I'm unable to access Azure blob storage - azure

I have created Azure Storage account, inside storage account created container and uploaded files to my container.
When I tried to access the Container from browser. Getting: This request is not authorized to perform this operation. ,Assigned Storage blob Contributer and also Storage Blob Owner but same issue.


I tried to reproduce the same in my environment to access the blob Storage. As I got below
I created storage account with container, like below.
Azure Portal > Storage accounts > Create a Storage Account
Note: If you want to access Azure Blob from public Internet, Select Enable public access from all networks under Networking section or if you select Enable public access from selected Virtual network and IP Address, it will access only particular Virtual Network.
**Container Creation: **
Azure Storage Account > Containers > Container >
Assigned Storage Blob Data Contributor to my storage account, Like below.
Azure Storage Account > Select your Storage Account > Access Control (IAM)> Add > Add role Assignment > Storage Blob Data Contributor.
My blob is accessible over the Public Internet


Those files/container are private, this means only authorised users can access to them. To access a particular file with your browser, you need to grant permissions to that file. One of many solutions is to use SAS token (Shared Access Signature). In resume, this will generate a url with a token and this url can be pasted in a browser to access the file.
SAS token can be configured at some levels:
User delegation
Service
Account
One of the benefits (it has a lot more) of SAS token is that you can define an expiration policy for that SAS token, so it not be externally accesible for eternity.
You should configure Share Access Policies if those files have sensible content or block some paths to protect them from external access.
Please, refer to the official documentation for more info about SAS Token usage:
What is SAS
Grant limited access to Azure Storage resources using SAS

Related

is Databricks access connector trusted resource in Azure?

I'm trying to set up the external location for the unity catalog. it was able to connect to storage while trying to test a connection in which storage access is limited to selected vnets and ips. but I'm getting a 403 error while accessing the storage from the notebook even adding the blob contributor access to managed identity. Did I miss anything?
my assumption is since I added a connector to the trusted resources it will bypass the network rules.

Databricks throwing 403 error
The main reason for 403 error is related to authorization issues for accessing azure storage account to avoid access related issues Assign the application to a role, make sure to assign the Storage Blob Data Contributor role to the service principal.
You need to have only (Storage Blob Data Contributor) Role specified on your storage for your service principal. To assign Storage Blob Data Contributor roles using portal follow this link.
I have created demt1 storage account for demo, open Access controls -> Role assignment
![enter image description here](https://i.imgur.com/a140fKd.png
Under Role assignment select Storage Blob Data Contributor created initially
To check if the role is assigned open Access control -> Check Access -> Check access
and search for databricks
Under Current assignments there will be assigned role
Open databricks account and try to access storage by mounting an existing container
Additional Settings

Try adding the Databricks' workspace managed identity as a Storage Blob Data Contributor.
IAM for Databricks Managed Identity
You'll also want to add the relevant IAM conditional access, such as Read / Write permissions.
Conditional Access for Managed Identity

Create User delegation key from azure portal

I try to create a User delegation key from azure portal.
No matter what privileges I'm assigning to myself, I hit the same error message
You don't have permissions to grant read access. You can still create
a shared access signature, but you'll need an RBAC role with
additional permissions before you can grant that level of access to
your signature recipient.Learn more about Azure roles for access to
blob data
So far I have the following the roles assigned :
And the link provided in the error message says I need one of the following :
Contributor
Storage Account Contributor
Storage Blob Data Contributor
Storage Blob Data Owner
Storage Blob Data Reader
Storage Blob Delegator
So it should work, but it doesn't. What am I missing ?

The error usually occurs if you don't have required roles/permissions assigned to create User delegation key.
Please note that in order to create user delegation key, ensure to have role that includes action like below:
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey
The above action is included in the below roles:
Storage Blob Data Contributor
Storage Blob Data Owner
Storage Blob Data Reader
Storage Blob Delegator
Try assigning either Storage Blob Data Contributor / Storage Blob Data Owner roles as you didn't assign.
Please check at what scope you have assigned the role, make sure to assign the roles at the level of the storage account, the resource group, or the subscription.
I tried in my environment, and got the same error when the roles are not assigned:
After assigning the roles, I am able to create user delegation key successfully without errors.
If still the error persists, try creating an Azure Support ticket.
For more in detail, please refer below links:
Create SAS tokens for containers and blobs with the Azure portal | Microsoft Docs
azure-docs/storage-blob-user-delegation-sas-create-cli.md at main · MicrosoftDocs/azure-docs · GitHub

Unable to access the storage account () with the access token from azure media service

I tried to create an asset for azure media service from the portal as well as from code, we're getting below error:
Unable to access the storage account ({resource-name}) with the access token.
we used an existing storage account while setting up the azure media service.

The Managed Identity of Media Services account must have the Storage Blob Contributor role for the storage account.
To check this in the Azure Portal, first find out which identity set for the storage account by selecting "Storage accounts" from the menu of the Media Services account, this should be either "System-assigned" or the name of a user-assigned Managed Identity. Next, go to the storage account in the portal, select "Access Control (IAM)" from the menu, select "Role assignments" from the toolbar, then add the role assignment. When adding the role assignment, the Role should be set to "Storage Blob Data Contributor" and the Members should be set to the Managed Identity used by the Media Services account to access the storage account. After adding the role assignment, it may take a few minutes for the change to take effect.
Other considerations
Adding the role assignment should fix this issue. If not, the issue may be related to the storage account configuration. Check that the following storage account options are set:
Performance: Standard
Enable hierarchical namespace: Off
Allow Azure services on the trusted services list to access this storage account: Enabled
This option is found in the "Networking" section of the storage portal pages, under "Firewalls and virtual networks", when the "Allow access from" ... "Selected networks" option is selected

Azure Permissions to get information on a resource without being able to read it

I am working on an Azure application that gets the resources in a subscription, and then gets some information on them, e.g. get all the storage resources then get all the properties for them.
storage_client = StorageManagementClient(
session.client_secret_credentials,
session.subscription_id,
api_version="2021-06-01",
)
storage_account: StorageAccount = storage_client.storage_accounts.get_properties(
resource_group,
storage_account_id,
)
I want the app to have the minimum permissions so that it can only get the existence and information about the resource but not read the contents of the resource at all.
The application does a similar thing in AWS where it uses the security audit role.
Is there are role in Azure that can do this? If not is it possible to create one? All the MS documentation I have looked at just talks about Read permissions which does not seem what I want.

Reader permission on a Storage account does not allow you access to the contents of the Storage account.
There are separate roles/permissions for data access.
Of course there are also access keys but to get them the app would need Write permissions to the Storage account.
You can read more here: https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal#assign-an-azure-role
The Reader role is an Azure Resource Manager role that permits users
to view storage account resources, but not modify them. It does not
provide read permissions to data in Azure Storage, but only to account
management resources.

How to access blob in private storage account in azure function using Powershell

Need to get metadata from blob URL..I am able to get it with public access, but need to get it if the storage account access level is private..
Created a Azure function with Powershell and running this script and getting this error.
PublicAccessNotPermittedPublic access is not permitted on this storage account.
This is the Powershell script that gives me the metadata(getting error for Private storage account):
&"D:\Projects\test\MediaInfo.exe" -Open 'Bloburl'
I also tried with SAS token with blob url but it did not work.

Resources