azure-storage-acl-sync
Synchronize an Azure storage account's IP ACL (its firewall IP rules) with the published IP ranges of Azure service tags.
Authentication
Azure authentication is handled by the azidentity package with DefaultAzureCredential. The easiest way to authenticate is to set one of the following groups of environment variables:
- Service principal with secret: AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.
- Service principal with certificate: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_CERTIFICATE_PATH and AZURE_CLIENT_CERTIFICATE_PASSWORD.
- Username and password: AZURE_CLIENT_ID, AZURE_USERNAME and AZURE_PASSWORD.
When none of these variables are set, DefaultAzureCredential falls through to the other sources it chains, such as a managed identity or an existing Azure CLI login. Prefer a certificate or a managed identity over a client secret, and avoid the username and password flow where you can: it hands a user's password to the tool, cannot satisfy multi-factor authentication, and fails for accounts that require it.
Permissions
The identity the tool runs as needs:
- Microsoft.Network/locations/*/serviceTags/read on the subscription, to retrieve the service tag IP ranges.
- Write access to the configured storage account, to read its current IP ACL and update it: the Microsoft.Storage/storageAccounts/read and Microsoft.Storage/storageAccounts/write actions. The built-in Storage Account Contributor role grants these, but it also grants Microsoft.Storage/storageAccounts/listkeys/action, which exposes the account keys; a custom role scoped to the storage account with only the two actions above is the least-privilege choice.
Custom role for reading service tags
{
  "Name": "Service Tag Reader",
  "IsCustom": true,
  "Description": "List service tags and their respective IPs.",
  "Actions": [
    "Microsoft.Network/locations/*/serviceTags/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
Options
| Flag | Environment variable | Default | Description |
|---|---|---|---|
| --subscription-id | AZURE_SUBSCRIPTION_ID | - | Azure subscription ID. |
| --services | AZURE_SERVICES | AzureFrontDoor.Backend | Azure service tags whose IP ranges are allowed. |
| --location | AZURE_LOCATION | westus | Azure location passed to the Service Tags API. It selects the reference version of the tag list, not a regional filter: the response contains every tag across all regions of the subscription's cloud. |
| --resource-group | AZURE_RESOURCE_GROUP | - | Storage account resource group. |
| --storage-account | AZURE_STORAGE_ACCOUNT | - | Storage account name. |
| --extra-allow-rules | EXTRA_ALLOW_RULES | 168.63.129.16 169.254.169.254 | Additional allow IP rules. |
| --extra-deny-rules | EXTRA_DENY_RULES | - | Additional deny IP rules. |
| --dry-run | DRY_RUN | false | Only print the IP rules that would be applied; nothing is written to the storage account. |

The two IP addresses allowed by default are Azure platform addresses: 168.63.129.16 is the virtual public IP that Azure platform services (health probes, DNS, DHCP) use, and 169.254.169.254 is the Instance Metadata Service endpoint. Both are described in the Azure networking documentation.

Two caveats when choosing the services to allow. A service tag's ranges are shared by every customer of that service, so allowing AzureFrontDoor.Backend admits requests from any Front Door profile, not only yours; treat the ACL as a network-layer filter and keep an application-layer check in front of the data. And the ranges behind a tag change over time, so run the tool on a schedule, and run it with --dry-run first to review what would be added and removed.
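The synchronization the tool performs, as an added example that is not the project's own code: it parses a constructed Service Tags API response (documentation IP ranges, not real Azure prefixes), normalizes the prefixes into values an Azure Storage IP rule accepts, merges the extra allow and deny values with the defaults from the table above, and computes the add/remove set a dry run would report. The function names, the sample data and the deny-as-exclusion semantics are assumptions of this example; the tool's own CLI parsing and Azure API calls are not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// Constructed sample in the shape of a Service Tags API response; the prefixes are
// RFC 5737 / RFC 3849 documentation ranges, not real Azure addresses.
const sampleServiceTags = `{"values": [
 {"name": "AzureFrontDoor.Backend", "properties": {"addressPrefixes":
  ["192.0.2.0/28", "192.0.2.77/32", "198.51.100.8/31", "2001:db8::/48"]}},
 {"name": "AzureFrontDoor.Frontend", "properties": {"addressPrefixes": ["203.0.113.0/24"]}}]}`

type serviceTagList struct {
	Values []struct {
		Name       string `json:"name"`
		Properties struct {
			AddressPrefixes []string `json:"addressPrefixes"`
		} `json:"properties"`
	} `json:"values"`
}

// PrefixesFor returns the address prefixes of the requested service tags. A tag that
// is missing from the response is an error: an empty result must never become the ACL.
func PrefixesFor(body []byte, services []string) ([]string, error) {
	var list serviceTagList
	if err := json.Unmarshal(body, &list); err != nil {
		return nil, err
	}
	byName := map[string][]string{}
	for _, v := range list.Values {
		byName[v.Name] = v.Properties.AddressPrefixes
	}
	var out []string
	for _, s := range services {
		if _, ok := byName[s]; !ok {
			return nil, fmt.Errorf("service tag %q not in response", s)
		}
		out = append(out, byName[s]...)
	}
	return out, nil
}

// NormalizeIPv4 rewrites prefixes into values a storage account IP rule accepts:
// IPv6 is dropped (IP rules are IPv4 only), a /32 becomes a bare address and a /31
// becomes its two addresses, because the firewall rejects /31 and /32 in CIDR form.
func NormalizeIPv4(prefixes []string) ([]string, error) {
	var out []string
	for _, p := range prefixes {
		if net.ParseIP(p) != nil {
			p += "/32" // bare address (a bare IPv6 address still parses and is dropped below)
		}
		_, n, err := net.ParseCIDR(p)
		if err != nil {
			return nil, err
		}
		ip4 := n.IP.To4()
		if ip4 == nil {
			continue
		}
		switch ones, _ := n.Mask.Size(); ones {
		case 32:
			out = append(out, ip4.String())
		case 31: // the network address of a /31 is even, so +1 cannot overflow
			out = append(out, ip4.String(), net.IP{ip4[0], ip4[1], ip4[2], ip4[3] + 1}.String())
		default:
			out = append(out, n.String())
		}
	}
	return out, nil
}

// DesiredRules merges the service tag prefixes with the extra allow values and then
// removes the extra deny values. Storage account IP rules only have an Allow action,
// so a deny is modelled as the exclusion of an exactly matching allow entry; a deny
// inside a wider allow range (one host out of a /28) cannot be expressed this way.
func DesiredRules(servicePrefixes, extraAllow, extraDeny []string) ([]string, error) {
	allow, err := NormalizeIPv4(append(append([]string{}, servicePrefixes...), extraAllow...))
	if err != nil {
		return nil, err
	}
	deny, err := NormalizeIPv4(extraDeny)
	if err != nil {
		return nil, err
	}
	return Missing(allow, deny), nil
}

// Missing returns the sorted, deduplicated values of from that are not in in.
// Missing(desired, current) is what a sync would add and Missing(current, desired)
// what it would remove; with --dry-run that pair is all that gets reported.
func Missing(from, in []string) []string {
	set := map[string]bool{}
	for _, v := range in {
		set[v] = true
	}
	out := []string{}
	for _, v := range from {
		if !set[v] {
			set[v] = true
			out = append(out, v)
		}
	}
	sort.Strings(out)
	return out
}
```

With the sample above, `DesiredRules(prefixes, []string{"168.63.129.16", "169.254.169.254"}, []string{"198.51.100.9"})` yields the two platform addresses, `192.0.2.0/28`, `192.0.2.77` and `198.51.100.8`: the IPv6 prefix is gone, the /32 became a bare address, and the /31 was split so that the deny could remove one of its two hosts. Review the `Missing` output for both directions before a real run, since a removal of a range you still depend on is as damaging as an unwanted addition.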