LAD 3.0 Failing to connect to Storage Account using SASToken


I'm currently trying to deploy through an ARM template the Linux Extension LAD. Following the documentation, the extension needs a SasToken and a storage account with table capacity in order to work. I deploy the Storage Account before I call a method similar to this one in order to create a SasToken and then use that token to deploy the extension.

This works fine as the extension is installed. However, an error appears if I go check it out in the portal. It tells me I need container and object permissions, which I previously did not have, but now I have modified the SasToken parameter to include them in the deployment.

I've tried looking for the main keywords from the message but I couldn't figure it out.

Here is the error (it's long):

Problem(s) detected in generated mdsd configuration. Can't enable, although this install/enable operation is reported as successful so the VM can complete successful startup. Linux Diagnostic Extension will exit. Config validation message: 2020-11-25T17:07:57.9564180Z: Not all GCS env vars are defined. Missing 6: MONITORING_GCS_ENVIRONMENT MONITORING_GCS_ACCOUNT MONITORING_GCS_REGION MONITORING_GCS_CERT_CERTFILE MONITORING_GCS_CERT_KEYFILE MONITORING_GCS_STORAGE_RESOURCE_TAG_TYPE. GCS won't be used. Parse reported these messages:
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(3) Error: Invalid SAS token given. Reason: Account SAS must enable container and object access (srt='co' or better)
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(18) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(25) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(31) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(45) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(60) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(71) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(84) Fatal: AddMonikerEventInfo() failed: No default credential is found.
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement

Here is my template, without ladCfg as it is very long:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": {
        "description": "The VM Name."
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "The location."
      }
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Storage Account Name."
      }
    },
    "storageAccountEndpoint": {
      "type": "string",
      "metadata": {
        "description": "Storage Account Endpoint."
      },
      "defaultValue": "https://core.windows.net"
    },
    "accountSasProperties": {
      "type": "object",
      "defaultValue": {
        "signedServices": "btq",
        "signedPermission": "rwlacup",
        "signedExpiry": "2030-01-01T00:00:01Z",
        "signedResourceTypes": "sco",
        "keyToSign": "key1"
      }
    }
  },
  "variables": {
    "perfSink": "[concat(parameters('vmName'),'-perfSink')]",
    "sysLogSink": "[concat(parameters('vmName'),'-sysLogSink')]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('vmName'), '/LinuxDiagnostic')]",
      "apiVersion": "2019-07-01",
      "location": "[parameters('location')]",
      "properties": {
        "publisher": "Microsoft.Azure.Diagnostics",
        "type": "LinuxDiagnostic",
        "typeHandlerVersion": "3.0",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "sinksConfig": {
            "sink": [
              {
                "name": "[variables('perfSink')]",
                "type": "JsonBlob"
              },
              {
                "name": "[variables('sysLogSink')]",
                "type": "JsonBlob"
              }
            ]
          },
          "StorageAccount": "[parameters('storageAccountName')]",
          "ladCfg": { ... }
        },
        "protectedSettings": {
          "storageAccountName": "[parameters('storageAccountName')]",
          "storageAccountEndPoint": "[parameters('storageAccountEndpoint')]",
          "storageAccountSasToken": "[listAccountSas(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccountName')), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"
        }
      }
    }
  ],
  "outputs": {}
}

I thank you in advance for any help provided.

Answer by Jim Xu (accepted answer):

I summarize my suggestions below.

When we install the Linux Diagnostic Extension to monitor metrics and logs and store the data in Azure Storage, we should provide an Account SAS token for the Blob and Table services (ss='bt'), applicable to containers and objects (srt='co'), which grants add, create, list, update, and write permissions (sp='acluw'). Besides, regarding how to create an Account SAS token in an Azure ARM template, we can use the ARM resource function listAccountSas.

For example

"parameters": {
  "accountSasProperties": {
    "type": "object",
    "defaultValue": {
      "signedServices": "bt",
      "signedResourceTypes": "co",
      "signedPermission": "acluw",
      "signedExpiry": "9001-01-30T16:00:00Z"
    }
  }
},
...
"sasToken": "[listAccountSas(parameters('storagename'), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"

For more details, please refer to

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource?tabs=json#list-example

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?toc=/azure/azure-monitor/toc.json#protected-settings
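As an added example (not part of the question or of Jim Xu's answer), the following Python check parses an account SAS token the way LAD's config validation reads it and verifies the ss/srt/sp requirement stated above before the token ever goes into protectedSettings; it also lists permission letters beyond that set, which is the least-privilege gap between the question's "rwlacup" and the answer's "acluw". The sample tokens are constructed, with placeholder signatures, and the function names are my own.

```python
from urllib.parse import parse_qs

# LAD 3.0 requirement as stated in the answer: account SAS for the Blob and
# Table services (ss), container and object resource types (srt), and the
# add/create/list/update/write permissions (sp). "or better" means supersets.
REQUIRED_SERVICES = set("bt")
REQUIRED_RESOURCE_TYPES = set("co")
REQUIRED_PERMISSIONS = set("acluw")


def parse_sas(token: str) -> dict:
    """Parse an account SAS query string (with or without a leading '?')
    into a dict of single values; the signature (sig) is never printed."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def check_lad_sas(token: str) -> list:
    """Return the problems that would make LAD's config validation reject
    this token; an empty list means ss, srt and sp satisfy the requirement."""
    fields = parse_sas(token)
    problems = []
    for key, required, label in (
        ("ss", REQUIRED_SERVICES, "services"),
        ("srt", REQUIRED_RESOURCE_TYPES, "resource types"),
        ("sp", REQUIRED_PERMISSIONS, "permissions"),
    ):
        have = fields.get(key, "")
        missing = required - set(have)
        if missing:
            problems.append(f"{key} ({label}) lacks {''.join(sorted(missing))!r}; have {have!r}")
    if "sig" not in fields:
        problems.append("token has no signature (sig); it is not a SAS token")
    return problems


def excess_permissions(token: str) -> str:
    """Permission letters beyond what LAD needs, for a least-privilege review."""
    have = set(parse_sas(token).get("sp", ""))
    return "".join(sorted(have - REQUIRED_PERMISSIONS))


# Constructed sample tokens with placeholder signatures. BROAD_TOKEN mirrors the
# question's accountSasProperties (ss=btq, srt=sco, sp=rwlacup); SERVICE_ONLY_TOKEN
# is the kind that triggers "Account SAS must enable container and object access".
BROAD_TOKEN = "?sv=2018-02-01&ss=btq&srt=sco&sp=rwlacup&se=2030-01-01T00:00:01Z&sig=PLACEHOLDER"
SERVICE_ONLY_TOKEN = "?sv=2018-02-01&ss=bt&srt=s&sp=acluw&se=2030-01-01T00:00:01Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, tok in (("broad", BROAD_TOKEN), ("service-only", SERVICE_ONLY_TOKEN)):
        print(name, check_lad_sas(tok) or "OK", "extra sp:", excess_permissions(tok) or "-")
```

Run it against the token your deployment actually produces (the value of storageAccountSasToken) before enabling the extension; a non-empty list from check_lad_sas is the same condition the xmlCfg.xml(3) error reports.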