Commit b43b9f8

Update 5-access-package.md
1 parent 762fdfc commit b43b9f8

1 file changed

+5
-2
lines changed

articles/governance/machine-configuration/how-to/develop-custom-package/5-access-package.md

Lines changed: 5 additions & 2 deletions
@@ -8,6 +8,7 @@ ms.custom: devx-track-azurepowershell
88

99
# How to provide secure access to custom machine configuration packages
1010
This page provides a guide on how to provide access to Machine Configuration packages stored in Azure storage by using the resource ID of a user-assigned managed identity or a Shared Access Signature (SAS) token.
11+
1112
## Prerequisites
1213
- Azure subscription
1314
- Azure Storage account with the Machine Configuration package
@@ -18,7 +19,7 @@ This page provides a guide on how to provide access to Machine Configuration pac
1819
> [!IMPORTANT]
1920
> Please note that, unlike Azure VMs, Arc-connected machines currently do not support User-Assigned Managed Identities.
2021
21-
You can grant private access to a machine configuration package in an Azure Storage blob by assigning a User-Assigned Identity to a scope of Azure VMs that you wish to apply the package to. For this to work, you need to grant the managed identity read access to the Azure storage blob. This involves assigning the “Storage Blob Data Reader” role to the identity at the scope of the blob container. This setup ensures that your Azure VMs can securely read from the specified blob container using the user-assigned managed identity.
22+
You can grant private access to a machine configuration package in an Azure Storage blob by assigning a [User-Assigned Identity][01] to a scope of Azure VMs that you wish to apply the package to. For this to work, you need to grant the managed identity read access to the Azure storage blob. This involves assigning the “Storage Blob Data Reader” role to the identity at the scope of the blob container. This setup ensures that your Azure VMs can securely read from the specified blob container using the user-assigned managed identity. You can assign a User Assigned Identity at scale in your server fleet using Azure Policy, learn more [here][02].
2223

2324
### Using a SAS Token
2425
While this next step is optional, you should add a shared access signature (SAS) token in the URL to ensure secure access to the package. The below example generates a blob SAS token with read access and returns the full blob URI with the shared access signature token. In this example, the token has a time limit of three years.
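
Review bot: The sentence added at the end of the managed identity paragraph says the identity can be assigned "at scale in your server fleet", but the IMPORTANT note directly above it states that Arc-connected machines do not support User-Assigned Managed Identities, so "server fleet" should be narrowed to Azure VMs to avoid implying Arc coverage. The same sentence is a comma splice with a non-descriptive link label ("learn more [here][02]"); split it into two sentences and use link text that names the target. The paragraph now carries three spellings ("User-Assigned Identity", "User Assigned Identity", "user-assigned managed identity"); pick one and use it throughout.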
@@ -46,5 +47,7 @@ By using the resource ID of a user-assigned managed identity or SAS token, you c
4647
- After creating the policy definition, you can assign it to the appropriate scope (e.g., management group, subscription, resource group) within your Azure environment.
4748
- Remember to monitor the policy compliance status and make any necessary adjustments to your Machine Configuration package or policy assignment to meet your organizational requirements.
4849

49-
50+
<!-- Reference link definitions -->
51+
[01]: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#using-user-assigned-identities-to-reduce-administration
52+
[02]: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy
5053
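
Review bot: Both reference definitions added at the end of the file hard-code the `/en-us/` locale segment in the learn.microsoft.com URL, which pins every reader to the English page; drop the segment so the link resolves in the reader's own locale. [01] also depends on a section anchor (`#using-user-assigned-identities-to-reduce-administration`) that stops pointing at the intended section if the target heading is ever renamed, so confirm the anchor is stable or link to the page itself.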
