Issue with SAS Token
Closed this issue · 3 comments
Describe the bug
I am having an issue when trying to use a sas_token for both the kustomize deployment yaml and the az aks kollect ... --sas-token
Another Question. Is it possible to have the blob storage be on different resource group and/or subscription-id from the cluster that it is collect information from?
To Reproduce
Above is the sas token that I have in the yaml as well as when I use it in az aks kollect.
after applying the yaml
I see that the pods are running for namespace aks-periscope
checking the logs on the win pod I see this issue
If I run az aks kollect with just the resource-group account-name and storage-account I do not encounter the auth issue.
Expected behavior
Screenshots
Desktop (please complete the following information):
Using windows 2019
periscope tag 0.0.11 (Can't download 0.0.12 from mcr)
Hi @sumicalbin - it should be possible to use a different subscription or resource group (at least with kustomize deployment, and I think with kollect too).
I can't see anything obviously wrong with the SAS. How're you generating it? I'm wondering if there's something wrong with the way we're building the URL from the account name and SAS. Could you try generating an account-level SAS from the Azure portal, like this:
...and then check the 'Blob Service SAS URL' field? Does the domain match that of the PUT URL that's failing in your screenshot with the authentication error?
Hi @peterbom, Thank you for the screenshot! I was creating the sas-token with azure cli az storage container generate-sas not sure what the problem was. This worked!
❤️🙏 Thank you so much @sumicalbin and @peterbom for collaborations around this, also in case there is any azurecli bug in place we could open one against the azure-cli for investigation, I am closing this issue for now, please loop back if anyone thinks otherwise. Thanks heaps.