Deployment in locked down environment #30

@stefanstranger

Description

Describe the bug
I'm trying to create images with Azure Image Builder, following the guide "Creating images with the Azure Image Builder", in an Azure environment locked down with Azure Policies. One of the Azure Policies prohibits the deployment of Azure Storage Accounts with public network access: public network access must be disabled for PaaS services.

To conform to these Azure Policies I configured the Azure environment as follows.

  1. Azure VM Image Builder networking uses an existing VNet.
  2. The Azure Storage Account used by Azure VM Image Builder has a virtual network rule that allows access from the VNet subnet configured in Azure VM Image Builder.
  3. During the pipeline deployment of DevOps-Self-Hosted - Create images with Azure Image Builder, the IP address of the Microsoft-hosted build agent is added to the allowed IP addresses on the firewall of the Azure Storage Account used by Image Builder. This enables the upload of the files to the storage account.

Even after the above configuration, I get the following error message during the Deploy Resources Azure DevOps job, in the task named "Deploy [imageTemplate.deploy.bicep] via service connection [Service Connection]":

  • Not authorized to access the resource: https://<name of the storage account>.blob.core.windows.net/aibscripts/LinuxInstallPowerShell.sh?[REDACTED] Please check the user assigned identity has the correct permissions. For more details, go to https://aka.ms/azvmimagebuilderts. (Code:Unauthorized)

I checked the permissions of the deployed MSI (aibMSI), and it has Contributor permissions at the scope of the Azure subscription.

High Level Architecture

Resource Group where the Azure Image Builder Resources are being deployed:
rg1

Resource Group with VNet and Subnet:
rg2

What do I need to do to get this resolved?

Stefan [MSFT]
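As an added example (not code from the issue or from the DevOps-Self-Hosted project), the following Az PowerShell script applies steps 2 and 3 of the configuration described above: a default-deny storage firewall with a virtual network rule for the Image Builder subnet, and a temporary allow-list entry for the hosted agent's egress IP while the customizer scripts are uploaded. The resource group names rg1 and rg2 are taken from the issue; the storage account name, VNet and subnet names, container name and script path are placeholders.

```powershell
# Added example; not part of the issue or the DevOps-Self-Hosted project.
# rg1 / rg2 come from the issue. 'staib', 'vnet-aib', 'snet-aib', 'aibscripts'
# and the script path are placeholder values.
#Requires -Modules Az.Accounts, Az.Storage, Az.Network
param(
    [string] $StorageResourceGroup = 'rg1',
    [string] $StorageAccountName   = 'staib',
    [string] $NetworkResourceGroup = 'rg2',
    [string] $VNetName             = 'vnet-aib',
    [string] $SubnetName           = 'snet-aib',
    [string] $ContainerName        = 'aibscripts',
    [string] $ScriptPath           = './scripts/LinuxInstallPowerShell.sh'
)

$ErrorActionPreference = 'Stop'

# --- Step 2: default-deny firewall, allow only the Image Builder subnet -------
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $NetworkResourceGroup -Name $VNetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# A storage virtual network rule is only honoured when the subnet has the
# Microsoft.Storage service endpoint; fail early instead of silently misconfiguring.
if (-not ($subnet.ServiceEndpoints.Service -contains 'Microsoft.Storage')) {
    throw "Subnet '$SubnetName' has no Microsoft.Storage service endpoint; enable it before adding the VNet rule."
}

# Deny everything by default; keep the trusted-services bypass so first-party
# Azure services can still reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $StorageResourceGroup `
    -Name $StorageAccountName -DefaultAction Deny -Bypass AzureServices | Out-Null

Add-AzStorageAccountNetworkRule -ResourceGroupName $StorageResourceGroup `
    -Name $StorageAccountName -VirtualNetworkResourceId $subnet.Id | Out-Null

# --- Step 3: allow the hosted agent's egress IP only for the upload ----------
# Hosted agents get a different egress IP per job, so the rule is added and
# removed per run rather than baked into the template.
$agentIp = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
Add-AzStorageAccountNetworkRule -ResourceGroupName $StorageResourceGroup `
    -Name $StorageAccountName -IPAddressOrRange $agentIp | Out-Null

try {
    # Firewall changes take a short while to propagate before the upload succeeds.
    Start-Sleep -Seconds 30

    # Upload with the pipeline identity (needs Storage Blob Data Contributor on
    # the account) instead of an account key.
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
    Set-AzStorageBlobContent -Container $ContainerName -File $ScriptPath `
        -Blob (Split-Path $ScriptPath -Leaf) -Context $ctx -Force | Out-Null
}
finally {
    # Always drop the agent IP again, even when the upload fails.
    Remove-AzStorageAccountNetworkRule -ResourceGroupName $StorageResourceGroup `
        -Name $StorageAccountName -IPAddressOrRange $agentIp | Out-Null
}

# Print the resulting rule set so the pipeline log shows what is actually allowed.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $StorageResourceGroup -Name $StorageAccountName |
    Select-Object DefaultAction, Bypass,
        @{ n = 'VNetRules'; e = { $_.VirtualNetworkRules.VirtualNetworkResourceId } },
        @{ n = 'IpRules';   e = { $_.IpRules.IPAddressOrRange } }
```

Two caveats worth checking in a locked-down subscription: the storage firewall (VNet and IP rules) only takes effect while the account's public network access is "Enabled from selected networks"; an account whose public network access is fully Disabled ignores these rules and is reachable only through a private endpoint, so a policy that demands the Disabled setting cannot be satisfied by firewall rules alone. And the identity that uploads the scripts and the identity that later reads them are different principals, so the Contributor role on the subscription says nothing about data-plane access to the blob; check the data-plane assignment separately.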
