Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into gen2DiskUpdate

roygara · roygara · commit afe09142dd41 · 2019-12-03T13:57:26.000-08:00
diff --git a/articles/dev-spaces/how-to/manage-secrets.md b/articles/dev-spaces/how-to/manage-secrets.md
@@ -1,7 +1,7 @@
 ---
 title: "How to manage secrets when working with an Azure Dev Space"
 services: azure-dev-spaces
-ms.date: "05/11/2018"
+ms.date: "12/03/2019"
 ms.topic: "conceptual"
 description: "Rapid Kubernetes development with containers and microservices on Azure"
 keywords: "Docker, Kubernetes, Azure, AKS, Azure Container Service, containers"
@@ -10,7 +10,7 @@ keywords: "Docker, Kubernetes, Azure, AKS, Azure Container Service, containers"
 
 Your services might require certain passwords, connection strings, and other secrets, such as for databases or other secure Azure services. By setting the values of these secrets in configuration files, you can make them available in your code as environment variables.  These must be handled with care to avoid compromising the security of the secrets.
 
-Azure Dev Spaces provides two recommended, streamlined options for storing secrets in Helm charts generated by the Azure Dev Spaces client tooling: in the values.dev.yaml file, and inline directly in azds.yaml. It's not recommended to store secrets in values.yaml. Outside of the two approaches for Helm charts generated by the client tooling defined in this article, if you create your own Helm chart, you can use the Helm chart directly to manage and store secrets.
+Azure Dev Spaces provides two recommended, streamlined options for storing secrets in Helm charts generated by the Azure Dev Spaces client tooling: in the `values.dev.yaml` file, and inline directly in `azds.yaml`. It's not recommended to store secrets in `values.yaml`. Outside of the two approaches for Helm charts generated by the client tooling defined in this article, if you create your own Helm chart, you can use the Helm chart directly to manage and store secrets.
 
 ## Method 1: values.dev.yaml
 1. Open VS Code with your project that is enabled for Azure Dev Spaces.
@@ -56,7 +56,7 @@ Azure Dev Spaces provides two recommended, streamlined options for storing secre
 7. Make sure that you add _values.dev.yaml_ to the _.gitignore_ file to avoid committing secrets in source control.
  
  
-## Method 2: Inline directly in azds.yaml
+## Method 2: azds.yaml
 1.	In _azds.yaml_, set secrets under the yaml section configurations/develop/install. Although you can enter secret values directly there, it's not recommended because _azds.yaml_ is checked into source control. Instead, add placeholders using the "$PLACEHOLDER" syntax.
 
     ```yaml
@@ -99,6 +99,44 @@ Azure Dev Spaces provides two recommended, streamlined options for storing secre
     kubectl get secret --namespace default -o yaml
     ```
 
+## Passing secrets as build arguments
+
+The previous sections showed how to pass secrets to use at container run time. You can also pass a secret at container build time, such as a password for a private NuGet, using `azds.yaml`.
+
+In `azds.yaml`, set the build time secrets in *configurations.develop.build.args* using the `<variable name>: ${secret.<secret name>.<secret key>}` syntax. For example:
+
+```yaml
+configurations:
+  develop:
+    build:
+      dockerfile: Dockerfile.develop
+      useGitIgnore: true
+      args:
+        BUILD_CONFIGURATION: ${BUILD_CONFIGURATION:-Debug}
+        MYTOKEN: ${secret.mynugetsecret.pattoken}
+```
+
+In the above example, *mynugetsecret* is an existing secret and *pattoken* is an existing key.
+
+>[!NOTE]
+> Secret names and keys may contain the `.` character. Use `\` to escape `.` when passing secrets as build arguments. For example, to pass a secret named *foo.bar* with the key of *token*: `MYTOKEN: ${secret.foo\.bar.token}`. In addition, secrets can be evaluated with prefix and postfix text. For example, `MYURL: eus-${secret.foo\.bar.token}-version1`. Also, secrets available in parent and grandparent spaces can be passed as build arguments.
+
+In your Dockerfile, use the *ARG* directive to consume the secret, then use that same variable later in the Dockerfile. For example:
+
+```dockerfile
+...
+ARG MYTOKEN
+...
+ARG NUGET_EXTERNAL_FEED_ENDPOINTS="{'endpointCredentials': [{'endpoint':'PRIVATE_NUGET_ENDPOINT', 'password':'${MYTOKEN}'}]}"
+...
+```
+
+Update the services running in your cluster with these changes. On the command line, run the command:
+
+```
+azds up
+```
+
 ## Next steps
 
