自动将App Service诊断日志记录到存储

Question

I'm trying to automate the process of configuring Azure App Service to export diagnostic logs to Azure Storage, but I'm running into something I don't quite understand. I can take the following steps to get it working.

1. I configure diagnostic logging in the Azure Portal, according to the documentation . Everything looks good. I can see the logs being populated in the storage containers.

2. Using Azure Resource Explorer , I navigate to the config/logs resource and observe the JSON:

    "applicationLogs": { ... "azureBlobStorage": { "level": "Information", "sasUrl": "https://<storagename>.blob.core.windows.net/<container>?sv=YYYY-MM-DD&sr=c&sig=<sig>&st=YYYY-MM-DDTHH:MM:SSZ&se=YYYY-MM-DDTHH:MM:SSZ&sp=rwdl", "retentionInDays": null } }, "httpLogs": { ... "azureBlobStorage": { "sasUrl": "https://<storagename>.blob.core.windows.net/<container>?sv=YYYY-MM-DD&sr=c&sig=<sig>&st=YYYY-MM-DDTHH:MM:SSZ&se=YYYY-MM-DDTHH:MM:SSZ&sp=rwdl", "retentionInDays": null, "enabled": true } }, 

3. I can then hard-code the sasUrl values in an ARM template with a config/logs resource, and everything still works. I can verify this by first deleting the storage containers and disabling diagnostic logs, then redeploying the ARM template.

After getting that working, I attempt to use the ARM template function listAccountSas to generate a new SAS for the storage resource. However, the resulting SAS has a slightly different format than the one I obtained from Azure Resource Explorer: sv=YYYY-MM-DD&ss=b&srt=s&sp=rwdl&st=YYYY-MM-DDTHH%3AMM%3ASS.0000000Z&se=YYYY-MM-DDTHH%3AMM%3ASS.0000000Z&spr=https&sig=<sig> .

So what's going on here. How is the portal generating the SAS? Is the listAccountSas function generating a token that will work in its place? Is there even a way to automate this configuration?

Answer 1

As far I known, the ARM template function listAccountSas only can list value, it can't create new vaule.And you can't create a sasToken within the template. I suggest you use Powershell to create a sasToken, store it in Azure KeyVault, and refer that KeyVault secret in the template. Regarding how to use cert in the template, please refer to the document .

$name = "your account"
$password = "your password"
$RGname = "your resource group name"
$accountNmae  ="your Storage Account name"
$containerNmae ="your container name"
$keyvaultNmae ="your Key Vault name"
$certName = "your cert name"
$location = ""

# login Azure 
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Add-AzureRmAccount -Credential $mycreds

#create Azure storage SAS URL
$account = Get-AzureRmStorageAccount -ResourceGroupName $RGname  -Name $accountNmae
$SASURL = New-AzureStorageContainerSASToken -Container $containerNmae -Context $account.Context -Permission rwdl -ExpiryTime (Get-Date).AddYears(1) -FullUri

#create key vault
New-AzureRmKeyVault -VaultName $keyVaultName -resourceGroupName $RGname -Location $location -EnabledForTemplateDeployment
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -UserPrincipalName $name -PermissionsToSecrets set,delete,get,list

#create cert
$secretvalue = ConvertTo-SecureString $SASURL -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $keyvaultNmae -Name "test" -SecretValue $secretvalue