upload/azure: turn off public access on storage accounts #4353

Merged
merged 1 commit into from
Sep 9, 2024

Member

@croissanne croissanne commented Sep 6, 2024

When creating a storage account we're currently allowing public blob access. Users might have compliance policies active on their Azure accounts which forbid this.


Even though the default should be false, we're still getting

Storage account Allow Blob Public Access should be disallowed

so let's just do it explicitly.
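
Added example, not code from this PR or from osbuild-composer: a strict audit in Go that flags every storage account whose `allowBlobPublicAccess` is anything other than an explicit `false`, the situation described above where relying on the default still produced the finding. The JSON shape and the sample accounts are constructed, and treating an unset value as a violation is an assumption about how such a compliance policy evaluates.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// storageAccount carries only the fields the check needs (assumed JSON shape).
type storageAccount struct {
	Name string `json:"name"`
	// Pointer keeps "absent or null" distinct from an explicit false.
	AllowBlobPublicAccess *bool `json:"allowBlobPublicAccess"`
}

// Constructed sample listing, not real accounts.
const sampleAccounts = `[
  {"name": "explicitoff", "allowBlobPublicAccess": false},
  {"name": "unsetdefault"},
  {"name": "nullvalue", "allowBlobPublicAccess": null},
  {"name": "publicon", "allowBlobPublicAccess": true}
]`

type finding struct {
	Name, Reason string
}

// auditPublicAccess returns one finding per account that does not
// explicitly disable public blob access.
func auditPublicAccess(raw []byte) ([]finding, error) {
	var accounts []storageAccount
	if err := json.Unmarshal(raw, &accounts); err != nil {
		return nil, fmt.Errorf("parsing account list: %w", err)
	}
	var findings []finding
	for _, a := range accounts {
		switch {
		case a.AllowBlobPublicAccess == nil:
			findings = append(findings, finding{a.Name, "not set explicitly"})
		case *a.AllowBlobPublicAccess:
			findings = append(findings, finding{a.Name, "public access enabled"})
		}
	}
	return findings, nil
}

func main() {
	findings, _ := auditPublicAccess([]byte(sampleAccounts))
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Name, f.Reason)
	}
}
```

Only `explicitoff` passes; the two accounts that leave the property unset are reported alongside the one that enables public access.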

Users might have compliance policies on their azure accounts which
forbid public access on storage accounts.
@croissanne
Member Author

For testing I disabled public blob access on all our storage accounts, so if the Azure tests are green it should be fine.

Member

@ondrejbudai ondrejbudai left a comment

Awesome! :) Btw, they can also create the storage account themselves if they want, they just need to tag it correctly so osbuild-composer finds it.

@achilleas-k achilleas-k merged commit d6031ae into osbuild:main Sep 9, 2024
48 checks passed
@achilleas-k
Member

> Awesome! :) Btw, they can also create the storage account themselves if they want, they just need to tag it correctly so osbuild-composer finds it.

Should this be documented in the release notes? We can add instructions for how to get the old behaviour by creating the storage beforehand.

@croissanne croissanne deleted the azure-upload-public-access branch September 9, 2024 10:54
@croissanne
Member Author

> Awesome! :) Btw, they can also create the storage account themselves if they want, they just need to tag it correctly so osbuild-composer finds it.

Indeed, but this particular user is having trouble with that. I don't fully understand why because it looks properly tagged "imageBuilderStorageAccount": "location=eastus", but still it was trying to create a storage account.
