[英]Automate App Service diagnostic logging to Storage
I'm trying to automate the process of configuring Azure App Service to export diagnostic logs to Azure Storage, but I'm running into something I don't quite understand. 我正在尝试自动化配置Azure应用服务以将诊断日志导出到Azure存储的过程,但是遇到了我不太了解的问题。 I can take the following steps to get it working.
我可以按照以下步骤操作。
Using Azure Resource Explorer , I navigate to the config/logs
resource and observe the JSON: 使用Azure Resource Explorer ,我导航到
config/logs
资源并观察JSON:
"applicationLogs": { ... "azureBlobStorage": { "level": "Information", "sasUrl": "https://<storagename>.blob.core.windows.net/<container>?sv=YYYY-MM-DD&sr=c&sig=<sig>&st=YYYY-MM-DDTHH:MM:SSZ&se=YYYY-MM-DDTHH:MM:SSZ&sp=rwdl", "retentionInDays": null } }, "httpLogs": { ... "azureBlobStorage": { "sasUrl": "https://<storagename>.blob.core.windows.net/<container>?sv=YYYY-MM-DD&sr=c&sig=<sig>&st=YYYY-MM-DDTHH:MM:SSZ&se=YYYY-MM-DDTHH:MM:SSZ&sp=rwdl", "retentionInDays": null, "enabled": true } },
sasUrl
values in an ARM template with a config/logs
resource, and everything still works. config/logs
资源在sasUrl
模板中对sasUrl
值进行硬编码,并且一切仍然可以进行。 I can verify this by first deleting the storage containers and disabling diagnostic logs, then redeploying the ARM template. After getting that working, I attempt to use the ARM template function listAccountSas
to generate a new SAS for the storage resource. 在完成该工作之后,我尝试使用ARM模板函数
listAccountSas
为存储资源生成一个新的SAS。 However, the resulting SAS has a slightly different format than the one I obtained from Azure Resource Explorer: sv=YYYY-MM-DD&ss=b&srt=s&sp=rwdl&st=YYYY-MM-DDTHH%3AMM%3ASS.0000000Z&se=YYYY-MM-DDTHH%3AMM%3ASS.0000000Z&spr=https&sig=<sig>
. 但是,生成的SAS格式与我从Azure资源浏览器获得的格式略有不同:
sv=YYYY-MM-DD&ss=b&srt=s&sp=rwdl&st=YYYY-MM-DDTHH%3AMM%3ASS.0000000Z&se=YYYY-MM-DDTHH%3AMM%3ASS.0000000Z&spr=https&sig=<sig>
。
So what's going on here. 所以这是怎么回事。 How is the portal generating the SAS?
门户如何生成SAS? Is the
listAccountSas
function generating a token that will work in its place? listAccountSas
函数是否listAccountSas
生成将在其位置工作的令牌? Is there even a way to automate this configuration? 甚至有一种方法可以自动执行此配置?
As far I known, the ARM template function listAccountSas only can list value, it can't create new vaule.And you can't create a sasToken within the template. 据我所知,ARM模板函数listAccountSas仅可以列出值,不能创建新值,也不能在模板内创建sasToken。 I suggest you use Powershell to create a sasToken, store it in Azure KeyVault, and refer that KeyVault secret in the template.
我建议您使用Powershell创建一个sasToken,将其存储在Azure KeyVault中,然后在模板中引用该KeyVault机密。 Regarding how to use cert in the template, please refer to the document .
关于如何在模板中使用证书,请参考文档 。
$name = "your account"
$password = "your password"
$RGname = "your resource group name"
$accountNmae ="your Storage Account name"
$containerNmae ="your container name"
$keyvaultNmae ="your Key Vault name"
$certName = "your cert name"
$location = ""
# login Azure
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Add-AzureRmAccount -Credential $mycreds
#create Azure storage SAS URL
$account = Get-AzureRmStorageAccount -ResourceGroupName $RGname -Name $accountNmae
$SASURL = New-AzureStorageContainerSASToken -Container $containerNmae -Context $account.Context -Permission rwdl -ExpiryTime (Get-Date).AddYears(1) -FullUri
#create key vault
New-AzureRmKeyVault -VaultName $keyVaultName -resourceGroupName $RGname -Location $location -EnabledForTemplateDeployment
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -UserPrincipalName $name -PermissionsToSecrets set,delete,get,list
#create cert
$secretvalue = ConvertTo-SecureString $SASURL -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $keyvaultNmae -Name "test" -SecretValue $secretvalue
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.