How to backup files to Azure Blob Storage from VMs using managed identities

A couple of months ago, I needed to create backups of a database dump on one of my VMs. I initially thought it would be a difficult task but was pleasantly surprised to find it easier than I thought.

Despite the excellent documentation; I still needed to do some research to get my automated pipeline set up. The following tasks describe the steps I took as well as the script.


1. Set up managed identities for the Azure VM using this guide

2. Hop on the VM and install the Azure CLI

3. Setup a CRON job to run the script below at intervals

# Backup script for BASH relying on Az CLI

now=$(date +"%F.%T");
backupFileName="BACKUP ON $now"

parse_json ()
echo $1 | \
sed -e 's/[{}]/''/g' | \
sed -e 's/", "/'\",\"'/g' | \
sed -e 's/" ,"/'\",\"'/g' | \
sed -e 's/" , "/'\",\"'/g' | \
sed -e 's/","/'\"---SEPERATOR---\"'/g' | \
awk -F=':' -v RS='---SEPERATOR---' "\$1~/\"$2\"/ {print}" | \
sed -e "s/\"$2\"://" | \
tr -d "\n\t" | \
sed -e 's/\\"/"/g' | \
sed -e 's/\\\\/\\/g' | \
sed -e 's/^[ \t]*//g' | \
sed -e 's/^"//' -e 's/"$//'

# Get token
echo "Retrieving token from AAD"
payload="$(curl http://localhost:50342/oauth2/token
--data "resource="
-H Metadata:true;)"

# Parse Token
echo "Parsing access_token from AAD response"
token="$(parse_json $payload access_token)"

echo "Setting 5 minute token expiry time"
tokenExpiryTime=$(date -ud
"now + 5 minutes" +%FT%T.%3NZ)
echo $tokenExpiryTime

# Get SAS Token
echo "Exchanging AAD token for SAS token"
-X POST -d "{\"canonicalizedResource\":\"/blob/$storageAccountName/$containerName\",\"signedResource\":\"c\",\"signedPermission\":\"rcw\",\"signedProtocol\":\"https\",\"signedExpiry\":\"$tokenExpiryTime\"}"
-H "Authorization: Bearer $token")

# Parse SAS Token
echo "Parsing SAS Token"
sasToken="$(parse_json $sasTokenPayload serviceSasToken)"

# Upload Blob
echo "Uploading the file..."
az storage blob upload
--container-name $containerName
--file $file
--name $backupFileName
--account-name $storageAccountName
--sas-token $sasToken

echo "Done"

The script is also available as a Github Gist here.

4. Sit back and enjoy.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.