 With these methods, you can now securely connect to a database, an Azure Cache for Redis, or access secure Azure services.
diff --git a/articles/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.md b/articles/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.md
@@ -1,12 +1,12 @@
 ---
 title: Create a user delegation SAS for a container or blob with .NET (preview) - Azure Storage
-description: Learn how to create a user delegation SAS using Azure Active Directory credentials in Azure Storage using the .NET client library.
+description: Learn how to create a user delegation SAS (preview) using Azure Active Directory credentials in Azure Storage using the .NET client library.
 services: storage
 author: tamram
 
 ms.service: storage
 ms.topic: conceptual
-ms.date: 10/17/2019
+ms.date: 12/03/2019
 ms.author: tamram
 ms.reviewer: cbrooks
 ms.subservice: blobs
@@ -16,13 +16,13 @@ ms.subservice: blobs
 
 [!INCLUDE [storage-auth-sas-intro-include](../../../includes/storage-auth-sas-intro-include.md)]
 
-This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container or blob with the Azure Storage client library for .NET.
+This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS (preview) for a container or blob with the Azure Storage client library for .NET.
 
 [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)]
 
-## Authenticate with the Azure Identity library (preview)
+## Authenticate with the Azure Identity library
 
-The Azure Identity client library for .NET (preview) authenticates a security principal. When your code is running in Azure, the security principal is a managed identity for Azure resources.
+The Azure Identity client library for .NET authenticates a security principal. When your code is running in Azure, the security principal is a managed identity for Azure resources.
 
 When your code is running in the development environment, authentication may be handled automatically, or it may require a browser login, depending on which tools you're using. Microsoft Visual Studio supports single sign-on (SSO), so that the active Azure AD user account is automatically used for authentication. For more information about SSO, see [Single sign-on to applications](../../active-directory/manage-apps/what-is-single-sign-on.md).
 
@@ -36,30 +36,30 @@ For more information about the Azure Identity client library, see [Azure Identit
 
 When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an RBAC role that grants access to blob data in Azure Storage. For information about assigning permissions via RBAC, see the section titled **Assign RBAC roles for access rights** in [Authorize access to Azure blobs and queues using Azure Active Directory](../common/storage-auth-aad.md#assign-rbac-roles-for-access-rights).
 
-## Install the preview packages
+## Install the packages
 
-The examples in this article use the latest preview version of the [Azure Storage client library for Blob storage](https://www.nuget.org/packages/Azure.Storage.Blobs). To install the preview package, run the following command from the NuGet package manager console:
+The examples in this article use the latest version of the [Azure Storage client library for Blob storage](https://www.nuget.org/packages/Azure.Storage.Blobs). To install the package, run the following command from the NuGet package manager console:
 
 ```powershell
-Install-Package Azure.Storage.Blobs -IncludePrerelease
+Install-Package Azure.Storage.Blobs
 ```
 
-The examples in this article also use the latest preview version of the [Azure Identity client library for .NET](https://www.nuget.org/packages/Azure.Identity/) to authenticate with Azure AD credentials. To install the preview package, run the following command from the NuGet package manager console:
+The examples in this article also use the latest version of the [Azure Identity client library for .NET](https://www.nuget.org/packages/Azure.Identity/) to authenticate with Azure AD credentials. To install the package, run the following command from the NuGet package manager console:
 
 ```powershell
-Install-Package Azure.Identity -IncludePrerelease
+Install-Package Azure.Identity
 ```
 
 ## Add using directives
 
-Add the following `using` directives to your code to use the preview versions of the Azure Identity and Azure Storage client libraries.
+Add the following `using` directives to your code to use the Azure Identity and Azure Storage client libraries.
 
 ```csharp
 using System;
 using System.IO;
 using System.Threading.Tasks;
+using Azure;
 using Azure.Identity;
-using Azure.Storage;
 using Azure.Storage.Sas;
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
@@ -72,8 +72,10 @@ To get a token credential that your code can use to authorize requests to Azure
 The following code snippet shows how to get the authenticated token credential and use it to create a service client for Blob storage:
 
