                }
            }
        ],
        "outputs": {}
    }

    Kindly let us know if that helps!

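The error in the question says nothing about *why* the four fields are invalid; in the accepted answer they were simply not there, because parameter syntax ("type"/"defaultValue") had been left inside a variable. The following Python script is an added example, not code from either answer or from the linked template: it validates an accountSasProperties object offline before deployment (catching the nested-"defaultValue" mistake and unknown flag characters), and it also flags values that deploy fine but are broader than fetching linked templates needs, since both templates on this page mint a token with write and delete rights on every blob for months. The allowed flag sets are those of the 2018-07-01 API version used on the page; the 90-day limit, the `MINIMAL` object and `SAMPLE_TOKEN` (with a placeholder signature) are constructed assumptions for illustration. `sas_token_to_properties` maps an already-issued token back to the same fields through its documented query parameters (`ss`, `sp`, `se`, `srt`), so a token already sitting in Key Vault can be audited the same way.

```python
"""Offline checks for the accountSasProperties object passed to listAccountSas.

Added example: not part of the original question or answers.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

REQUIRED = ("signedServices", "signedPermission", "signedExpiry", "signedResourceTypes")

# Flag characters each field accepts for API version 2018-07-01 (later versions add more).
ALLOWED = {
    "signedServices": set("bqtf"),        # blob, queue, table, file
    "signedPermission": set("rwdlacup"),  # read, write, delete, list, add, create, update, process
    "signedResourceTypes": set("sco"),    # service, container, object
}

# Query-parameter names the issued token uses for the same four fields.
QUERY_TO_FIELD = {"ss": "signedServices", "sp": "signedPermission",
                  "se": "signedExpiry", "srt": "signedResourceTypes"}

EXPIRY_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def validate_sas_properties(props, now, max_lifetime_days=90):
    """Return (errors, warnings) for one accountSasProperties object.

    errors:   values the deployment would reject (the page's InvalidValuesForRequestParameters)
    warnings: values that deploy fine but are broader or longer-lived than the job needs
    """
    errors, warnings = [], []

    # The mistake in the question: parameter syntax ("type"/"defaultValue") left inside a
    # variable, so none of the four required fields is present at the top level.
    if isinstance(props.get("defaultValue"), dict):
        errors.append("fields are nested under 'defaultValue'; a variable takes the values directly")
    missing = [k for k in REQUIRED if k not in props]
    if missing:
        errors.append("missing: " + ", ".join(missing))
        return errors, warnings

    for field, allowed in ALLOWED.items():
        unknown = set(props[field]) - allowed
        if unknown:
            errors.append(f"{field}: unknown flag(s) {''.join(sorted(unknown))}")

    try:
        expiry = datetime.strptime(props["signedExpiry"], EXPIRY_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        errors.append("signedExpiry: expected a UTC timestamp like 2021-11-30T00:00:00Z")
        return errors, warnings
    if expiry <= now:
        errors.append("signedExpiry: already in the past")
    elif expiry - now > timedelta(days=max_lifetime_days):
        warnings.append(f"signedExpiry: token is valid for {(expiry - now).days} days, limit is {max_lifetime_days}")

    # Least-privilege checks (assumed policy): linked-template reads need only read + list on blobs.
    if set(props["signedPermission"]) & set("wdacup"):
        warnings.append("signedPermission: grants write/delete; fetching linked templates needs only 'rl'")
    if "s" in props["signedResourceTypes"]:
        warnings.append("signedResourceTypes: 's' allows service-level operations such as listing containers")
    return errors, warnings


def sas_token_to_properties(token):
    """Map an issued account SAS string back to the four signed* fields via its query parameters."""
    query = parse_qs(token.lstrip("?"))
    return {field: query[key][0] for key, field in QUERY_TO_FIELD.items() if key in query}


NOW = datetime(2021, 6, 15, tzinfo=timezone.utc)  # the question's date, so results are reproducible

# Constructed to match the question: parameter syntax pasted into "variables".
BROKEN = {"type": "object", "defaultValue": {
    "signedServices": "fb", "signedPermission": "rwdlacup",
    "signedExpiry": "2021-11-30T00:00:00Z", "signedResourceTypes": "co"}}
FIXED = BROKEN["defaultValue"]  # the shape the accepted answer ends up with
# Assumed least-privilege variant for reading linked templates: blobs only, read + list, one week.
MINIMAL = {"signedServices": "b", "signedPermission": "rl",
           "signedExpiry": "2021-06-22T00:00:00Z", "signedResourceTypes": "co"}
# Constructed token in the shape listAccountSas returns; the signature is a placeholder.
SAMPLE_TOKEN = "?sv=2018-03-28&ss=fb&srt=co&sp=rwdlacup&se=2021-11-30T00%3A00%3A00Z&spr=https&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, props in (("BROKEN", BROKEN), ("FIXED", FIXED), ("MINIMAL", MINIMAL)):
        print(name, validate_sas_properties(props, NOW))
    print("issued token", validate_sas_properties(sas_token_to_properties(SAMPLE_TOKEN), NOW))
```

Two caveats worth keeping in mind with this pattern. An account SAS is signed with one of the storage account keys, so the only way to revoke it before `signedExpiry` is to rotate that key, which invalidates every other token signed with it; a short expiry and the narrowest `signedPermission`/`signedResourceTypes` that still work are the real controls. And because `listAccountSas` is evaluated while the deployment runs, the storage account must already exist at that moment: when it is created in the same template, as in the answer above, add it to the secret's `dependsOn` alongside the vault rather than relying on deployment order.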
