Merge pull request #271672 from mumian/0409-ds-vnet

prmerger-automator[bot] · web-flow · commit 683dadc5177e · 2024-04-10T14:19:37.000Z
Add the storage account requirement for accessing vnet for deployment…
diff --git a/articles/azure-resource-manager/templates/deployment-script-template.md b/articles/azure-resource-manager/templates/deployment-script-template.md
@@ -3,7 +3,7 @@ title: Use deployment scripts in templates | Microsoft Docs
 description: Use deployment scripts in Azure Resource Manager templates.
 ms.custom: devx-track-arm-template
 ms.topic: conceptual
-ms.date: 12/12/2023
+ms.date: 04/09/2024
 ---
 
 # Use deployment scripts in ARM templates
@@ -660,7 +660,7 @@ The identity that your deployment script uses needs to be authorized to work wit
 With Microsoft.Resources/deploymentScripts version 2023-08-01, you can run deployment scripts in private networks with some additional configurations.
 
 - Create a user-assigned managed identity, and specify it in the `identity` property. To assign the identity, see [Identity](#identity).
-- Create a storage account, and specify the deployment script to use the existing storage account. To specify an existing storage account, see [Use existing storage account](#use-existing-storage-account). Some additional configuration is required for the storage account.
+- Create a storage account with [`allowSharedKeyAccess`](/azure/templates/microsoft.storage/storageaccounts) set to `true` , and specify the deployment script to use the existing storage account. To specify an existing storage account, see [Use existing storage account](#use-existing-storage-account). Some additional configuration is required for the storage account.
 
     1. Open the storage account in the [Azure portal](https://portal.azure.com).
     1. From the left menu, select **Access Control (IAM)**, and then select the **Role assignments** tab.
@@ -708,7 +708,7 @@ The following ARM template shows how to configure the environment for running a
   "resources": [
     {
       "type": "Microsoft.Network/virtualNetworks",
-      "apiVersion": "2023-05-01",
+      "apiVersion": "2023-09-01",
       "name": "[parameters('vnetName')]",
       "location": "[parameters('location')]",
       "properties": {
@@ -761,15 +761,16 @@ The following ARM template shows how to configure the environment for running a
             }
           ],
           "defaultAction": "Deny"
-        }
+        },
+        "allowSharedKeyAccess": true
       },
       "dependsOn": [
         "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
       ]
     },
     {
       "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
-      "apiVersion": "2023-01-31",
+      "apiVersion": "2023-07-31-preview",
       "name": "[parameters('userAssignedIdentityName')]",
       "location": "[parameters('location')]"
     },
@@ -779,7 +780,7 @@ The following ARM template shows how to configure the environment for running a
       "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
       "name": "[guid(tenantResourceId('Microsoft.Authorization/roleDefinitions', '69566ab7-960f-475b-8e7c-b3118f30c6bd'), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName')), resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')))]",
       "properties": {
-        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName')), '2023-01-31').principalId]",
+        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName')), '2023-07-31-preview').principalId]",
         "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', '69566ab7-960f-475b-8e7c-b3118f30c6bd')]",
         "principalType": "ServicePrincipal"
       },
