Secure code execution via ARM template and Azure Container Instances

view gist on github

December 15, 2018
gist

Secure code execution via ARM template and Azure Container Instances

What is this?

It’s a template to execute authenticated az commands from an ARM template deployment, without storing or passing credentials of any kind

Why did you make it?

I was recently looking to move my blog from Azure Web Apps to a static site hosted on Azure Storage.

I wanted to have an ARM template so I can stand up other sites / use as a reference, etc. Unfortunately, enabling the static website feature on Azure Storage is currently a data-plane operation, and ARM templates only execute against the data plane.

How does it work?

The template creates

  • A Managed Identity, which I can use with some services to eliminate the need for Service Principals & passwords
  • A Role Assignment so that the Identity can take actions in my resource group
  • An Azure Storage account that I’ll use to deploy a static website on
  • An Azure Container Instance that runs my bootstrap commands - here using the azure-cli

To deploy, run the following 2 commands

az group create -n website -l westus
az group deployment create -g website --template-file azuredeploy.json --parameters baseName=mystorageaccount

Next steps

It seems to make sense to move the script out of the inline template - it’s hard to read - might eventually hit some string lenght limits (I haven’t checked or tested this yet). I could mount a GitRepo volume and pin to a specific commit here

To use with other non-Azure services, I’d replace the az storage blob commands and instead use az keyvault secret show to download a secret from a preexisting Key Vault. There’s a little bit more work in precreating the Identity outside of this template, making sure it’s in the KV accessPolicies, and then pass the Idenitity as a parameter to the template - but the flow is logically the same. Once you have a secret from Key Vault, use it to run whatever script(s) you need, and then when the container is finished, the secret vanishes with it!

azuredeploy.json