Azure · fahlmant · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025
@@ -143,5 +143,5 @@ func deploy(ctx context.Context, log *logrus.Entry) error {
 
 	// Must be last step so we can be sure there are no RPs at older versions
 	// still serving
-	return deployer.SaveVersion(ctx)
+	return deployer.SaveVersion(ctx, tokenCredential)
 }
@@ -36,7 +36,7 @@ type Deployer interface {
 	DeployGateway(context.Context) error
 	UpgradeRP(context.Context) error
 	UpgradeGateway(context.Context) error
-	SaveVersion(context.Context) error
+	SaveVersion(context.Context, azcore.TokenCredential) error
 }
 
 type deployer struct {

@@ -1525,6 +1525,7 @@ func (g *generator) rpVersionStorageAccount() []*arm.Resource {
 			&mgmtstorage.AccountProperties{
 				AllowBlobPublicAccess: to.BoolPtr(false),
 				MinimumTLSVersion:     mgmtstorage.MinimumTLSVersionTLS12,
+				AllowSharedKeyAccess:  to.BoolPtr(false),
 			},
 			map[string]*string{},
 		),
@@ -1535,5 +1536,12 @@ func (g *generator) rpVersionStorageAccount() []*arm.Resource {
 			storageAccountName,
 			fmt.Sprintf("concat(%s, '/Microsoft.Authorization/', guid(resourceId('%s', %s)))", storageAccountName, resourceTypeStorageAccount, storageAccountName),
 		),
+		rbac.ResourceRoleAssignmentWithName(
+			rbac.RoleStorageBlobDataContributor,
+			"parameters('globalDevopsServicePrincipalId')",
+			resourceTypeStorageAccount,
+			storageAccountName,
+			fmt.Sprintf("concat(%s, '/Microsoft.Authorization/', guid(resourceId('%s', %s)))", storageAccountName, resourceTypeStorageAccount, storageAccountName),
+		),
 	}
 }
@@ -6,36 +6,21 @@ package deploy
 import (
 	"context"
 	"fmt"
-	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
-	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
-	"github.com/Azure/go-autorest/autorest/date"
 
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azblob"
 	"github.com/Azure/ARO-RP/pkg/util/pointerutils"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 )
 
 // SaveVersion for current location in shared storage account for environment
-func (d *deployer) SaveVersion(ctx context.Context) error {
+func (d *deployer) SaveVersion(ctx context.Context, tokenCredential azcore.TokenCredential) error {
 	d.log.Printf("saving RP version %s deployed in %s to storage account %s", d.version, d.config.Location, *d.config.Configuration.RPVersionStorageAccountName)
-	t := time.Now().UTC().Truncate(time.Second)
-	res, err := d.globalaccounts.ListAccountSAS(
-		ctx, *d.config.Configuration.GlobalResourceGroupName, *d.config.Configuration.RPVersionStorageAccountName, mgmtstorage.AccountSasParameters{
-			Services:               mgmtstorage.ServicesB,
-			ResourceTypes:          mgmtstorage.SignedResourceTypesO + mgmtstorage.SignedResourceTypesS,
-			Permissions:            mgmtstorage.PermissionsC + mgmtstorage.PermissionsW, // create and write
-			Protocols:              mgmtstorage.HTTPProtocolHTTPS,
-			SharedAccessStartTime:  &date.Time{Time: t},
-			SharedAccessExpiryTime: &date.Time{Time: t.Add(24 * time.Hour)},
-		})
-	if err != nil {
-		return err
-	}
 
 	d.log.Infof("instantiating blobs client using SAS token")
-	sasUrl := fmt.Sprintf("https://%s.blob.%s/?%s", *d.config.Configuration.RPVersionStorageAccountName, d.env.Environment().StorageEndpointSuffix, *res.AccountSasToken)
-	blobsClient, err := azblob.NewBlobsClientUsingSAS(sasUrl, d.env.Environment().ArmClientOptions())
+	serviceUrl := fmt.Sprintf("https://%s.blob.%s", *d.config.Configuration.RPVersionStorageAccountName, d.env.Environment().StorageEndpointSuffix)
+	blobsClient, err := azblob.NewBlobsClientUsingEntra(serviceUrl, tokenCredential, d.env.Environment().ArmClientOptions())
 	if err != nil {
 		d.log.Errorf("failure to instantiate blobs client using SAS: %v", err)
 		return err