Let's Share

My personal place to share knowledge about Sitecore, Powershell, Amazon Web Services and .NET

Sitecore on Azure - SAS Token

posted by Robert Senktas   | 03-07-2017

My posts about Sitecore on Azure

Some time ago I started an adventure with the Sitecore Azure Toolkit. Here is a list of my posts about Sitecore on Azure:
1. How to setup automatic login to Azure account
2. Sitecore on Azure - X0 instance costs

Sitecore on Azure

If we want to deploy a new Sitecore environment to the Azure App Service, we have to complete several steps described in the Sitecore documentation. The same documentation describes in detail how to use the Sitecore Azure Toolkit. In this post I will focus on how to improve the default deployment process a little and add some automation, because I'm @RobsonAutomator :).
The Azure Resource Manager (ARM) requires that WebDeploy packages (WDPs) containing the application code and resources are available for download over the Internet. Additionally, the ARM templates must also be available for download over the Internet. Only the main template and the parameters file can be located on your local machine or server. Any nested templates used by the master template must be uploaded and available for download over the Internet. One option to host WDPs and ARM templates is to create a Microsoft Azure® storage account. How to create a Microsoft Azure storage account is described in the documentation. In my case I have a blob storage account with two containers: sitecore-deploy and sitecore-wdp.

I have uploaded the ARM templates to the sitecore-deploy container and the WDPs to the sitecore-wdp container.

OK, my local environment is almost ready: the ARM templates and WDPs are uploaded to Azure Storage. I have also installed MongoDB in the cloud.
Now I only have to configure some parameters in azuredeploy.parameters.json. I will skip the part regarding the password, deploymentid and so on, and focus on how to provide the SAS token during deployment.

How to use shared access signatures (SAS) in an automated way

What is a shared access signature?

A shared access signature provides delegated access to resources in your storage account. With a SAS, you can grant clients access to resources in your storage account, without sharing your account keys. This is the key point of using shared access signatures in your applications--a SAS is a secure way to share your storage resources without compromising your account keys.

Where exactly should we use SAS tokens? Generally in two places:
- to allow access from the master template to nested/linked templates
- to allow access to WDPs.
If I look into the azuredeploy.json file, there is a parameter templateLinkAccessToken. I need to generate a SAS token for the container that contains the ARM templates and assign it to this parameter. I can do this by running the following PowerShell commands:

$storage = '<StorageAccountName>'
$resource = '<ResourceGroupName>'
$location = '<DataCenterLocation>'
$account = Get-AzureRmStorageAccount -ResourceGroupName $resource -Name $storage
# Gets SAS token to give access from master template to linked/nested templates
$templatelinkAccessToken = New-AzureStorageContainerSASToken 'sitecore-deploy' `
                            -Permission r `
                            -StartTime (Get-Date) `
                            -ExpiryTime (Get-Date).AddHours(1) `
                            -Context $account.Context

In the above example I ask Azure to give me a SAS token for the container 'sitecore-deploy' located in my storage account $storage.
I need only read-only access rights (-Permission r), and the token shall expire one hour from now. This token is assigned to the $templatelinkAccessToken variable. I will show later how to pass this variable to the deployment script.
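
An added example (not part of the original post): a PowerShell helper that reads the fields of a SAS token and reports when it grants more than the read-only, one-hour access described above. The function name Test-SasTokenScope, its parameters and the sample tokens are constructed for illustration; sp, se and spr are the standard SAS query fields.

```powershell
# Added example: check a SAS token's scope before it is handed to a deployment.
function Test-SasTokenScope {
    param(
        [Parameter(Mandatory)] [string] $SasToken,   # bare token or full URI
        [string]   $AllowedPermissions = 'r',        # letters accepted in sp=
        [timespan] $MaxLifetime = (New-TimeSpan -Hours 1),
        [datetime] $Now = (Get-Date)
    )
    # Keep only the query string and split it into name/value pairs.
    $query  = ($SasToken -split '\?', 2)[-1]
    $fields = @{}
    foreach ($pair in ($query -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name) { $fields[$name] = [uri]::UnescapeDataString([string]$value) }
    }
    $findings = @()

    # sp = signed permissions; any letter outside the allowed set is too broad.
    $sp    = [string]$fields['sp']
    $extra = -join ($sp.ToCharArray() | Where-Object { $AllowedPermissions.IndexOf($_) -lt 0 })
    if (-not $sp) { $findings += 'sp (permissions) missing' }
    if ($extra)   { $findings += "sp grants more than '$AllowedPermissions': $extra" }

    # se = signed expiry (UTC); compare the remaining lifetime with the limit.
    $expires = $null
    if ($fields['se']) {
        $styles  = [System.Globalization.DateTimeStyles]::AssumeUniversal
        $expires = [datetimeoffset]::Parse($fields['se'], [cultureinfo]::InvariantCulture, $styles).UtcDateTime
        $left    = $expires - $Now.ToUniversalTime()
        if ($left -le [timespan]::Zero) { $findings += 'token already expired' }
        elseif ($left -gt $MaxLifetime) { $findings += "expires in $([int]$left.TotalMinutes) min; limit is $([int]$MaxLifetime.TotalMinutes) min" }
    } else { $findings += 'se (expiry) missing' }

    # spr = signed protocol; when absent, HTTP is accepted as well as HTTPS.
    if ($fields['spr'] -ne 'https') { $findings += 'spr is not https-only' }

    [pscustomobject]@{
        Permissions = $sp
        ExpiresUtc  = $expires
        Findings    = $findings
        Ok          = ($findings.Count -eq 0)
    }
}

# Constructed tokens (the signatures are placeholders, not real values).
$utc   = (Get-Date).ToUniversalTime()
$tight = "?sv=2015-04-05&sr=c&sig=PLACEHOLDER&spr=https&se=$($utc.AddMinutes(30).ToString('s'))Z&sp=r"
$broad = "?sv=2015-04-05&sr=c&sig=PLACEHOLDER&se=$($utc.AddHours(8).ToString('s'))Z&sp=rwdl"
(Test-SasTokenScope -SasToken $tight).Ok
(Test-SasTokenScope -SasToken $broad).Findings
```

A token generated without a protocol restriction carries no spr field and is reported as not HTTPS-only; the SAS cmdlets' -Protocol HttpsOnly parameter sets it.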

Now I need to get the URI of my master template azuredeploy.json, which is located in the container 'sitecore-deploy'.
Please note that now I need the full URI, not only the SAS token, and I need access to one file, not the whole container.
I use a different cmdlet, New-AzureStorageBlobSASToken, with the -FullUri parameter:

# Gets full URI with SAS token to master ARM template
$templateUri = New-AzureStorageBlobSASToken -Container 'sitecore-deploy' `
                            -Blob 'xp0/azuredeploy.json' `
                            -Permission r `
                            -StartTime (Get-Date) `
                            -ExpiryTime (Get-Date).AddHours(1) `
                            -Context $account.Context `
                            -FullUri

Finally, I need the URI of one or more WDP packages:

# Gets full URI to WDP package
$singleMsDeployPackageUrl = New-AzureStorageBlobSASToken -Container 'sitecore-wdp' `
                            -Blob 'xp0/Sitecore 8.2 rev. 170407_single.scwdp.zip' `
                            -Permission r `
                            -StartTime (Get-Date) `
                            -ExpiryTime (Get-Date).AddHours(1) `
                            -Context $account.Context `
                            -FullUri

Then I pass all the parameters to the Sitecore deployment script:

# Pass the SAS token and package URL to the Sitecore deployment script
$setKeyValue = @{
                            templatelinkAccessToken = $templatelinkAccessToken;
                            singleMsDeployPackageUrl = $singleMsDeployPackageUrl;
}
Start-SitecoreAzureDeployment -Location $location `
                            -Name "sitecore82-170407" `
                            -ArmTemplateUrl $templateUri `
                            -ArmParametersPath "C:\SitecoreInstall\Azure\xp0\azuredeploy.parameters.json" `
                            -LicenseXmlPath "C:\SitecoreInstall\Azure\license.xml" `
                            -SetKeyValue $setKeyValue

