Oracle installation files can be placed in an Azure Storage container that requires authorized access to the files (anonymous public read access disabled).

There are two authorization methods available to support such deployments:

- User-assigned Managed Identity
- Shared Access Signature (SAS)

Each method can be used independently of the other.

Note: Launcher will not be able to verify the accessibility of the Oracle files when either of these methods is used.
User-assigned Managed Identity
The managed identity can be given access to a storage account, and then this managed identity can be assigned to the VMs during the deployment. As a result, the initialization process will be able to download Oracle files and complete successfully.
Create managed identity
Create a new managed identity in the region of a storage account.
Grant access to a storage account (Azure Portal)
- Go to the Storage Account → Access Control (IAM)
- Select Role assignments
- Click Add → Add role assignment
- Select Storage Blob Data Reader, then click Next
- In the Assign access to section, select Managed identity
- Click Select members and select the previously created user-assigned managed identity
- Click Review + assign
Grant access to storage account (CLI, alternative method)
- Obtain the managed identity's object ID:

  ```shell
  az ad sp list --display-name "<managed_identity_name>" --query "[*].objectId"
  ```

  On Azure CLI 2.37 and later (which use Microsoft Graph), the property is named `id` rather than `objectId`, so use `--query "[*].id"` there.
- Grant the Storage Blob Data Reader role:

  ```shell
  az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee-object-id "<managed_identity_object_id>" \
    --assignee-principal-type "ServicePrincipal" \
    --scope "/subscriptions/<subscription_id>/resourceGroups/<storage_account_resource_group>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>"
  ```
Add Managed Identity ID to the config file
- Copy the ID from the managed identity's properties page.
- Add `user_assigned_identity` under the `[azure]` section of the config file, using the copied ID:

  ```ini
  [azure]
  user_assigned_identity = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/3023-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/blobstorage'
  ```
Shared Access Signature (SAS)
SAS provides limited access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted on the resource and the interval over which the signature is valid. Anyone holding the token has those permissions until it expires, so grant only Read and keep the validity window as short as the deployment allows.
Generate SAS token
- Go to the Storage Account → Security + networking → Shared access signature.
- Make sure that there is Read access for Blobs. Set the start and expiry date/times as needed.
- Click the Generate SAS and connection string button.
- Copy the generated SAS token and remove the leading question mark.
- Add the `oracle_files_storage_sas` parameter under the `[azure]` section of the config file, using the value of the SAS token:

  ```ini
  [azure]
  oracle_files_storage_sas = 'sv=2020-08-04&ss=b&srt=o&sp=rx&se=2022-04-15T20:12:07Z&st=2022-04-15T12:12:07Z&spr=https&sig=avO9blmyKQ5h3ZBtlvtXkPwYaYISbe1mf59M7yN9FCA%3D'
  ```
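Because Launcher cannot verify that the Oracle files are reachable, a local pre-flight check of the `oracle_files_storage_sas` value is useful before deploying. The script below is an added example, not code from the Launcher project: it reads the `[azure]` section in the format shown above (the sample config and its token are constructed) and flags the mistakes this page warns about, namely a leftover leading `?`, a missing Read permission, write-class permissions, an http-capable token and an expired or not-yet-valid window.

```python
"""Pre-flight check of the oracle_files_storage_sas value in the [azure] section.
Added example, not code from the Launcher project: it inspects only the SAS query
string (no call to Azure), catching the settings this page asks you to verify."""
import configparser
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Account-SAS letters that allow modification (write, delete, permanent delete, add,
# create, update, process); a download-only token needs none of them.
WRITE_PERMS = set("wdyacup")

# Constructed sample config in the page's format (the token value is made up).
SAMPLE_CONFIG = """[azure]
oracle_files_storage_sas = 'sv=2020-08-04&ss=b&srt=o&sp=rx&se=2030-01-01T00:00:00Z&st=2022-04-15T12:12:07Z&spr=https&sig=EXAMPLESIG%3D'
"""

def load_sas(config_text: str) -> str:
    """Return the SAS value from [azure] with surrounding quotes stripped."""
    # interpolation=None: the '%3D' in 'sig' would otherwise trip %-interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return cp["azure"]["oracle_files_storage_sas"].strip().strip("'\"")

def _utc(value: str) -> datetime:
    """Parse a SAS timestamp such as 2022-04-15T20:12:07Z (or a bare date) as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_sas(token: str, now: str = "") -> list[str]:
    """Return the problems found (empty = usable); `now` is an optional ISO-8601 UTC clock."""
    clock = _utc(now) if now else datetime.now(timezone.utc)
    problems = []
    if token.startswith("?"):          # the portal copies the token with a leading '?'
        problems.append("leading '?' must be removed from the token")
        token = token[1:]
    p = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    problems += [f"missing parameter '{k}'" for k in ("sv", "sp", "se", "sig") if k not in p]
    perms = set(p.get("sp", ""))
    if "r" not in perms:
        problems.append("sp lacks 'r': Blob read access is required to download files")
    if perms & WRITE_PERMS:
        problems.append(f"sp grants write-class permissions {sorted(perms & WRITE_PERMS)}")
    if "b" not in p.get("ss", "b"):
        problems.append("ss does not include 'b': the Blob service is not allowed")
    if "http" in p.get("spr", "https").split(","):
        problems.append("spr allows plain http; restrict the token to https")
    if "se" in p and _utc(p["se"]) <= clock:
        problems.append(f"token expired at {p['se']}")
    if "st" in p and _utc(p["st"]) > clock:
        problems.append(f"token is not valid before {p['st']}")
    return problems
```

Run `check_sas(load_sas(open("config").read()))` against your real config file; an empty list means the token has the shape the download step needs.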