feat: use MSI to upload VHDs to the storage container

.pipelines/templates/.builder-release-template-windows.yaml

@@ -181,9 +181,6 @@ steps:
         -e RESOURCE_GROUP_NAME="${AZURE_BUILD_RESOURCE_GROUP_NAME}" \
         -e LOCATION="${AZURE_BUILD_LOCATION}" \
         -e OS_TYPE="Windows" \
-        -e CLASSIC_SA_CONNECTION_STRING="$(CLASSIC_SA_CONNECTION_STRING)" \
-        -e OUTPUT_STORAGE_ACCOUNT_NAME=${OUTPUT_STORAGE_ACCOUNT_NAME} \
-        -e OUTPUT_STORAGE_CONTAINER_NAME=${OUTPUT_STORAGE_CONTAINER_NAME} \
         -e CLASSIC_BLOB="$(STORAGE_ACCT_BLOB_URL)" \
         -e SIG_IMAGE_NAME=${SIG_IMAGE_NAME} \
         -e SIG_GALLERY_NAME=${SIG_GALLERY_NAME} \

.pipelines/templates/.builder-release-template.yaml

@@ -196,9 +196,6 @@ steps:
         -e LOCATION="${AZURE_LOCATION}" \
         -e OS_TYPE="Linux" \
         -e CLASSIC_BLOB=${CLASSIC_BLOB} \
-        -e CLASSIC_SA_CONNECTION_STRING="$(CLASSIC_SA_CONNECTION_STRING)" \
-        -e OUTPUT_STORAGE_ACCOUNT_NAME=${OUTPUT_STORAGE_ACCOUNT_NAME} \
-        -e OUTPUT_STORAGE_CONTAINER_NAME=${OUTPUT_STORAGE_CONTAINER_NAME} \
         -e SIG_GALLERY_NAME=${SIG_GALLERY_NAME} \
         -e SIG_IMAGE_NAME=${SIG_IMAGE_NAME} \
         -e CAPTURED_SIG_VERSION=${captured_sig_version} \

vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh

@@ -1,8 +1,6 @@
 #!/bin/bash -e
 
 required_env_vars=(
-    "CLASSIC_SA_CONNECTION_STRING"
-    "OUTPUT_STORAGE_CONTAINER_NAME"
     "SUBSCRIPTION_ID"
     "RESOURCE_GROUP_NAME"
     "CAPTURED_SIG_VERSION"
@@ -11,23 +9,6 @@ required_env_vars=(
     "SIG_IMAGE_NAME"
 )
 
-start_date=$(date +"%Y-%m-%dT00:00Z" -d "-1 day")
-expiry_date=$(date +"%Y-%m-%dT00:00Z" -d "+1 year")
-if [[ "${OS_NAME,,}" != "windows" ]]; then
-    [ -z "${OUTPUT_STORAGE_CONTAINER_NAME}" ] && echo "OUTPUT_STORAGE_CONTAINER_NAME should be set..." && exit 1
-    echo "storage container name: ${OUTPUT_STORAGE_CONTAINER_NAME}"
-    # max of 7 day expiration time when using user delegation SAS
-    storage_sas_token=$(az storage container generate-sas --name ${OUTPUT_STORAGE_CONTAINER_NAME} --permissions acwlr --connection-string ${CLASSIC_SA_CONNECTION_STRING} --start ${start_date} --expiry ${expiry_date} | tr -d '"')
-else
-    # we still need to use the original connection string when not using a system-assigned identity on 1ES pools
-    storage_sas_token=$(az storage container generate-sas --name vhds --permissions acwlr --connection-string ${CLASSIC_SA_CONNECTION_STRING} --start ${start_date} --expiry ${expiry_date} | tr -d '"')
-fi
-
-if [ "$storage_sas_token" == "" ]; then
-    echo "sas_token is empty"
-    exit 1
-fi
-
 for v in "${required_env_vars[@]}"
 do
     if [ -z "${!v}" ]; then
@@ -86,9 +67,11 @@ echo "Converted $sig_resource_id to $disk_resource_id"
 # shellcheck disable=SC2102
 sas=$(az disk grant-access --ids $disk_resource_id --duration-in-seconds 3600 --query [accessSas] -o tsv)
 
-echo "Uploading $disk_resource_id to ${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd"
+echo "Logging into azcopy with MSI"
+azcopy-preview login --identity
 
-azcopy-preview copy "${sas}" "${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd?${storage_sas_token}" --recursive=true
+echo "Uploading $disk_resource_id to ${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd"
+azcopy-preview copy "${sas}" "${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd" --recursive=true || exit $?
 
 echo "Uploaded $disk_resource_id to ${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd"