Azure VM custom script extension SAS token support

Question

I am trying to deploy add a custom script extension to an Azure VM using an ARM template, and I want to have it download files from a storage account using a SAS token.

Here is the template (simplified):

{
    "name": "CustomScriptExtension"
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "location": "eastus",
    "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.8",
        "settings": {
            "fileUris": [
                "https://{storage-account}.blob.core.windows.net/installers/{installer}.msi?sv=2015-04-05&sig={signature}&st=2017-05-03T05:18:28Z&se=2017-05-10T05:18:28Z&srt=o&ss=b&sp=r"
            ],
            "commandToExecute": "start /wait msiexec /package {installer}.msi /quiet"
        },
    }
}

And deploying it results in this error:

{
  "name": "CustomScriptExtension",
  "type": "Microsoft.Compute.CustomScriptExtension",
  "typeHandlerVersion": "1.8",
  "statuses": [
    {
      "code": "ProvisioningState/failed/3",
      "level": "Error",
      "displayStatus": "Provisioning failed",
      "message": "Failed to download all specified files. Exiting. Error Message: Missing mandatory parameters for valid Shared Access Signature"
    }
  ]
}

If I hit the URL with the SAS token directly it pulls down the file just fine so I know the SAS token is correct. Does the custom script extension not support URLs with SAS tokens?

Answer 1

I figured it out, this must be a bug in the custom script extension which causes it to not support storage account level SAS tokens. If I add &sr=b on the the end of the SAS token (which isn't part of the storage account level SAS token spec) it starts working.

I found this info here: https://azureoperations.wordpress.com/2016/11/21/first-blog-post/