Following the "Use existing storage account" section, it says:
The allowSharedKeyAccess property of the storage account must be set to true. The only way to mount a storage account in Azure Container Instance (ACI) is via an access key.
But in our subscription we have a policy that all storage accounts that have that property set to true will be blocked at creation time.
Is there a workaround for this? They are using the existing built-in policy "Storage accounts should prevent shared key access".
Is it possible to add an exception to this policy for an existing storage account name, and then set the storage account name in the deployment script parameter?
This is my Bicep template:
resource addRoleAssignments 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: resourceName
  location: resourceGroup().location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userAssignedIdentity.id}': {}
    }
  }
  properties: {
    azPowerShellVersion: '13.2'
    environmentVariables: []
    scriptContent: loadTextContent('../../../.scripts/AddRoleAssignments.ps1')
    arguments: '-TenantId ${tenantId} -SubscriptionId ${subscriptionId} -ResourceGroup ${resourceGroupName} -UserManagedIdentity ${identityName} -RoleAssignmentsBase64 "${allRoleAssignmentsEncoded}"'
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1D'
    // Deployment scripts are idempotent, so we can use utcNow on Tag to force an update
    forceUpdateTag: 'Run-${timestamp}'
    containerSettings: { containerGroupName: containerName }
    storageAccountSettings: {
      storageAccountName: storageAccountDeploymentName
      storageAccountKey: listKeys(resourceId('Microsoft.Storage/storageAccounts', storageAccount.name), '2023-01-01').keys[0].value
    }
  }
}
But when I run it, I get the error:
Status: failed
Error:
Code: DeploymentScriptOperationFailed
Message: Key based authentication is not permitted on this storage account.
RequestId:d2cb5954-d01a-00ba-6c8a-aadc2d000000
Time:2025-04-11T02:35:31.0724116Z
Status: 403 (Key based authentication is not permitted on this storage account.)
ErrorCode: KeyBasedAuthenticationNotPermitted
Use existing Storage Account with local auth disabled in Deployment Script
So, as far as I understood, you have a policy which has Effect: "deny" when allowSharedKeyAccess = true, which means that with this policy active you can't create the storage account.
I tried to create a storage account whose shared access key was denied by policy, as shown below.
az storage account create --name stsdvavtestdemo --resource-group vinay-rg --location eastus --sku Standard_LRS --kind StorageV2 --allow-shared-key-access true
Now, since you have an active policy that denies creation of the storage account, and since you want to allow just one specific storage account to bypass this policy for test or deployment script use, the next step is to create a policy exemption for that storage account.
Since the storage account was yet to be created, create an exception at the RG level.
az policy exemption create --name "allow-shared-key-access-rg-scope" --policy-assignment "/subscriptions/Sub_ID/providers/Microsoft.Authorization/policyAssignments/deny-shared-key-access-assignment" --scope "/subscriptions/Sub_ID/resourceGroups/vinay-rg" --exemption-category Waiver --description "Temporarily allow shared key access storage creation under vinay-rg"
Once the exemption is created, check that you can create a storage account as per the requirement.
az storage account create --name stsdvavtestdemo --resource-group vinay-rg --location eastus --sku Standard_LRS --kind StorageV2 --allow-shared-key-access true
For cases where the storage account resource already exists:
az policy exemption create --name "stsdvavtestdemo" --policy-assignment "/subscriptions/Sub_ID/providers/Microsoft.Authorization/policyAssignments/deny-shared-key-access-assignment" --scope "/subscriptions/Sub_ID/resourceGroups/vinay-rg/providers/Microsoft.Storage/storageAccounts/stsdvavtestdemo" --exemption-category Waiver --description "Exempt existing storage account from shared key access policy"
Refer:
Details of the policy exemption structure - Azure Policy | Microsoft Learn
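The second exemption command above, expressed in Bicep so it lives in the same template as the deployment script, as an added example that is not part of the question or the answer. It assumes the storage account already exists in the target resource group, that policyAssignmentId (placeholder default) is the assignment of the deny policy in your subscription, and it time-boxes the waiver so the bypass does not outlive the deployment.

```bicep
// Added example (not from the question or answer): exempt exactly one existing
// storage account from the shared-key-access deny policy, scoped to that
// resource rather than the whole resource group, with an expiry date.
@description('Existing storage account used by the deployment script')
param storageAccountDeploymentName string

@description('Assignment of the deny-shared-key-access policy (placeholder value)')
param policyAssignmentId string = '/subscriptions/<Sub_ID>/providers/Microsoft.Authorization/policyAssignments/deny-shared-key-access-assignment'

// utcNow() is only allowed in a parameter default; the expiry is derived from it.
param baseTime string = utcNow('u')

// Waiver expires 7 days after deployment; Azure Policy stops honouring it then.
var exemptionExpiresOn = dateTimeAdd(baseTime, 'P7D')

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountDeploymentName
}

// Extension resource attached to the storage account only, so no other account
// in the resource group can opt out of the policy through this exemption.
resource sharedKeyWaiver 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'waiver-shared-key-${storageAccountDeploymentName}'
  scope: storageAccount
  properties: {
    policyAssignmentId: policyAssignmentId
    exemptionCategory: 'Waiver'
    displayName: 'Deployment script needs an access key to mount its file share'
    description: 'ACI can only mount the share with an access key; limited to this account and time-boxed.'
    expiresOn: exemptionExpiresOn
  }
}

// Expose the exemption ID so the deploymentScripts resource can reference it
// (add dependsOn: [ sharedKeyWaiver ] there so the waiver exists before the
// account is switched to allowSharedKeyAccess: true and the key is read).
output sharedKeyWaiverId string = sharedKeyWaiver.id
```

The exemption only lifts the deny for this one resource; allowSharedKeyAccess still has to be set to true on the account in a later step, and once the deployment script has finished the property can be set back to false and the exemption deleted.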