
Cannot use storage account if "Allow storage account key access" is disabled

Open vilisseranen opened this issue 1 year ago • 1 comments

Jenkins and plugins versions report

Environment
Azure VM Agents Version 883.v63c930b_025dc
Azure SDK API Plugin Version 132.v62b_48eb_6f32f
Azure Credentials Version 293.vb_d506148f506

What Operating System are you using (both controller, and any agents involved in the problem)?

Controller runs in Docker on Linux, agents are configured to use Windows

Reproduction steps

  1. Create a VM template using an existing storage account which has "Allow storage account key access" set to disabled
  2. Start a pipeline using a node with a matching label

Expected Results

A VM is created. A container named "jenkinsconfig" should be visible in the storage account containers.

Actual Results

The provisioning of the VM fails with:

com.azure.storage.blob.models.BlobStorageException: If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.
If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.
Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.
Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>KeyBasedAuthenticationNotPermitted</Code><Message>Key based authentication is not permitted on this storage account.

Anything else?

The documentation does not specify if Shared Access Keys are required for the plugin. The plugin uses a role which has appropriate RBAC permissions but the plugin does not seem to use it, only shared access keys. Is there a way to configure it to use RBAC instead?

vilisseranen, Nov 02 '23 15:11
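
The two authentication modes discussed in this issue, shown side by side with the Azure SDK for Java. This is an added example, not part of the original report and not code from azure-vm-agents-plugin. It assumes the public-cloud blob endpoint, the hypothetical environment variables `STORAGE_ACCOUNT` and `STORAGE_KEY`, and an identity that `DefaultAzureCredential` can resolve and that holds a blob data-plane role on the account.

```java
// Added illustration; not the plugin's implementation.
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import com.azure.storage.blob.models.BlobStorageException;
import com.azure.storage.common.StorageSharedKeyCredential;

public class StorageAuthModes {
    // Container name taken from the issue's "Expected Results".
    static final String CONTAINER = "jenkinsconfig";

    // Shared Key: every request is signed with the account key. This is the
    // mode the account rejects when "Allow storage account key access" is off.
    static BlobServiceClient sharedKeyClient(String endpoint, String account, String key) {
        return new BlobServiceClientBuilder()
                .endpoint(endpoint)
                .credential(new StorageSharedKeyCredential(account, key))
                .buildClient();
    }

    // Token credential: requests carry an OAuth bearer token and are
    // authorized by the RBAC role assignments of the calling identity.
    static BlobServiceClient tokenClient(String endpoint) {
        return new BlobServiceClientBuilder()
                .endpoint(endpoint)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
    }

    // Creates the container if it is missing; on failure returns the HTTP
    // status and storage error code instead of throwing.
    static String tryEnsureContainer(BlobServiceClient client) {
        BlobContainerClient container = client.getBlobContainerClient(CONTAINER);
        try {
            if (!container.exists()) {
                container.create();
            }
            return "ok";
        } catch (BlobStorageException e) {
            return e.getStatusCode() + " " + e.getErrorCode();
        }
    }

    public static void main(String[] args) {
        String account = System.getenv("STORAGE_ACCOUNT"); // hypothetical variable name
        String key = System.getenv("STORAGE_KEY");         // hypothetical variable name
        String endpoint = "https://" + account + ".blob.core.windows.net"; // assumed public cloud
        System.out.println("shared key: " + tryEnsureContainer(sharedKeyClient(endpoint, account, key)));
        System.out.println("token:      " + tryEnsureContainer(tokenClient(endpoint)));
    }
}
```

Run against an account with key access disabled, the shared-key path is the one that surfaces the `KeyBasedAuthenticationNotPermitted` error quoted above, while the token path depends only on the identity's role assignments.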