Synchronize Azure storage account IP ACL with Azure service IPs.
Azure authentication is handled by the azidentity package's `DefaultAzureCredential`. The easiest way to authenticate is to set one of the following sets of environment variables:

- Service principal with secret: `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET`.
- Service principal with certificate: `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_CERTIFICATE_PATH` and `AZURE_CLIENT_CERTIFICATE_PASSWORD`.
- Username and password: `AZURE_CLIENT_ID`, `AZURE_USERNAME` and `AZURE_PASSWORD`.

When none of these variables is set, `DefaultAzureCredential` falls back to a workload identity, a managed identity or a logged-in Azure CLI session, which avoids storing any secret when the tool runs inside Azure. The username and password option uses a credential flow that cannot satisfy multi-factor authentication, so prefer a service principal or a managed identity for anything beyond local testing.
The identity used needs:

- The `Microsoft.Network/locations/*/serviceTags/read` action on the subscription to retrieve the service IPs.
- Write access to the configured storage account (the `Microsoft.Storage/storageAccounts/write` action) to update its IP ACL. There is no finer-grained action for network rules alone, so scope that assignment to the one storage account rather than the resource group or subscription.
Custom role for reading service tags
```json
{
  "Name": "Service Tag Reader",
  "IsCustom": true,
  "Description": "List service tags and their respective IPs.",
  "Actions": [
    "Microsoft.Network/locations/*/serviceTags/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
```
| Flag | Environment variable | Default | Description |
|---|---|---|---|
| `--subscription-id` | `AZURE_SUBSCRIPTION_ID` | - | Azure subscription ID. |
| `--services` | `AZURE_SERVICES` | `AzureFrontDoor.Backend` | Azure service tags to retrieve IPs from. |
| `--location` | `AZURE_LOCATION` | `westus` | Azure location to query the service tag API for. |
| `--resource-group` | `AZURE_RESOURCE_GROUP` | - | Storage account resource group. |
| `--storage-account` | `AZURE_STORAGE_ACCOUNT` | - | Storage account name. |
| `--extra-allow-rules` | `EXTRA_ALLOW_RULES` | `168.63.129.16 169.254.169.254` | Additional allow IP rules. |
| `--extra-deny-rules` | `EXTRA_DENY_RULES` | - | Additional deny IP rules. |
| `--dry-run` | `DRY_RUN` | `false` | Only print the IP rules that would be applied. |

The two IP addresses allowed by default are Azure platform addresses documented by Microsoft: 168.63.129.16 is the virtual public IP the Azure host uses for DHCP, DNS and load balancer health probes, and 169.254.169.254 is the Instance Metadata Service endpoint.

Service tag ranges are shared by every tenant's instance of that service, so allowing `AzureFrontDoor.Backend` admits traffic from any Front Door profile, not only yours; treat the resulting ACL as a coarse network filter, not as authentication. Run with `--dry-run` first and compare its output with the account's current rules before letting the tool write.
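The rule computation the flags above describe, as an added example that is not the project's own code. It uses only the Go standard library and takes a constructed document in the shape of the ARM `serviceTags` list response (`values[].name`, `values[].properties.addressPrefixes`) in place of the live API call, which the tool itself presumably makes through the Azure SDK (an assumption). It applies the constraints the storage firewall places on IP rules: public IPv4 only, with /31 and /32 prefixes expressed as individual addresses. The `--extra-deny-rules` entries are treated here as exclusions from the allow list, since storage account IP rules carry only an Allow action; how the tool interprets that flag is not stated above, so that is also an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// serviceTagList mirrors the shape of the ARM "list service tags" response
// (Microsoft.Network/locations/{location}/serviceTags): a "values" array whose
// entries carry the tag name and its address prefixes.
type serviceTagList struct {
	Values []struct {
		Name       string `json:"name"`
		Properties struct {
			AddressPrefixes []string `json:"addressPrefixes"`
		} `json:"properties"`
	} `json:"values"`
}

// sampleServiceTags is a constructed stand-in for the API response; the
// prefixes are documentation ranges, not real Front Door addresses.
const sampleServiceTags = `{"values":[
  {"name":"AzureFrontDoor.Backend","properties":{"addressPrefixes":[
     "203.0.113.0/24","198.51.100.8/31","192.0.2.77/32","2001:db8::/32"]}},
  {"name":"AzureCloud.westus","properties":{"addressPrefixes":["198.51.100.0/24"]}}
]}`

// prefixesFor returns the address prefixes of the requested service tags only.
func prefixesFor(raw []byte, services []string) ([]string, error) {
	var list serviceTagList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	want := map[string]bool{}
	for _, s := range services {
		want[s] = true
	}
	var out []string
	for _, v := range list.Values {
		if want[v.Name] {
			out = append(out, v.Properties.AddressPrefixes...)
		}
	}
	return out, nil
}

// normalize turns a prefix or address into the form the storage firewall
// accepts: IPv4 only, /31 and /32 expanded to individual addresses, any other
// CIDR kept as a masked range. IPv6 and unparsable entries are dropped.
func normalize(entry string) []string {
	if p, err := netip.ParsePrefix(entry); err == nil {
		if !p.Addr().Is4() {
			return nil
		}
		switch p.Bits() {
		case 32:
			return []string{p.Addr().String()}
		case 31:
			a := p.Masked().Addr()
			return []string{a.String(), a.Next().String()}
		}
		return []string{p.Masked().String()}
	}
	if a, err := netip.ParseAddr(entry); err == nil && a.Is4() {
		return []string{a.String()}
	}
	return nil
}

// BuildAllowRules computes the IP rules to put on the storage account:
// service-tag prefixes plus extraAllow, minus anything in exclude (the
// assumed reading of --extra-deny-rules), deduplicated and sorted so that
// repeated runs produce a stable list to diff against the current ACL.
func BuildAllowRules(raw []byte, services, extraAllow, exclude []string) ([]string, error) {
	prefixes, err := prefixesFor(raw, services)
	if err != nil {
		return nil, err
	}
	excluded := map[string]bool{}
	for _, e := range exclude {
		for _, n := range normalize(e) {
			excluded[n] = true
		}
	}
	seen := map[string]bool{}
	var rules []string
	for _, e := range append(prefixes, extraAllow...) {
		for _, n := range normalize(e) {
			if !seen[n] && !excluded[n] {
				seen[n] = true
				rules = append(rules, n)
			}
		}
	}
	sort.Strings(rules)
	return rules, nil
}

func main() {
	rules, err := BuildAllowRules([]byte(sampleServiceTags),
		[]string{"AzureFrontDoor.Backend"},
		strings.Fields("168.63.129.16 169.254.169.254"), // the tool's default extra allow rules
		[]string{"192.0.2.77"})                            // an assumed exclusion
	if err != nil {
		panic(err)
	}
	// Dry-run style output: what would be written to networkRuleSet.ipRules.
	for _, r := range rules {
		fmt.Printf("Allow %s\n", r)
	}
}
```

With the sample input the IPv6 prefix is dropped, the /31 becomes two single-address rules, the /32 collapses to a bare address (which is why the exclusion `192.0.2.77` matches it), and the two platform addresses from `EXTRA_ALLOW_RULES` are appended.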