Secure code execution via ARM template and Azure Container Instances
What is this?
It’s a template to execute authenticated `az` commands from an ARM template deployment, without storing or passing credentials of any kind.
Why did you make it?
I was recently looking to move my blog from Azure Web Apps to a static site hosted on Azure Storage.
I wanted to have an ARM template so I can stand up other sites / use as a reference, etc. Unfortunately, enabling the static website feature on Azure Storage is currently a data-plane operation, and ARM templates only execute against the control plane.
How does it work?
The template creates:
- A Managed Identity, which I can use with some services to eliminate the need for Service Principals & passwords
- A Role Assignment so that the Identity can take actions in my resource group
- An Azure Storage account that I’ll use to deploy a static website on
- An Azure Container Instance that runs my bootstrap commands - here using the azure-cli
To deploy, run the following 2 commands:

```
az group create -n website -l westus
az group deployment create -g website --template-file azuredeploy.json --parameters baseName=mystorageaccount
```
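As an added illustration of the four resources listed above (example code written for this page, not the repository’s own `azuredeploy.json`), the template below creates the user-assigned identity, scopes its role assignment to the deploying resource group, creates the storage account, and runs the bootstrap in an Azure Container Instance that logs in with `az login --identity`. The `baseName` parameter matches the deploy command above; the choice of the Storage Account Contributor role, the API versions, the `mcr.microsoft.com/azure-cli` image, the resource names and the retry loop are my assumptions, not values taken from the original template.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added example for this page; not the repository's azuredeploy.json. Role, API versions, image and names are assumptions."
  },
  "parameters": {
    "baseName": {
      "type": "string",
      "metadata": { "description": "Storage account name; also used as the prefix for the identity and container group" }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "identityName": "[concat(parameters('baseName'), '-id')]",
    "storageName": "[toLower(parameters('baseName'))]",
    "aciName": "[concat(parameters('baseName'), '-bootstrap')]",
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
    "storageAccountContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
    "roleAssignmentName": "[guid(resourceGroup().id, variables('identityName'), 'storage-account-contributor')]",
    "bootstrap": "[concat('az login --identity -u ', variables('identityId'), ' && for i in 1 2 3 4 5 6; do az storage blob service-properties update --account-name ', variables('storageName'), ' --static-website --index-document index.html --404-document 404.html && exit 0; echo waiting for role assignment to propagate; sleep 20; done; exit 1')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[variables('identityName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('storageAccountContributor')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[variables('storageName')]",
      "location": "[parameters('location')]",
      "kind": "StorageV2",
      "sku": { "name": "Standard_LRS" },
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2"
      }
    },
    {
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2019-12-01",
      "name": "[variables('aciName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[variables('storageId')]",
        "[resourceId('Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]"
      ],
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": { "[variables('identityId')]": {} }
      },
      "properties": {
        "osType": "Linux",
        "restartPolicy": "Never",
        "containers": [
          {
            "name": "bootstrap",
            "properties": {
              "image": "mcr.microsoft.com/azure-cli",
              "resources": { "requests": { "cpu": 1, "memoryInGB": 1 } },
              "command": [ "/bin/sh", "-c", "[variables('bootstrap')]" ]
            }
          }
        ]
      }
    }
  ]
}
```

A few design points worth noting. No secret appears anywhere: the container obtains a token from the identity endpoint, and `az storage` with no explicit credential resolves the account key over the management plane using that token, which is exactly what the role assignment authorizes. The role is Storage Account Contributor rather than Contributor, and it is scoped to the resource group (it could be narrowed further to the storage account resource itself with a nested deployment). The `for` loop exists because a new role assignment can take a minute or two to propagate, so the first `az storage` call may fail with an authorization error even though the template has already created the assignment; `restartPolicy: Never` keeps a failed bootstrap from looping forever, and `az container logs -g website -n <baseName>-bootstrap` shows what happened. For the Key Vault variant described further down, the only structural changes are to take the identity’s resource ID as a parameter instead of creating it here, drop the role assignment, and replace the `bootstrap` variable with the `az keyvault secret show` command.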
It seems to make sense to move the script out of the inline template - it’s hard to read - might eventually hit some string length limits (I haven’t checked or tested this yet). I could mount a GitRepo volume and pin to a specific commit here.
To use with other non-Azure services, I’d replace the `az storage blob` commands and instead use `az keyvault secret show` to download a secret from a preexisting Key Vault. There’s a little bit more work in precreating the Identity outside of this template, making sure it’s in the KV accessPolicies, and then passing the Identity as a parameter to the template - but the flow is logically the same. Once you have a secret from Key Vault, use it to run whatever script(s) you need, and then when the container is finished, the secret vanishes with it!