
New-AzGalleryApplicationVersion fails with could not establish trust relationship for the SSL/TLS secure channel #27710

Open

Description

@alvaro-vantis-pt

I am experiencing the exact same issue as described in #25676. My blob is accessed only via private endpoints and specific subnets, and I receive the same errors whether I include "privatelink" in the blob URI or not.

In the message from @mayankdaruka-msft, a new feature was mentioned involving a VNet integration that allows the publishing service "trusted access" to blobs in storage accounts behind a firewall/VNet. This would involve placing a managed identity on the gallery and giving the managed identity read permissions to the blob. This feature was expected to be available by the end of September 2024. As of today, May 8, 2025, I cannot find this option in any of the commands related to Gallery within the Az.Compute module, nor in the Azure Portal.

I tested allowing public access to the blob, and it worked well, but I cannot keep this active due to security concerns. What would be the solution or workaround to make this work without exposing the storage account publicly on the internet?

Thank you for your assistance.

Hi @darrens280,

The issue here is that your storage account is configured to be accessible from only certain virtual networks and/or IP addresses. Even if you are publishing from a machine in the same virtual network as the storage account, the provided SAS will not be accessible by the publishing service used to publish Gallery Applications, hence the error.

We are currently working on a VNet integration feature that allows the publishing service "trusted access" to blobs in storage accounts behind a firewall/VNet. This would involve placing a managed identity on the gallery and giving the managed identity read permissions to the blob.

This feature is currently in progress and should be available by end of September.

Originally posted by @mayankdaruka-msft in #25676
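As an added diagnostic (not code from this issue, from Az.Compute or from the Azure service team), the following PowerShell reads the storage account's network configuration to confirm the condition the reply above describes: a default-deny network rule set or disabled public network access is what keeps the gallery publishing service from fetching the SAS-protected package blob. It assumes Az.Storage is installed and Connect-AzAccount has run; the resource names are placeholders.

```powershell
# Added diagnostic: explain why New-AzGalleryApplicationVersion cannot reach
# the package blob. Resource names below are placeholders, not from the issue.
param(
    [string]$ResourceGroupName  = '<resource-group>',
    [string]$StorageAccountName = '<storage-account>'
)

$acct  = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $StorageAccountName

# Summarise the settings that decide whether an external caller can fetch a blob.
$summary = [pscustomobject]@{
    PublicNetworkAccess = $acct.PublicNetworkAccess   # 'Disabled' => only private endpoints reach the account
    DefaultAction       = $rules.DefaultAction        # 'Deny' => callers not matched by a rule are blocked
    IpRules             = ($rules.IpRules | ForEach-Object IPAddressOrRange) -join ', '
    VirtualNetworkRules = ($rules.VirtualNetworkRules | ForEach-Object VirtualNetworkResourceId) -join ', '
    ResourceAccessRules = ($rules.ResourceAccessRules | ForEach-Object ResourceId) -join ', '
    Bypass              = $rules.Bypass               # 'AzureServices' covers only the documented trusted-service list
}
$summary | Format-List

# The publishing service is not on the caller's VNet and has no IP rule, so a
# default-deny rule set (or disabled public access) makes the SAS in
# -PackageFileLink unreachable for it, which surfaces as the trust/TLS error.
$blockedForPublisher = ($acct.PublicNetworkAccess -eq 'Disabled') -or
                       ($rules.DefaultAction -eq 'Deny')

if ($blockedForPublisher) {
    Write-Warning ("Storage account '{0}' blocks callers outside its listed networks; " +
                   "the gallery publishing service cannot download the package blob. " +
                   "Opening public access is the only working route reported so far; " +
                   "the managed-identity trusted-access feature is not yet exposed in Az.Compute.") -f $StorageAccountName
} else {
    Write-Output "Network rules allow external callers; look elsewhere for the cause of the error."
}
```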

Activity

microsoft-github-policy-service added the Service Attention label and removed the needs-triage label on May 16, 2025

microsoft-github-policy-service (Contributor) commented on May 16, 2025

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @TravisCragg-MSFT, @nikhilpatel909, @sandeepraichura, @hilaryw29, @GabstaMSFT, @ramankumarlive, @ushnaarshadkhan.

Issue #27710 · Azure/azure-powershell