Forum Discussion
AnilKumar82
Jul 28, 2021 Copper Contributor
Deploying ARM template (stored in private BLOB Container) using Managed Identity (without SAS)
We have a requirement for deploying Azure ARM template(s) which are stored in Storage Account BLOB container (Private access level), from an Azure function app. We have configured managed Identit...
Tushar Kumar
Feb 28, 2023 Brass Contributor
Alternatively, you can try the Azure SDK. Make sure you have the correct permissions on the IAM of the storage account.
import json
import logging
import os

from azure.core.exceptions import ResourceNotFoundError
from azure.identity import ManagedIdentityCredential
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.resource.resources.models import DeploymentMode
from azure.storage.blob import BlobServiceClient


def deploy_template(subscription_id, resource_group_name, deployment_name):
    """Deploy templates/template.json; the caller supplies the subscription, resource group and deployment name."""
    # Authenticate with the function app's managed identity
    credential = ManagedIdentityCredential()

    # Get the blob storage account connection string from the app settings
    connection_string = os.environ['AzureWebJobsStorage']

    # Get a reference to the ARM template blob, passing the managed identity as the credential
    blob_service_client = BlobServiceClient.from_connection_string(connection_string, credential=credential)
    container_client = blob_service_client.get_container_client('templates')
    blob_client = container_client.get_blob_client('template.json')

    # Download the ARM template contents as text
    try:
        template_contents = blob_client.download_blob().content_as_text()
    except ResourceNotFoundError:
        logging.error("ARM template blob not found")
        return

    # Use the Azure SDK to deploy the ARM template
    resource_client = ResourceManagementClient(credential, subscription_id)
    deployment_properties = {
        'mode': DeploymentMode.INCREMENTAL,
        'template': json.loads(template_contents),
        'parameters': {}
    }
    # begin_create_or_update expects a Deployment body, so the properties go under 'properties'
    deployment_async_operation = resource_client.deployments.begin_create_or_update(
        resource_group_name,
        deployment_name,
        {'properties': deployment_properties}
    )
    # Block until the deployment finishes
    deployment_async_operation.wait()
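The reply above reads the storage setting from `AzureWebJobsStorage`, which often carries an account key. As an added example (not part of the thread), this check refuses a setting that embeds a key or SAS and returns the bare blob endpoint, which can then be passed as `account_url` to `BlobServiceClient(account_url, credential=credential)`. The function names and the sample values in the comments are constructed for illustration.

```python
# Added example, not code from the thread. Function names are hypothetical.
# Constructed sample input: "AccountName=examplestore;EndpointSuffix=core.windows.net"
SECRET_KEYS = {"accountkey", "sharedaccesssignature"}


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    settings = {}
    for part in value.strip().split(";"):
        if not part.strip():
            continue
        # Split on the first '=' only: base64 keys and SAS tokens contain '='
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed connection string segment")
        settings[key.strip().lower()] = val.strip()
    return settings


def identity_only_blob_url(value):
    """Return the blob endpoint URL, refusing settings that embed a secret."""
    settings = parse_connection_string(value)
    embedded = sorted(SECRET_KEYS & settings.keys())
    if embedded:
        # Report which field is present, never its value
        raise ValueError("connection string embeds a secret: " + ", ".join(embedded))
    if "blobendpoint" in settings:
        url = settings["blobendpoint"].rstrip("/")
    elif "accountname" in settings:
        suffix = settings.get("endpointsuffix", "core.windows.net")
        url = f"https://{settings['accountname']}.blob.{suffix}"
    else:
        raise ValueError("no AccountName or BlobEndpoint present")
    if not url.lower().startswith("https://"):
        raise ValueError("blob endpoint must use https")
    if "?" in url:
        # A query string on the endpoint is how a SAS token is usually attached
        raise ValueError("blob endpoint carries a query string (possible SAS)")
    return url
```

With this in place, the only credential the blob client can use is the managed identity, so a missing role assignment on the storage account fails loudly instead of silently falling back to a shared key.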