 ```csharp
+// Construct the blob endpoint from the account name.
 string blobEndpoint = string.Format("https://{0}.blob.core.windows.net", accountName);
 
+// Create a new Blob service client with Azure AD credentials.
 BlobServiceClient blobClient = new BlobServiceClient(new Uri(blobEndpoint),
                                                      new DefaultAzureCredential());
 ```
@@ -92,14 +94,17 @@ Use one of the following methods to request the user delegation key:
 The following code snippet gets the user delegation key and writes out its properties:
 
 ```csharp
+// Get a user delegation key for the Blob service that's valid for seven days.
+// You can use the key to generate any number of shared access signatures over the lifetime of the key.
 UserDelegationKey key = await blobClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow,
                                                                    DateTimeOffset.UtcNow.AddDays(7));
 
+// Read the key's properties.
 Console.WriteLine("User delegation key properties:");
-Console.WriteLine("Key signed start: {0}", key.SignedStart);
-Console.WriteLine("Key signed expiry: {0}", key.SignedExpiry);
-Console.WriteLine("Key signed object ID: {0}", key.SignedOid);
-Console.WriteLine("Key signed tenant ID: {0}", key.SignedTid);
+Console.WriteLine("Key signed start: {0}", key.SignedStartsOn);
+Console.WriteLine("Key signed expiry: {0}", key.SignedExpiresOn);
+Console.WriteLine("Key signed object ID: {0}", key.SignedObjectId);
+Console.WriteLine("Key signed tenant ID: {0}", key.SignedTenantId);
 Console.WriteLine("Key signed service: {0}", key.SignedService);
 Console.WriteLine("Key signed version: {0}", key.SignedVersion);
 ```
@@ -109,18 +114,23 @@ Console.WriteLine("Key signed version: {0}", key.SignedVersion);
 The following code snippet shows create a new [BlobSasBuilder](/dotnet/api/azure.storage.sas.blobsasbuilder) and provide the parameters for the user delegation SAS. The snippet then calls the [ToSasQueryParameters](/dotnet/api/azure.storage.sas.blobsasbuilder.tosasqueryparameters) to get the SAS token string. Finally, the code builds the complete URI, including the resource address and SAS token.
 
 ```csharp
-BlobSasBuilder builder = new BlobSasBuilder()
+// Create a SAS token that's valid for one hour.
+BlobSasBuilder sasBuilder = new BlobSasBuilder()
 {
-    ContainerName = containerName,
+    BlobContainerName = containerName,
     BlobName = blobName,
-    Permissions = "r",
     Resource = "b",
-    StartTime = DateTimeOffset.UtcNow,
-    ExpiryTime = DateTimeOffset.UtcNow.AddMinutes(5)
+    StartsOn = DateTimeOffset.UtcNow,
+    ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
 };
 
+// Specify read permissions for the SAS.
+sasBuilder.SetPermissions(BlobSasPermissions.Read);
+
+// Use the key to get the SAS token.
 string sasToken = sasBuilder.ToSasQueryParameters(key, accountName).ToString();
 
+// Construct the full URI, including the SAS token.
 UriBuilder fullUri = new UriBuilder()
 {
     Scheme = "https",
@@ -145,30 +155,33 @@ async static Task<Uri> GetUserDelegationSasBlob(string accountName, string conta
                                                             new DefaultAzureCredential());
 
     // Get a user delegation key for the Blob service that's valid for seven days.
-    // Use the key to generate any number of shared access signatures over the lifetime of the key.
-    UserDelegationKey key = await blobClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow,
-                                                                       DateTimeOffset.UtcNow.AddDays(7));
+    // You can use the key to generate any number of shared access signatures over the lifetime of the key.
+    UserDelegationKey key = await blobClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow, 
+                                                                        DateTimeOffset.UtcNow.AddDays(7));
 
     // Read the key's properties.
     Console.WriteLine("User delegation key properties:");
-    Console.WriteLine("Key signed start: {0}", key.SignedStart);
-    Console.WriteLine("Key signed expiry: {0}", key.SignedExpiry);
-    Console.WriteLine("Key signed object ID: {0}", key.SignedOid);
-    Console.WriteLine("Key signed tenant ID: {0}", key.SignedTid);
+    Console.WriteLine("Key signed start: {0}", key.SignedStartsOn);
+    Console.WriteLine("Key signed expiry: {0}", key.SignedExpiresOn);
+    Console.WriteLine("Key signed object ID: {0}", key.SignedObjectId);
+    Console.WriteLine("Key signed tenant ID: {0}", key.SignedTenantId);
     Console.WriteLine("Key signed service: {0}", key.SignedService);
     Console.WriteLine("Key signed version: {0}", key.SignedVersion);
+    Console.WriteLine();
 
