@Vikalpa Shetkar,
The SAS token will eventually expire. It may expire when no one remembers that a new token needs to be reissued.
Here is my approach to avoid the SAS token for Blob:
- Change your blob access level to Blob (anonymous read access for blobs only)
- Change your storage account network settings to "Enabled from selected virtual networks and IP addresses", and map your OCP virtual networks.
- Add any external IP ranges to access the Blob to upload your archives
- In MAS, update your custom archive URL with https://<storageaccount Blob URL>/blob-name/FILENAME.zip
Suppose your storage account is used for other Blobs or File Shares. In that case, I recommend creating a dedicated one for the MAS customisations archives, as these settings may impact other applications connecting to your storage account.
I believe this is simpler and safer than using FTP or SAS tokens.
Hopefully, it can help you.
Cheers,
Maycon
------------------------------
If this post helps, please consider accepting it as a solution to help other members find it more quickly.
Maycon Belfort
Cloud and Infrastructure Engineer
Naviam
Melbourne
------------------------------
Original Message:
Sent: Fri July 11, 2025 01:35 AM
From: Vikalpa Shetkar
Subject: MAS - Customization Archive in Azure for ARO
Hi Gaurav,
Thank you so much for your help. I have followed all the steps. I guess I have missed providing Blob SAS URL in single and then double quotes. I will try this.
Regards,
Vikalpa
Original Message:
Sent: 7/10/2025 3:16:00 AM
From: Gaurav Gupta
Subject: RE: MAS - Customization Archive in Azure for ARO
Hi Vikalpa,
We have recently implemented it for one of our client. Cloud admin can generate a SAS token URL for the container or folder or Customization zip file available on Azure Blob and this URL can be used in MAS Core. SAS url generally have special character and doesn't work with wget command (build pipeline use wget to download the customization archive) even if you do a URL encoding. To overcome this, you may need to provide the url in "" (double quotes). Also, you may need to update ManageWorkspace CRD to allow double quote ("), otherwise an error saying "Only ftp, ftps http and https protocols are allowed" will be thrown.
At high level following is the list steps to be followed:
1- Go to Manage Workspace CRD YAML (not the instance YAML).
2- Search for customizationArchiveUrl and find the key named 'pattern'.
3- Replace its value with '^"?((http|https|ftp)://.*)"?$'
4- Save the file, then provide the Customization URL through the UI or OpenShift console, ensuring it is enclosed in single quotes first and then double quotes.
There is another solution, which may be a cleaner approach, is to expose Azure Blob behind some http/ftp layer (which can be additional http server) or exposing it using s3 api (this will also require additional infra component/container to expose s3 api). As Witold Wierzchowski mentioned already, these http/ftp or s3 api layers can be exposed using a separate pod on OpenShift cluster itself or can be on separate VM.
------------------------------
Gaurav Gupta
Original Message:
Sent: Tue July 08, 2025 12:20 PM
From: Vikalpa Shetkar
Subject: MAS - Customization Archive in Azure for ARO
Hi Ritesh,
If this worked for you, can you please share the steps.
------------------------------
Vikalpa Shetkar
Original Message:
Sent: Tue February 11, 2025 01:29 AM
From: Ritesh Ranjan
Subject: MAS - Customization Archive in Azure for ARO
Hi Experts,
We are using MAS9 on ARO. Need to know if someone has used Azure storage for customization archive?
I tried using Azure blob storage with SAS token, but it did not work. There is also no article at the moment, how to use Azure storage for customization archive.
I am curious to know how one is using customization archive on Azure.
Please share your expertise.
------------------------------
Ritesh Ranjan
------------------------------