Add ARM as trusted Service in Storage Account Firewall.
Please add "Azure Resource Manager (ARM) template deployment service" as a Trusted Service in Storage Account Firewall services. Right now when we add IP restrictions and "Allow trusted Microsoft services", the ARM Template deployment fails when it attempts to get the keys for the storage account, because ARM is not added as a Trusted Service in Storage Account Firewall.

4 comments
-
David F Smith commented
This has been opened at least twice already, with no response from MS:
https://feedback.azure.com/forums/217298-storage/suggestions/33462937-whitelist-all-microsoft-services-in-storage-accoun
https://feedback.azure.com/forums/281804-azure-resource-manager/suggestions/37323142-support-linked-arm-templates-on-private-vnets
The first link appears to somehow be dead, despite the fact that I can clearly view it in the list of items I have voted for and commented on. What does the community have to do to get MS to take this seriously? Our only alternative is to open up the storage account to the internet with anonymous access disabled; not ideal at all.
-
Rajinder Singh commented
We have complex nested deployments. Our only option is to store the ARM templates in a storage account. Our security teams want to enforce firewalls on storage accounts. Our deployments generate SAS tokens to access the nested templates. Adding ARM as a trusted service will be very helpful.
-
Anonymous commented
Or configure the storage account firewall on the fly during ARM execution.
-
Will Parry commented
Do we have to disable Storage Account Firewall at the moment to reference linked files from Blob Container in ARM templates?