Synchronize Azure storage account IP ACL with Azure service IPs.
Azure authentication is handled by the azidentity package with DefaultAzureCredential. The easiest way to authenticate is using the following environment variables:
Service principal with secret
AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.
Service principal with certificate
AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_CERTIFICATE_PATH and AZURE_CLIENT_CERTIFICATE_PASSWORD.
Username and password
AZURE_CLIENT_ID, AZURE_USERNAME and AZURE_PASSWORD.
Microsoft.Network/locations/*/serviceTags/readaction on the subscription to retrieve the service IPs.- Writing properties on the configured storage account to update its IP ACL.
Custom role for reading service tags
{
"Name": "Service Tag Reader",
"IsCustom": true,
"Description": "List service tags and their respective IPs.",
"Actions": [
"Microsoft.Network/locations/*/serviceTags/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId}"
]
}| Flag | Environment variable | Default | Description |
|---|---|---|---|
--subscription-id |
AZURE_SUBSCRIPTION_ID |
- | Azure subscription ID. |
--services |
AZURE_SERVICES |
AzureFrontDoor.Backend |
Azure services to retrieve IPs from. |
--location |
AZURE_LOCATION |
westus |
Azure location to retrieve IPs for. |
--resource-group |
AZURE_RESOURCE_GROUP |
- | Storage account resource group. |
--storage-account |
AZURE_STORAGE_ACCOUNT |
- | Storage account name. |
--extra-allow-rules |
EXTRA_ALLOW_RULES |
168.63.129.16 169.254.169.254 |
Additional allow IP rules. |
--extra-deny-rules |
EXTRA_DENY_RULES |
- | Additional deny IP rules. |
--dry-run |
DRY_RUN |
false |
Only print the IP rules that would be applied. |
The two IP addresses allowed by default are documented here.