Create custom image template using a script stored in a storage account that has public access disabled


Hi Team,

We are trying to create a custom image template for AVD. We are trying to use a storage account to store the software and the script which need to be run. We are using a storage account which has public access disabled and are using a private endpoint for it. We are passing a SAS-token-enabled URL, which is valid, to download the script. We are trying to create the image template, but during the creation itself it fails with: Azure custom image template Not authorized to access the resource:?[REDACTED]. Please check the user assigned identity has the correct permission. The UAI has read access on the subscription and the resource group. But when we enable the storage account to be publicly accessible, we are able to create the image template. We are trying to install the template in the same VNet and subnet where we have enabled the private endpoint, but the image template is still failing. Any help or suggestion will be appreciated. The AIB role has the following permissions on the subscription and resource group:

      "Microsoft.Authorization/*/read",
      "Microsoft.Compute/images/write",
      "Microsoft.Compute/images/read",
      "Microsoft.Compute/images/delete",
      "Microsoft.Compute/galleries/read",
      "Microsoft.Compute/galleries/images/read",
      "Microsoft.Compute/galleries/images/versions/read",
      "Microsoft.Compute/galleries/images/versions/write",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "Microsoft.Storage/storageAccounts/blobServices/read",
      "Microsoft.ContainerInstance/containerGroups/read",
      "Microsoft.ContainerInstance/containerGroups/write",
      "Microsoft.ContainerInstance/containerGroups/start/action",
      "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
      "Microsoft.Authorization/*/read",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/deploymentScripts/read",
      "Microsoft.Resources/deploymentScripts/write",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.VirtualMachineImages/imageTemplates/run/action",
      "Microsoft.VirtualMachineImages/imageTemplates/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action"
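Added example, not code from the original post or the replies: the complete wiring for an Image Builder template that builds inside the same subnet as the storage account's private endpoint, in Az PowerShell. All names (rg-avd-images, stavdimages01, vnet-avd, snet-aib, uai-aib, the gallery image ID, the script blob) are placeholders and the subscription ID in the gallery path must be filled in. Two checks a practitioner would want before blaming RBAC: the build subnet must have private link service network policies disabled, which Image Builder requires for its proxy VM, and a name lookup of the storage account from inside the VNet must return the private endpoint's RFC 1918 address; if it still returns a public IP, the SAS URL is being routed to the public endpoint that was disabled. Note also that vnetConfig only governs where the build VM lands; the template resource itself is created by the Image Builder service, so granting the user-assigned identity Storage Blob Data Reader on the account (done below) removes any dependency on the SAS string when the script is fetched.

```powershell
# Added example (not from the original post). Placeholder names; replace with your own.
$rg         = 'rg-avd-images'
$location   = 'westeurope'
$saName     = 'stavdimages01'          # storage account with public network access disabled
$vnetName   = 'vnet-avd'
$subnetName = 'snet-aib'               # same subnet for the private endpoint and the build VM
$uaiName    = 'uai-aib'                # user-assigned identity that holds the AIB role
$galleryImageId = '/subscriptions/<subscriptionId>/resourceGroups/rg-avd-images/providers/Microsoft.Compute/galleries/gal_avd/images/win11-avd'

# 1. Image Builder needs private link service network policies disabled on the build subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -PrivateLinkServiceNetworkPoliciesFlag 'Disabled' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 2. Lock the storage account to private access and publish a blob private endpoint with DNS.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
Update-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -PublicNetworkAccess Disabled -AllowBlobPublicAccess $false | Out-Null
$conn = New-AzPrivateLinkServiceConnection -Name "$saName-blob" -PrivateLinkServiceId $sa.Id -GroupId 'blob'
$pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-blob" -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn
# Private DNS zone linked to the VNet, so <account>.blob.core.windows.net resolves to the endpoint IP.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.blob.core.windows.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-blob-core-windows-net' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# 3. Let the build identity read blobs directly (data-plane role), independent of any SAS token.
$uai = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uaiName
New-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName 'Storage Blob Data Reader' -Scope $sa.Id | Out-Null

# 4. Check from a VM inside the VNet: the account name must resolve to a private (RFC 1918) address.
function Test-PrivateBlobResolution {
    param([Parameter(Mandatory)][string]$AccountName)
    $ips = (Resolve-DnsName "$AccountName.blob.core.windows.net" -Type A -ErrorAction Stop).IPAddress
    # A public IP here means the SAS URL is still going to the disabled public endpoint.
    return @($ips | Where-Object { $_ -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)' }).Count -gt 0
}

# 5. Image template with the build VM pinned to the same subnet (vmProfile.vnetConfig).
$scriptUri  = "https://$saName.blob.core.windows.net/scripts/install-apps.ps1"   # hypothetical blob
$scriptHash = (Get-FileHash -Path '.\install-apps.ps1' -Algorithm SHA256).Hash.ToLower()  # local copy of the script
$identities = @{}
$identities[$uai.Id] = @{}
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(@{
        type       = 'Microsoft.VirtualMachineImages/imageTemplates'
        apiVersion = '2022-02-14'
        name       = 'it-avd-win11'
        location   = $location
        identity   = @{ type = 'UserAssigned'; userAssignedIdentities = $identities }
        properties = @{
            buildTimeoutInMinutes = 120
            vmProfile  = @{ vmSize = 'Standard_D4s_v3'; osDiskSizeGB = 128; vnetConfig = @{ subnetId = $subnet.Id } }
            source     = @{ type = 'PlatformImage'; publisher = 'MicrosoftWindowsDesktop'; offer = 'windows-11'; sku = 'win11-22h2-avd'; version = 'latest' }
            customize  = @(@{ type = 'PowerShell'; name = 'InstallApps'; runElevated = $true; scriptUri = $scriptUri; sha256Checksum = $scriptHash })
            distribute = @(@{ type = 'SharedImage'; galleryImageId = $galleryImageId; runOutputName = 'avd'; replicationRegions = @($location) })
        }
    })
}
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateObject $template | Out-Null

# Kick off the build (the template resource supports the 'run' action).
$templateId = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg/providers/Microsoft.VirtualMachineImages/imageTemplates/it-avd-win11"
Invoke-AzResourceAction -ResourceId $templateId -Action Run -Force | Out-Null
```

Run steps 1 to 3 and 5 from an administrative workstation; run Test-PrivateBlobResolution from a VM in the VNet (or any network linked to the private DNS zone) before retrying the template, since a public answer there means the private endpoint path is not yet in use regardless of which roles the identity holds.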
2 Replies

@amolpawar87 - If you are using AIB to build the image template, where is AIB building its components?

In the AIB template, I hope you have changed the network to your subnet ID? By default the AIB template is public.