
Creating SAS token with ARM template: error InvalidValuesForRequestParameters


I am trying to generate a SAS token from an ARM template, to allow my template to subsequently access resources in a blob storage (including linked templates). The SAS token is supposed to be stored in a vault I'm also creating in this template. The storage account exists independently (in another RG).

However, I get the following error:

    {
          "code": "InvalidValuesForRequestParameters",
          "message": "Values for request parameters are invalid: signedPermission,signedExpiry,signedResourceTypes,signedServices."
     }

My template had this variable and line to generate the SAS token:

        "variables": {
            "vaultName": "[concat('hpc',uniqueString(resourceGroup().id, parameters('keyVaultName')))]",
            "accountSasProperties": {
                "type": "object",
                "defaultValue": {
                    "signedServices": "fb",
                    "signedPermission": "rwdlacup",
                    "signedExpiry": "2021-11-30T00:00:00Z",
                    "signedResourceTypes": "co"
                }
            }
        },
    (...)
          {
                "apiVersion": "2018-02-14",
                "type": "Microsoft.KeyVault/vaults/secrets",
                "dependsOn": [
                    "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
                ],
                "name": "[concat(variables('vaultName'), '/', 'StorageSaSToken')]",
                "properties": {
                    "value": "[listAccountSas(resourceId(parameters('StorageAccountRg'),'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-07-01', variables('accountSasProperties')).accountSasToken]"
                }
            }

I tried several variations of the parameters, but could not find what's wrong, and the error is not really helping. I tried (among other things):

  • removing the 'signed' in front of the parameters (services instead of signedServices)
  • various combinations of services, resource types and permission
  • various times (shorter, longer...)

Solution

  • Found the issue with the help of @jim-xu's answer, and it's the worst kind of solution: the stupid mistake.

    I switched "accountSasProperties" from parameters to variables, and in the process, I forgot to remove the "defaultValue" and put the value directly under "accountSasProperties". The correct syntax for a variable in my case:

        "accountSasProperties": {
            "signedServices": "fb",
            "signedPermission": "rwdlacup",
            "signedExpiry": "2021-11-30T00:00:00Z",
            "signedResourceTypes": "co"
        }
    

    I incidentally also removed the object type, as pointed out by @jim-xu in his answer.
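
A pre-deployment check for the mistake described in this answer, as an added example that is not part of the original post: it inspects a template variable before it is passed to `listAccountSas` and reports leftover parameter-definition keys, missing SAS fields and invalid letters. The function name `check_sas_variable` and the sample templates are constructed for illustration, and the expiry check is an assumption that accepts only the UTC form used on this page.

```python
from datetime import datetime

# Letters accepted in each account SAS field (services, permissions, resource types)
ALLOWED = {
    "signedServices": set("bqtf"),
    "signedPermission": set("rwdlacup"),
    "signedResourceTypes": set("sco"),
}
REQUIRED = set(ALLOWED) | {"signedExpiry"}


def check_sas_variable(template, name):
    """Return a list of problems with variables[name] as a listAccountSas argument."""
    value = template.get("variables", {}).get(name)
    if not isinstance(value, dict):
        return [f"variables.{name} is missing or not an object"]
    problems = []
    # Keys that belong to a parameter definition: inside a variable they push
    # the real SAS fields one level down, so the request sees none of them.
    wrapper = sorted({"type", "defaultValue"} & set(value))
    if wrapper:
        problems.append(f"parameter-style keys in variable: {', '.join(wrapper)}")
    for field in sorted(REQUIRED - set(value)):
        problems.append(f"missing {field}")
    for field, allowed in ALLOWED.items():
        bad = set(str(value.get(field, ""))) - allowed
        if bad:
            problems.append(f"{field} has invalid characters: {''.join(sorted(bad))}")
    expiry = value.get("signedExpiry")
    if expiry is not None:
        try:  # assumption: only the YYYY-MM-DDThh:mm:ssZ form is accepted here
            datetime.strptime(str(expiry), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("signedExpiry is not in the form YYYY-MM-DDThh:mm:ssZ")
    return problems


# Constructed inputs: the variable as written in the question and as fixed in the answer
SAS = {"signedServices": "fb", "signedPermission": "rwdlacup",
       "signedExpiry": "2021-11-30T00:00:00Z", "signedResourceTypes": "co"}
BROKEN = {"variables": {"accountSasProperties": {"type": "object", "defaultValue": SAS}}}
FIXED = {"variables": {"accountSasProperties": SAS}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_sas_variable(tpl, "accountSasProperties"))
```

For the broken variable the check reports all four `signed*` fields as missing, the same four names listed in the `InvalidValuesForRequestParameters` message.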