Protecting scripts using SAS tokens

In the previous example, the PowerShell script could be downloaded by anyone who possessed its URL. This is not an ideal situation from a security standpoint: the scripts should be accessible and downloadable only by authorized users. Fortunately, the content of an Azure Storage account can be protected by changing its access policy from anonymous access to private access. In that case, a special token, a shared access signature (SAS), is needed to access the contents of the storage container, as shown in the following screenshot:

A SAS token can be generated for any storage account, granting only the permissions required for a particular time period, and it can also be used in ARM templates to download Custom Script Extensions and PowerShell scripts, as shown in the following screenshot:

The code file WindowsVirtualMachine-Protected.json shows the usage of a SAS token within the CustomScriptExtension resource.

The only difference between this example and the previous one is the use of a SAS token, appended to the script URL, to access the PowerShell script stored in a protected Azure storage account, as shown in the following snippet:

{
  "name": "firstCustomScriptExtension",
  "type": "extensions",
  "location": "[resourceGroup().location]",
  "apiVersion": "2016-03-30",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
  ],
  "tags": {
    "displayName": "firstCustomScriptExtension"
  },
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.4",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "fileUris": [
        "[concat(parameters('storageAccountName'), '/', variables('firstCustomScriptExtensionScriptStorageContainer'), '/', variables('firstCustomScriptExtensionScriptFileName'), parameters('_artifactsLocationSasToken'))]"
      ],
      "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ', variables('firstCustomScriptExtensionScriptFileName'), ' -featureName web-server -serviceName w3svc')]"
    }
  }
}
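The following PowerShell is an added example, not part of the book's template or project files: it issues a short-lived, read-only container SAS with the Az modules and passes it to the deployment as the _artifactsLocationSasToken parameter that the fileUris expression above appends to the script URL. The resource group, account and container names are placeholders, and it assumes the template's storageAccountName parameter holds the account's blob endpoint URL (which the concat in fileUris needs to form a resolvable URL) and that _artifactsLocationSasToken is declared as a securestring parameter.

```powershell
# Added example, not the book's code. Placeholder names below; adjust to your environment.
$resourceGroup  = 'rg-scripts'                 # placeholder
$storageAccount = 'stscriptsexample'           # placeholder
$container      = 'scripts'                    # placeholder, must match the template's container variable
$templateFile   = '.\WindowsVirtualMachine-Protected.json'

# Build a storage context from an account key (needs key-listing rights on the account).
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $key

# Least privilege: read-only ('r'), scoped to one container, HTTPS only, valid for one hour.
# Back-dating the start by a few minutes absorbs clock skew between client, VM and Azure.
$sas = New-AzStorageContainerSASToken -Name $container -Context $ctx `
        -Permission r `
        -Protocol HttpsOnly `
        -StartTime (Get-Date).AddMinutes(-5) `
        -ExpiryTime (Get-Date).AddHours(1)

# Az.Storage versions differ on whether the returned token starts with '?'; the template
# concatenates it directly after the file name, so normalise it here.
if (-not $sas.StartsWith('?')) { $sas = '?' + $sas }

# Pass the token as a SecureString so it is not echoed in deployment output or logs
# (assumes _artifactsLocationSasToken is declared as "securestring" in the template).
$params = @{
    storageAccountName         = "https://$storageAccount.blob.core.windows.net"   # assumption: blob endpoint URL
    _artifactsLocationSasToken = (ConvertTo-SecureString $sas -AsPlainText -Force)
}

New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateFile $templateFile -TemplateParameterObject $params
```

If the deploying identity has Azure AD data-plane rights on the account, creating the context with New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount lets the same cmdlet issue a user-delegation SAS, so no account key needs to be retrieved at all.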