articles/governance/machine-configuration/how-to/develop-custom-package/5-access-package.md
Lines changed: 2 additions & 34 deletions
@@ -15,42 +15,10 @@ This page provides a guide on how to provide access to Machine Configuration pac
15
15
## Steps to provide access to the package
16
16
### Using a User Assigned Identity
17
17
18
-
**1. Obtain a User-Assigned Managed Identity:**
19
18
> [!IMPORTANT]
20
-
> Please note that, unlike Azure VMs, Arc-connected machines currently do not support UserAssigned Managed Identities.
19
+
> Please note that, unlike Azure VMs, Arc-connected machines currently do not support User-Assigned Managed Identities.
21
20
22
-
To start, you need to obtain the existing resourceId a user-assigned managed identity or create a new. This identity will be used by your VMs to access the Azure storage blob. The following PowerShell command creates a new user-assigned managed identity in the specified resource group:
**2. Assign the Managed Identity to Your Azure VMs:**
32
-
Next, you need to assign the created managed identity to your VMs. This allows the VMs to use the identity for accessing resources. The following command retrieves the VM and assigns the user-assigned identity to it:
**3. Grant the Managed Identity Access to the Blob Storage:**
39
-
Now, you need to grant the managed identity read access to the Azure storage blob. This involves assigning the “Storage Blob Data Reader” role to the identity at the scope of the blob container. The following commands retrieve the storage account and create the role assignment:
New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName "Storage Blob Data Reader" -Scope $scope
44
-
```
45
-
46
-
**4. Access the Blob Storage from the VMs:**
47
-
Finally, from within your VM, you can use the managed identity to access the blob storage. The following commands create a storage context using the connected account and retrieve the blob from the specified container:
This setup ensures that your Azure VMs can securely read from the specified blob container using the user-assigned managed identity.
21
+
You can grant private access to a machine configuration package in an Azure Storage blob by assigning a User-Assigned Identity to a scope of Azure VMs that you wish to apply the package to. For this to work, you need to grant the managed identity read access to the Azure storage blob. This involves assigning the “Storage Blob Data Reader” role to the identity at the scope of the blob container. This setup ensures that your Azure VMs can securely read from the specified blob container using the user-assigned managed identity.
54
22
55
23
### Using a SAS Token
56
24
While this next step is optional, you should add a shared access signature (SAS) token in the URL to ensure secure access to the package. The below example generates a blob SAS token with read access and returns the full blob URI with the shared access signature token. In this example, the token has a time limit of three years.
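Review bot: The replacement paragraph on new line 21 says the identity needs "Storage Blob Data Reader" at the scope of the blob container, but the hunk deletes every step that showed how to do it, including `New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName "Storage Blob Data Reader" -Scope $scope`, so this how-to page no longer gives a procedure for the identity option. Either keep the role-assignment command, with its container-level scope (the least-privilege detail worth preserving), or link to wherever these steps now live. The phrase "assigning a User-Assigned Identity to a scope of Azure VMs" is also ambiguous: state whether the identity is assigned to each VM, as removed step 2 described, or to something else. Spelling is still inconsistent after the fix on new line 19: the note now reads "User-Assigned", the heading reads "### Using a User Assigned Identity", and the new paragraph uses both "User-Assigned Identity" and "user-assigned managed identity"; pick one form. The new paragraph also carries typographic quotes around the role name, which will not match if a reader copies it into a command.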