https://github.com/desuuuu/azure-storage-acl-sync
Synchronize Azure storage account IP ACL with Azure service IPs.
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/desuuuu/azure-storage-acl-sync
- Owner: Desuuuu
- License: mit
- Created: 2023-08-30T14:04:31.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2023-08-31T11:03:52.000Z (over 1 year ago)
- Last Synced: 2025-01-31T00:19:13.110Z (4 months ago)
- Topics: acl, azure, storage
- Language: Go
- Homepage:
- Size: 9.77 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# azure-storage-acl-sync
[![Tag Badge]][Tag] [![Go Version Badge]][Go Version] [![Go Report Card Badge]][Go Report Card]
Synchronize Azure storage account IP ACL with Azure service IPs.
## Authentication
Azure authentication is handled by the [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity) package with `DefaultAzureCredential`. The easiest way to authenticate is using the following environment variables:
- Service principal with secret: `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET`.
- Service principal with certificate: `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_CERTIFICATE_PATH` and `AZURE_CLIENT_CERTIFICATE_PASSWORD`.
- Username and password: `AZURE_CLIENT_ID`, `AZURE_USERNAME` and `AZURE_PASSWORD`.
## Permissions
* `Microsoft.Network/locations/*/serviceTags/read` action on the subscription to retrieve the service IPs.
* Write access to the properties of the configured storage account to update its IP ACL.

Custom role for reading service tags:

```json
{
  "Name": "Service Tag Reader",
  "IsCustom": true,
  "Description": "List service tags and their respective IPs.",
  "Actions": [
    "Microsoft.Network/locations/*/serviceTags/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
```

## Options
| Flag | Environment variable | Default | Description |
|:----------------------|:------------------------|:-----------------------------------------|:----------------------------------------------------------------|
| `--subscription-id` | `AZURE_SUBSCRIPTION_ID` | - | Azure subscription ID. |
| `--services` | `AZURE_SERVICES` | `AzureFrontDoor.Backend` | Azure [services](https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) to retrieve IPs from. |
| `--location` | `AZURE_LOCATION` | `westus` | Azure location to retrieve IPs for. |
| `--resource-group` | `AZURE_RESOURCE_GROUP` | - | Storage account resource group. |
| `--storage-account` | `AZURE_STORAGE_ACCOUNT` | - | Storage account name. |
| `--extra-allow-rules` | `EXTRA_ALLOW_RULES` | `168.63.129.16`<br>`169.254.169.254` | Additional allow IP rules. |
| `--extra-deny-rules` | `EXTRA_DENY_RULES` | - | Additional deny IP rules. |
| `--dry-run` | `DRY_RUN` | `false` | Only print the IP rules that would be applied. |

The two IP addresses allowed by default are documented [here](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations).
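As an added illustration (not the project's own code), the Go function below composes a rule set the way the options above describe it: the address prefixes of the selected `--services` become allow rules, `--extra-allow-rules` and `--extra-deny-rules` are appended, duplicates are dropped and the result is sorted so a dry-run listing is stable. The `Rule` type and `DesiredRules` are this example's own names; skipping IPv6 entries (service tags list them alongside IPv4) and writing a single address without a prefix length are assumptions about storage-account IP rules, not behaviour the README states.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Rule is one storage-account IP network rule: an IPv4 address or CIDR and its action.
type Rule struct {
	Value  string // "168.63.129.16" for an address, "198.51.100.0/24" for a range
	Action string // "Allow" or "Deny"
}

// DesiredRules builds the rule set the sync would apply: every IPv4 prefix of the selected
// service tags as an Allow rule, then the extra allow and deny rules, de-duplicated and sorted.
func DesiredRules(tagPrefixes, extraAllow, extraDeny []string) ([]Rule, error) {
	out, seen := []Rule{}, map[Rule]bool{}
	add := func(values []string, action string) error {
		for _, v := range values {
			p, err := netip.ParsePrefix(v)
			if err != nil { // not a CIDR: accept a bare address as a host prefix
				a, aerr := netip.ParseAddr(v)
				if aerr != nil {
					return fmt.Errorf("invalid IP rule %q", v)
				}
				p = netip.PrefixFrom(a, a.BitLen())
			}
			if !p.Addr().Is4() { // service tags list IPv6 too; assumed unsupported by storage IP rules
				continue
			}
			r := Rule{p.Masked().String(), action}
			if p.IsSingleIP() { // assumption: a single address is written without a prefix length
				r.Value = p.Addr().String()
			}
			if !seen[r] {
				seen[r] = true
				out = append(out, r)
			}
		}
		return nil
	}
	for _, err := range []error{add(tagPrefixes, "Allow"), add(extraAllow, "Allow"), add(extraDeny, "Deny")} {
		if err != nil {
			return nil, err
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Value < out[j].Value })
	return out, nil
}
```

Comparing the returned set against the rules currently on the account, before writing, is what the `--dry-run` listing is for: a prefix that disappears from a service tag is removed on the next sync, so extras that must survive belong in `--extra-allow-rules`.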
[Tag]: https://github.com/Desuuuu/azure-storage-acl-sync/tags
[Tag Badge]: https://img.shields.io/github/v/tag/Desuuuu/azure-storage-acl-sync?sort=semver
[Go Version]: /go.mod
[Go Version Badge]: https://img.shields.io/github/go-mod/go-version/Desuuuu/azure-storage-acl-sync
[Go Report Card]: https://goreportcard.com/report/github.com/Desuuuu/azure-storage-acl-sync
[Go Report Card Badge]: https://goreportcard.com/badge/github.com/Desuuuu/azure-storage-acl-sync