-    // Create a SAS token that's valid a short interval.
+    // Create a SAS token that's valid for one hour.
     BlobSasBuilder sasBuilder = new BlobSasBuilder()
     {
-        ContainerName = containerName,
+        BlobContainerName = containerName,
         BlobName = blobName,
-        Permissions = "r",
         Resource = "b",
-        StartTime = DateTimeOffset.UtcNow,
-        ExpiryTime = DateTimeOffset.UtcNow.AddMinutes(5)
+        StartsOn = DateTimeOffset.UtcNow,
+        ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
     };
 
+    // Specify read permissions for the SAS.
+    sasBuilder.SetPermissions(BlobSasPermissions.Read);
+
     // Use the key to get the SAS token.
     string sasToken = sasBuilder.ToSasQueryParameters(key, accountName).ToString();
 
@@ -182,6 +195,7 @@ async static Task<Uri> GetUserDelegationSasBlob(string accountName, string conta
     };
 
     Console.WriteLine("User delegation SAS URI: {0}", fullUri);
+    Console.WriteLine();
     return fullUri.Uri;
 }
 ```
@@ -216,7 +230,7 @@ private static async Task ReadBlobWithSasAsync(Uri sasUri)
         Console.WriteLine("Read operation succeeded for SAS {0}", sasUri);
         Console.WriteLine();
     }
-    catch (StorageRequestFailedException e)
+    catch (RequestFailedException e)
     {
         // Check for a 403 (Forbidden) error. If the SAS is invalid, 
         // Azure Storage returns this error.
diff --git a/docfx.json b/docfx.json
@@ -408,6 +408,8 @@
         "articles/backup/**/*.md": "carmonm",
         "articles/site-recovery/**/*.md": "carmonm",
         "articles/migrate/**/*.md": "carmonm",
+        "articles/virtual-machines/**/*.md": "gwallace",
+        "articles/virtual-machine-scale-sets/**/*.md": "gwallace",
         "articles/notebooks/*.md": "barbkess"
       },
       "ms.author": {
@@ -437,6 +439,10 @@
         "articles/dev-spaces/**/*.md": "zarhoads",
         "articles/site-recovery/*.md": "raynew",
         "articles/migrate/*.md": "raynew",
+        "articles/virtual-machines/linux/*.md": "cynthn",
+        "articles/virtual-machines/windows/*.md": "cynthn",
+        "articles/virtual-machines/*.md": "cynthn",
+        "articles/virtual-machines-scale-sets/*.md": "jushiman",
         "articles/notebooks/*.md": "kraigb"
       },
       "ms.service": {
@@ -460,6 +466,8 @@
         "articles/jenkins/**/*.md": "jenkins",
         "articles/terraform/**/*.md": "terraform",
         "articles/lighthouse/**/*.md": "lighthouse",
+        "articles/virtual-machines/*.md": "virtual-machines",
+        "articles/virtual-machine-scale-sets/*.md": "virtual-machine-scale-sets",
         "articles/azure-resource-manager/**/*.md": "azure-resource-manager",
         "articles/dev-spaces/**/*.md": "azure-dev-spaces",
         "articles/site-recovery/*.md": "site-recovery",
@@ -535,6 +543,10 @@
         "articles/app-service/scripts/*.yml": "Azure App Service",
         "articles/app-service/environment/*.md": "Azure App Service Environment",
         "articles/app-service/environment/*.yml": "Azure App Service Environment",
+        "articles/virtual-machines/*.md": "Azure Virtual Machines",
+        "articles/virtual-machines/*.yml": "Azure Virtual Machines",
+        "articles/virtual-machine-scale-sets/*.md": "Azure Virtual Machine Scale Sets",
+        "articles/virtual-machine-scale-sets/*.yml": "Azure Virtual Machine Scale Sets",
         "articles/app-service-mobile/**/*.md": "Azure Mobile Apps",
         "articles/app-service-mobile/**/*.yml": "Azure Mobile Apps"
       },
