Tags: azure, azure-rm-template, azure-container-instances, azure-files, access-keys

Mount Azure File Share on Azure Container with access key retrieval in ARM Template


I'm creating a file share and a container instance using an ARM template, and I need to mount the created file share to the container. I have the template below:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_GRS",
      "metadata": {
        "description": "Storage Account type"
      }
    },
    "storageAccountName": {
      "type": "string",
      "defaultValue": "[concat('storage', uniquestring(resourceGroup().id))]",
      "metadata": {
        "description": "Name of the Azure Storage account."
      }
    },
    "sharePrefix": {
      "type": "string",
      "defaultValue": "files",
      "metadata": {
        "description": "Specifies the prefix of the file share names."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    .....
  },
  "variables": {
    "ContainerGroupName": "[concat('my-cg',uniquestring(resourceGroup().id))]",
    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "ContainerName": "my-container"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "apiVersion": "2019-06-01",
      "location": "[parameters('location')]",
      "kind": "Storage",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
      "apiVersion": "2019-06-01",
      "name": "[concat(parameters('storageAccountName'), '/default/', parameters('sharePrefix'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ]
    },
    {
      "name": "[variables('ContainerGroupName')]",
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2018-10-01",
      "location": "[parameters('location')]",
      "properties": {
        "containers": [
          {
            "name": "[variables('ContainerName')]",
            "properties": {
              "image": "imageNameinACR",
              "resources": {
                "requests": {
                  "memoryInGB": 14,
                  "cpu": 4
                }
              },
              "volumeMounts": [
                {
                  "name": "filesharevolume",
                  "mountPath": "/app"
                }
              ]
            }
          }
        ],
        "imageRegistryCredentials": [
          ....
        ],
        "restartPolicy": "OnFailure",
        "osType": "Linux",
        "volumes": [
          {
            "name": "filesharevolume",
            "azureFile": {
              "shareName": "[concat(parameters('storageAccountName'), '/default/', parameters('sharePrefix'))]",
              "storageAccountName": "[parameters('storageAccountName')]",
              "storageAccountKey": "[listKeys(parameters('storageAccountName'), '2019-06-01').keys[0].value]"
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), 'default', parameters('sharePrefix'))]"
      ]
    }
  ],
  "outputs": {}
}

However, this is throwing the error

"error": { "code": "CannotAccessStorageAccount", "message": "The Azure storage account 'storage6x2un3wwsta6u' in volume 'filesharevolume' can't be accessed: 'The remote server returned an error: (400) Bad Request.'. This can be caused by incorrect Azure storage account key or Azure storage firewalls." }

I've also tried the resourceId to retrieve the secret like below, but it throws the same error.

"storageAccountKey": "[listKeys(variables('storageAccountId'), '2019-06-01').keys[0].value]"

Am I missing anything in the template? I referred to various samples that show this method to retrieve access keys in an ARM template.

In my DOCKERFILE for the container image, I'm running RUN MKDIR /App

Could there be an issue with the mount path? My assumption is that the fileshare will be mounted in this directory - /app/filesharevolume.


Solution

  • I don't see the definition of the variable storageAccountId, but the template function listKeys really works with the resource Id. So here is the code that works on my side:

    "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value]"
    

    And if the storage account is not in the same resource group as the container group, then you can add the resource group name of the storage account when you get the resource Id:

    "storageAccountKey": "[listKeys(resourceId(variables('resourceGroupName'), 'Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value]"
    

    Here is the example.

    Update:

    And there is a problem in the volumes of the container group. You need to change the file share name to this:

    "volumes": [
      {
        "name": "filesharevolume",
        "azureFile": {
          "shareName": "[parameters('sharePrefix')]",
          "storageAccountName": "[parameters('storageAccountName')]",
          "storageAccountKey": "[listKeys(parameters('storageAccountName'), '2019-06-01').keys[0].value]"
        }
      }
    ]
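
An added example, not part of the original question or answer: a pre-deployment check in Python that flags the mistake the update describes (an `azureFile` volume whose `shareName` is the `account/default/share` resource path instead of the bare share name) and, going slightly beyond the page, a storage key written into the template as a literal rather than resolved with `listKeys`. The sample template is constructed from the question's container group, and the function name is hypothetical.

```python
import json
import re

# Constructed sample: the question's container group, reduced to its volume definition.
SAMPLE_TEMPLATE = json.loads(r"""
{"resources": [{
  "type": "Microsoft.ContainerInstance/containerGroups",
  "properties": {"volumes": [{
    "name": "filesharevolume",
    "azureFile": {
      "shareName": "[concat(parameters('storageAccountName'), '/default/', parameters('sharePrefix'))]",
      "storageAccountName": "[parameters('storageAccountName')]",
      "storageAccountKey": "[listKeys(parameters('storageAccountName'), '2019-06-01').keys[0].value]"
    }
  }]}
}]}
""")

def lint_azure_file_volumes(template):
    """Return (volume name, finding) pairs for container-group azureFile volumes."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.containerinstance/containergroups":
            continue
        for vol in res.get("properties", {}).get("volumes", []):
            az = vol.get("azureFile")
            if not az:
                continue
            share = az.get("shareName", "")
            key = az.get("storageAccountKey", "")
            # In a template expression, inspect the quoted string literals;
            # otherwise inspect the plain value. A '/' means a path, not a share name.
            literals = re.findall(r"'([^']*)'", share) if share.startswith("[") else [share]
            if any("/" in lit for lit in literals):
                findings.append((vol["name"], "shareName is a resource path, not a bare share name"))
            # A key that is not a template expression is a secret stored in the template file.
            if key and not key.startswith("["):
                findings.append((vol["name"], "storageAccountKey is a hard-coded literal"))
    return findings

if __name__ == "__main__":
    for name, finding in lint_azure_file_volumes(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
```

Only top-level resources are inspected; container groups inside nested deployments are not covered by this check.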