question

JeanPascalJOURNET-4831 asked · 0 Votes

Creating SAS token with ARM template: error InvalidValuesForRequestParameters

I am trying to generate a SAS token from an ARM template, to allow my template to subsequently access resources in a blob storage (including linked templates).

However, I get the following error:

    {
        "code": "InvalidValuesForRequestParameters",
        "message": "Values for request parameters are invalid: signedPermission,signedExpiry,signedResourceTypes,signedServices."
    }


My template had this variable and line to generate the SAS token:

     "variables": {
         "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
         "accountSasProperties": {
             "type": "object",
             "defaultValue": {
                 "signedServices": "fb",
                 "signedPermission": "rwdlacup",
                 "signedExpiry": "2021-11-30T00:00:00Z",
                 "signedResourceTypes": "co"
             }
         }
     },
 (...)
         {
             "apiVersion": "2018-02-14",
             "type": "Microsoft.KeyVault/vaults/secrets",
             "dependsOn": [
                 "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
             ],
             "name": "[concat(variables('vaultName'), '/', 'StorageSaSToken')]",
             "properties": {
                 "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
             }
         }

The idea is to generate a SAS token and put it in a vault (I create it in the same template).
As a side note, the storage account for which I generate a SAS token is in another resource group.

I tried several variations of the parameters, but could not find what's wrong, and the error is not really helping.


azure-storage-accounts

JeanPascalJOURNET-4831 answered · 2 Votes

Found the issue myself, and it's the worst kind of solution: the stupid mistake.

I switched "accountSasProperties" from parameters to variables, and in the process, I forgot to remove the "defaultValue", and put the value directly under "accountSasProperties".
The correct syntax for a variable in my case:

    "accountSasProperties": {
        "signedServices": "fb",
        "signedPermission": "rwdlacup",
        "signedExpiry": "2021-11-30T00:00:00Z",
        "signedResourceTypes": "co"
    }

Thanks @shivapatpi-MSFT for your example, it somehow helped me to discover my issue.


Hello @JeanPascalJOURNET-4831,
I am glad that the issue is resolved and that those details were helpful.
Kindly don't forget to "Accept the Answer". It will help others in the community who are looking for similar issues.


Will do, just feels weird to accept your own answer.
Thanks for your help @shivapatpi-MSFT.

shivapatpi-MSFT answered · 1 Vote

Hello @JeanPascalJOURNET-4831,
Thanks for your query!
I just followed the sample template mentioned here and was able to create the KeyVault, generate the SAS token and store it as a secret in KeyVault.
https://github.com/sam-cogan/Demos/blob/master/SaSToken/SaSToken.json


FYI - Here is the complete JSON file:
(for the KeyVaultAccessObjectID - it will be a unique identifier)
(Edited a couple of values to be closer to your template)

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "keyVaultName": {
                "type": "string",
                "metadata": {
                    "description": "Name of KeyVault to Store SaS Token"
                }
            },
            "tenantID": {
                "type": "string",
                "metadata": {
                    "description": "Azure AD Tenant ID"
                }
            },
            "keyVaultAccessObjectID": {
                "type": "string",
                "metadata": {
                    "description": "ID of user or App to grant access to KV"
                }
            },
            "StorageAccountName": {
                "type": "string",
                "metadata": {
                    "description": "Name of Storage Account to Create"
                }
            },
            "accountSasProperties": {
                "type": "object",
                "defaultValue": {
                    "signedServices": "fb",
                    "signedPermission": "rwlacup",
                    "signedExpiry": "2022-03-01T00:00:01Z",
                    "signedResourceTypes": "co"
                }
            }
        },
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.Storage/storageAccounts",
                "apiVersion": "2018-07-01",
                "name": "[parameters('StorageAccountName')]",
                "location": "[resourceGroup().location]",
                "tags": {
                    "displayName": "[parameters('StorageAccountName')]"
                },
                "sku": {
                    "name": "Standard_LRS"
                },
                "kind": "StorageV2"
            },
            {
                "type": "Microsoft.KeyVault/vaults",
                "apiVersion": "2018-02-14",
                "name": "[parameters('keyVaultName')]",
                "location": "[resourceGroup().location]",
                "tags": {
                    "displayName": "[parameters('keyVaultName')]"
                },
                "properties": {
                    "enabledForDeployment": true,
                    "enabledForTemplateDeployment": true,
                    "enabledForDiskEncryption": true,
                    "tenantId": "[parameters('tenantID')]",
                    "accessPolicies": [
                        {
                            "tenantId": "[parameters('tenantID')]",
                            "objectId": "[parameters('keyVaultAccessObjectID')]",
                            "permissions": {
                                "keys": [
                                    "get"
                                ],
                                "secrets": [
                                    "list",
                                    "get",
                                    "set"
                                ]
                            }
                        }
                    ],
                    "sku": {
                        "name": "standard",
                        "family": "A"
                    }
                }
            },
            {
                "apiVersion": "2018-02-14",
                "type": "Microsoft.KeyVault/vaults/secrets",
                "dependsOn": [
                    "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
                ],
                "name": "[concat(parameters('keyVaultName'), '/', 'StorageSaSToken')]",
                "properties": {
                    "value": "[listAccountSas(parameters('StorageAccountName'), '2018-07-01', parameters('accountSasProperties')).accountSasToken]"
                }
            }
        ],
        "outputs": {}
    }


Kindly let us know if that helps!


Hi @shivapatpi-MSFT, your example was useful, and pointed me in the right direction.
The problem was accountSasProperties in variables with default values...
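
A pre-deployment check for the mistake found in this thread (a variable that still carries the parameter-style "type"/"defaultValue" wrapper, so the four SAS fields are not at the top level of the object passed to listAccountSas). This is an added example, not code from any poster or from Microsoft; the function name `check_sas_variable`, the allowed-letter sets and the expiry format check are assumptions of this example.

```python
import json
from datetime import datetime

# Letters accepted by each account-SAS field (assumed from the Azure Storage
# account SAS documentation; newer API versions may accept more permissions).
ALLOWED = {
    "signedServices": set("bqtf"),
    "signedPermission": set("rwdlacup"),
    "signedResourceTypes": set("sco"),
}

def check_sas_variable(template, name="accountSasProperties"):
    """List problems with variables[name] when used as a listAccountSas argument."""
    value = template.get("variables", {}).get(name)
    if not isinstance(value, dict):
        return [f"variables.{name} is missing or not an object"]
    problems = []
    # Variables hold the value itself; "type"/"defaultValue" belong to parameters.
    wrapper = sorted({"type", "defaultValue"} & value.keys())
    if wrapper:
        problems.append(f"parameter-style keys in variable: {wrapper}")
    for field, allowed in ALLOWED.items():
        text = value.get(field)
        if not isinstance(text, str) or not text:
            problems.append(f"{field} missing at top level")
        elif set(text) - allowed:
            problems.append(f"{field} has invalid letters {sorted(set(text) - allowed)}")
    try:
        # Assumption: require the same UTC timestamp form the page uses.
        datetime.strptime(value.get("signedExpiry"), "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        problems.append("signedExpiry missing or not in YYYY-MM-DDTHH:MM:SSZ form")
    return problems

# Constructed inputs: the SAS values are the ones posted in the question.
SAS = {"signedServices": "fb", "signedPermission": "rwdlacup",
       "signedExpiry": "2021-11-30T00:00:00Z", "signedResourceTypes": "co"}
BROKEN = {"variables": {"accountSasProperties": {"type": "object", "defaultValue": SAS}}}
FIXED = {"variables": {"accountSasProperties": SAS}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, json.dumps(check_sas_variable(tpl), indent=2))
```

For the broken template the check reports the wrapper keys plus all four SAS fields as missing, the same four fields named in the InvalidValuesForRequestParameters message.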
