Replace account based SAS with dSAS (#4756)

diff --git a/eng/pipelines/prepare-release.yml b/eng/pipelines/prepare-release.yml
index eb8579b388ea3bc408ea774bca1f1085efe07a93..a7bff089f397b2f27e913607d2af57d0ff646835 100644 (file)
--- a/eng/pipelines/prepare-release.yml
+++ b/eng/pipelines/prepare-release.yml
@@ -15,7 +15,6 @@ stages:
     variables:
     - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')) }}:
       - group: DotNet-Diagnostics-Storage
-      - group: DotNetBuilds storage account read tokens
       - group: Release-Pipeline
     steps:
     - ${{ if in(variables['Build.Reason'], 'PullRequest') }}:
@@ -30,6 +29,29 @@ stages:
           version: 6.x
           installationPath: '$(Build.Repository.LocalPath)\.dotnet'
       - template: /eng/common/templates/post-build/setup-maestro-vars.yml
+
+      # Populate dotnetbuilds-internal-container-read-token
+      - template: /eng/common/templates-official/steps/get-delegation-sas.yml
+        parameters:
+          federatedServiceConnection: 'dotnetbuilds-internal-read'
+          outputVariableName: 'dotnetbuilds-internal-checksums-container-read-token'
+          expiryInHours: 1
+          base64Encode: false
+          storageAccount: dotnetbuilds
+          container: internal-checksums
+          permissions: rl
+
+      # Populate dotnetbuilds-internal-container-read-token
+      - template: /eng/common/templates-official/steps/get-delegation-sas.yml
+        parameters:
+          federatedServiceConnection: 'dotnetbuilds-internal-read'
+          outputVariableName: 'dotnetbuilds-internal-container-read-token'
+          expiryInHours: 1
+          base64Encode: false
+          storageAccount: dotnetbuilds
+          container: internal
+          permissions: rl
+
       - task: AzureCLI@2
         displayName: 'DARC Gather build'
         inputs: