From fda209887337cac32fd8b24f05b4582a67b53a46 Mon Sep 17 00:00:00 2001
From: Damon Barry
Date: Tue, 18 Jun 2024 18:40:22 -0700
Subject: [PATCH] Use AzureCLI task to download blob (#7310)
The nested test pipelines (ISA-95 smoke tests, Nested end-to-end tests, Connectivity tests) download a blob and use its contents as the basis for some cert operations related to IoT Edge. It seems like we should be generating these files at runtime, but for now we simply need to be able to access the blob storage account without using shared keys. This change embeds the `az storage blob download ...` command in the AzureCLI task so it has access to an identity via the service connection. Then it updates the command to authenticate using the available identity, rather than using a SAS token. To test, I disabled shared key access on the storage account, then I ran the ISA-95 smoke tests and confirmed that they're able to download the blob (and the tests pass). ## Azure IoT Edge PR checklist:
---
 builds/e2e/templates/nested-get-root-ca.yaml | 12 +++++++-----
 builds/e2e/templates/nested-get-secrets.yaml | 1 -
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/builds/e2e/templates/nested-get-root-ca.yaml b/builds/e2e/templates/nested-get-root-ca.yaml
index d0dd93ec2cf..04bcdbccce2 100644
--- a/builds/e2e/templates/nested-get-root-ca.yaml
+++ b/builds/e2e/templates/nested-get-root-ca.yaml
@@ -1,11 +1,13 @@
 steps:
- - task: Bash@3
- displayName: 'Get rootCA'
+ - task: AzureCLI@2
 condition: or(eq(variables['run.flag'], ''), eq(variables['run.flag'], 1))
+ displayName: 'Get rootCA'
 inputs:
- targetType: inline
- script: |
- az storage blob download --file rootCA.tar.bz2 --container-name test-certificates --name test-certs.tar.bz2 --connection-string "$(edgebuild-blob-core-connection-string)"
+ azureSubscription: 'IoTEdge1-msazure'
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ az storage blob download --auth-mode login --blob-url 'https://edgebuild.blob.core.windows.net/test-certificates/test-certs.tar.bz2' --file rootCA.tar.bz2
 tar -xjvf rootCA.tar.bz2
 #delete previous certs.
diff --git a/builds/e2e/templates/nested-get-secrets.yaml b/builds/e2e/templates/nested-get-secrets.yaml
index 067b306e0dc..a73090e7ace 100644
--- a/builds/e2e/templates/nested-get-secrets.yaml
+++ b/builds/e2e/templates/nested-get-secrets.yaml
@@ -13,7 +13,6 @@ steps:
 EdgeConnectivityStorageAccountConnString,
 EdgeLonghaulStorageAccountConnString,
 GitHubAccessToken,
- edgebuild-blob-core-connection-string,
 edgebuild-service-principal-secret,
 - task: AzureKeyVault@1
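Review bot: In the nested-get-root-ca.yaml hunk, the new `inlineScript` starts directly with `az storage blob download --auth-mode login ...` and has no fail-fast setting, so a refused download (for example because the service connection's identity lacks a data-plane read role on the storage account) is not guaranteed to stop the step before `tar -xjvf rootCA.tar.bz2` and the cert steps that follow. I would add `set -euo pipefail` as the first line of the inline script, so the task fails at the download instead of possibly continuing with a missing archive, or with one left over from an earlier run if agents keep their working directory. A short comment above the task would also help, e.g. `# IoTEdge1-msazure identity needs Storage Blob Data Reader on the test-certificates container; shared-key access is not used`. The script continues past the end of the hunk, so later lines may already handle some of this.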