Secure code execution via ARM template and Azure Container Instances

· 339 words · 2 minute read


What is this?

It’s a template to execute authenticated az commands from an ARM template deployment, without storing or passing credentials of any kind.

Why did you make it?

I was recently looking to move my blog from Azure Web Apps to a static site hosted on Azure Storage.

I wanted to have an ARM template so I can stand up other sites, use it as a reference, etc. Unfortunately, enabling the static website feature on Azure Storage is currently a data-plane operation, and ARM templates only execute against the control plane.

How does it work?

The template creates:

  • A Managed Identity, which I can use with some services to eliminate the need for Service Principals & passwords
  • A Role Assignment so that the Identity can take actions in my resource group
  • An Azure Storage account that I’ll use to deploy a static website on
  • An Azure Container Instance that runs my bootstrap commands, here using the azure-cli

To deploy, run the following two commands:

az group create -n website -l westus
az group deployment create -g website --template-file azuredeploy.json --parameters baseName=mystorageaccount

Next steps

It seems to make sense to move the script out of the inline template: it’s hard to read and might eventually hit some string length limits (I haven’t checked or tested this yet). I could mount a GitRepo volume and pin to a specific commit here.

To use this with other non-Azure services, I’d replace the az storage blob commands with az keyvault secret show to download a secret from a pre-existing Key Vault. There’s a little more work in pre-creating the Identity outside of this template, making sure it’s in the Key Vault accessPolicies, and then passing the Identity as a parameter to the template, but the flow is logically the same. Once you have a secret from Key Vault, use it to run whatever script(s) you need, and when the container finishes, the secret vanishes with it!

azuredeploy.json