How to back up files to Azure Blob Storage from VMs using managed identities


A couple of months ago, I needed to create backups of a database dump on one of my VMs. I initially thought it would be a difficult task but was pleasantly surprised to find it easier than I thought.

Despite the excellent documentation, I still needed to do some research to get my automated pipeline set up. The following tasks describe the steps I took as well as the script.

Tasks

1. Set up managed identities for the Azure VM using this guide

2. Hop on the VM and install the Azure CLI

3. Set up a cron job to run the script below at intervals

#!/bin/bash
# Backup script for Bash relying on the Azure CLI
# Usage: pass the path of the file to back up as the first argument

containerName=containerName
storageAccountName=accountName
subscription=subscriptionID
resourceGroup=resourceGroupName
file="${1,,}"   # first argument, lowercased
now=$(date +"%F.%T")
backupFileName="BACKUP ON $now"

# Print the value of key $2 from the flat JSON string $1
parse_json ()
{
echo "$1" | \
sed -e 's/[{}]/''/g' | \
sed -e 's/", "/'\",\"'/g' | \
sed -e 's/" ,"/'\",\"'/g' | \
sed -e 's/" , "/'\",\"'/g' | \
sed -e 's/","/'\"---SEPERATOR---\"'/g' | \
awk -F=':' -v RS='---SEPERATOR---' "\$1~/\"$2\"/ {print}" | \
sed -e "s/\"$2\"://" | \
tr -d "\n\t" | \
sed -e 's/\\"/"/g' | \
sed -e 's/\\\\/\\/g' | \
sed -e 's/^[ \t]*//g' | \
sed -e 's/^"//' -e 's/"$//'
}

# Get token
# localhost:50342 is the endpoint of the managed identity VM extension;
# newer VMs obtain tokens from the Instance Metadata Service instead.
echo "Retrieving token from AAD"
payload="$(curl http://localhost:50342/oauth2/token \
  --data "resource=https://management.azure.com/" \
  -H Metadata:true)"

# Parse Token
echo "Parsing access_token from AAD response"
token="$(parse_json "$payload" access_token)"

echo "Setting 5 minute token expiry time"
tokenExpiryTime=$(date -ud "now + 5 minutes" +%FT%T.%3NZ)
echo "$tokenExpiryTime"

# Get SAS Token (container-scoped, read/create/write, HTTPS only)
echo "Exchanging AAD token for SAS token"
sasTokenPayload=$(
curl "https://management.azure.com/subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccountName/listServiceSas/?api-version=2017-06-01" \
  -X POST -d "{\"canonicalizedResource\":\"/blob/$storageAccountName/$containerName\",\"signedResource\":\"c\",\"signedPermission\":\"rcw\",\"signedProtocol\":\"https\",\"signedExpiry\":\"$tokenExpiryTime\"}" \
  -H "Authorization: Bearer $token")

# Parse SAS Token
echo "Parsing SAS Token"
sasToken="$(parse_json "$sasTokenPayload" serviceSasToken)"

# Upload Blob (the blob name contains spaces, so every argument is quoted)
echo "Uploading the file..."
az storage blob upload \
  --container-name "$containerName" \
  --file "$file" \
  --name "$backupFileName" \
  --account-name "$storageAccountName" \
  --sas-token "$sasToken"

echo "Done"

The script is also available as a GitHub Gist here.

4. Sit back and enjoy.
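
The script above keeps going when the token or SAS request returns an error, and it passes the SAS token on the command line. The following is an added example, not part of the original post or gist, showing fail-closed parsing of both responses, an allow-listed request body, and an upload that hands the token to the Azure CLI through the `AZURE_STORAGE_SAS_TOKEN` environment variable; the function names and sample responses are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the author's script. Sample responses are constructed.

# Print the string value of key $2 from the flat JSON object $1. Returns 1
# when the key is absent, empty, or contains escapes, so an error response
# never turns into an empty token further down the pipeline.
json_string_field() {
  local json=$1 key=$2
  local re="\"$key\"[[:space:]]*:[[:space:]]*\"([^\"\\\\]+)\""
  [[ $json =~ $re ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

# Build the listServiceSas body. Allow-lists keep shell variables from
# injecting extra JSON; permissions are an argument so a backup job can ask
# for create/write ("cw") instead of the script's "rcw".
sas_request_body() {
  local account=$1 container=$2 perms=$3 expiry=$4
  [[ $account =~ ^[a-z0-9]{3,24}$ ]] || return 1
  [[ $container =~ ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$ ]] || return 1
  [[ $perms =~ ^[racwdl]+$ ]] || return 1
  [[ $expiry =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+Z$ ]] || return 1
  printf '{"canonicalizedResource":"/blob/%s/%s","signedResource":"c","signedPermission":"%s","signedProtocol":"https","signedExpiry":"%s"}\n' \
    "$account" "$container" "$perms" "$expiry"
}

# Upload with the SAS token in the environment rather than in argv, where
# other local users could read it from the process list.
upload_blob() {
  local account=$1 container=$2 file=$3 name=$4 sas=$5
  AZURE_STORAGE_SAS_TOKEN=$sas az storage blob upload \
    --account-name "$account" --container-name "$container" \
    --file "$file" --name "$name"
}

# Constructed sample responses (no network access needed to try the parser).
ok_token='{"access_token":"eyJ0eXAi.constructed.value","expires_in":"3599","token_type":"Bearer"}'
err_token='{"error":"invalid_request","error_description":"Identity not found"}'
ok_sas='{"serviceSasToken":"sv=2015-04-05&sr=c&se=2030-01-01T00%3A00%3A00Z&sp=cw&sig=CONSTRUCTED"}'

if token=$(json_string_field "$ok_token" access_token); then
  echo "token parsed (${#token} chars)"
fi
json_string_field "$err_token" access_token || echo "token request failed; aborting"
```

In the backup script, each `json_string_field` call would be followed by `|| exit 1` so that the cron job stops before the upload when either request fails.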
