I have two teams:
Team1: Who supports the subscription (having Storage1) and having the contributor access
Team2: Who owns the subscription (having Storage1) and has the contributor access.
The storage (storage1) has data which Team2 (owner) don't want to show the data to Team1 (support team).
Considering the above scenario, is there any security policy at the storage level put in place so that [even if the Support team(Team1) has contributor access to the subscription] can NOT view the data from the storage?
Please suggest the best ways to proceed forward.
Thanks.
There are specific data action permissions that allow crud operations for blobs. If Team2 does not have those permissions they'll not be able to do anything with the blobs. One of the built-in roles with those permissions is the Storage Blob Data Contributor, while resource roles such as Contributor or Storage Account Contributor don't have those.
However; the default Contributor and Storage Blob Data Contributor roles give access to the access keys, which can also be used to gain access to the blobs. You could disable access keys, but a contributor has access to that option and could enable them again.
So if you want to limit your contributors you can do so; but you'll require a different role (likely a custom role) that does not have access to the Microsoft.Storage/storageAccounts/listkeys/action permission.
Related
Added a policy in my test subscription and it works as expected.
The same policy at my PROD sub work does not do anything, it should move blobs to the cool access tier from hot.
On my test sub I have owner rights and storage blob data contributor rights.
On my PROD sub I have storage account contributor and storage blob data owner, should I also add storage blob data contributor rights?. Wouldn't that be included in storage account contributor?
In order to work with Azure Storage Account Life Cycle Management policies, you need role that includes Microsoft.Storage/storageAccounts/managementPolicies/write permission.
The valid roles that allow you to work with Life Cycle Management policies are:
Owner - It grants you full access to manage all resources along with assigning roles.
Contributor - It won't allow you to assign roles but grants full access to manage all resources.
Storage Account Contributor - It grants you full access to manage storage accounts(only).
As your Test subscription has Owner rights, it allowed you to manage Life Cycle Management policies.
To confirm this, click on the role and check for storage management policies:
There is no need to assign Storage Blob Data Contributor role to Prod subscription as it already has Storage Account Contributor role that includes below actions:
I tried to reproduce the same in my environment by assigning Storage Account Contributor role and got below results.
I created a Life Cycle Management policy to move blobs to the cool access tier from hot tier like below:
Go to Azure Portal -> Storage Accounts -> Your account -> Lifecycle management -> Add a role
When I checked the blobs, they are still in Hot access tier like below:
As I created the policy recently, it may take upto 48 hrs to be effective as mentioned below:
If that's your case, please wait for intended time period and check after a couple of days.
Blobs moved to cool access tier from hot when I checked after a few days like below:
UPDATE:
Please check the below note from this Microsoft Doc that confirms management policies will be blocked if firewall rules are enabled for your storage account.
You need to select exception as below that allows access to trusted Azure services:
References:
Grant access to trusted azure services | Microsoft Docs
Managing the lifecycle policies - Azure Storage | Microsoft Docs
I have an AAD Group that is allowed to access the Data Lake Gen 2 via RBAC. However, there are some people in the AAD Group that should not be allowed to see some of the files/folders. How can it be done?
I saw ACLs, but from what I've read ACLs are not evaluated if RBAC provides access already.
--> https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model#how-permissions-are-evaluated
No, you can't.
If the AAD group already has the RBAC role Storage Blob Data Owner/Storage Blob Data Contributor/Storage Blob Data Reader at your storage account scope(include higher-level scope), there is no way to restrict the members to access a folder/file inside.
I need to allow Azure AD user to manage - via the Azure Portal - containers, blobs, keys for a given storage account.
Docs state that the Storage Blob Data Contributor role by itself will not provide sufficient permissions to navigate through the portal to the blob in order to view it. So to enable user to navigate through the Portal - the Reader role is required.
Am I right that I need to assign Reader, Storage Account Contributor and Storage Blob Data Contributor roles to achieve what I want?
I have an Azure Storage Account and want to grant read access to a colleague. All identities are in the same Azure Active Directory so it was easy to add him to the "Reader" role in the Access Control blade of the Azure portal.
When he opens Microsoft Azure Storage Explorer the subscription and storage account are visible but the node for Blob Containers can't be expanded. Exception says:
Could not obtain keys for Storage Account. Please check that you have
the correct permissions
This is expected behavior. Essentially to list storage keys, the user should be in a role that allows listKeys operation. The built-in Reader role does not have permission to perform listKeys operation.
The rationale (a bit convoluted though) behind this decision is that a user in Reader role should only be able to Read and not perform any inserts/updates or deletes. Considering if someone has account key for a storage account, they can do these operations. Thus the user in Reader role is not granted permission to list the account keys.
What you could do is create a Shared Access Signature (SAS) with read/list permissions and share that SAS URL with your colleague. Then they will be able to access the data in that storage account but won't be able to perform any create/update/delete operations.
Looks like this is now possible (In preview). Your AD users can be given the "Storage Blob Data Reader" privilege.
https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-aad-authentication-for-storage/
I have a resource group in Azure which contains cloud service and a storage account. I want to give access to the resource group to my developers so that they can access the resources and make changes. However, there is one particular table in the storage account which contains sensitive user details. The table is being updated through our client app using SAS tokens.
I want only few selected people from my team to be able to see the complete contents of the table. Is there any way in azure to do this?
Azure Storage access is gated by its account name+key. Anyone with access to that key has access to any object(s) within a storage account, whether, blob, queue, or (in your case) table.
If developers have access to the resource group, and the resource group contains the storage account, then those developers have full access to the storage account contents.
If you wanted to prevent your developers from accessing storage, this storage account would need to reside within another resource group (which the developer does not have access to). And then you would have the choice to provide the developer(s) with the storage account+key, or with a SAS to a particular table.
However: If a developer has been granted co-admin permissions to the Azure subscription itself, then they have access to 100% of resources within the subscription, regardless of resource group or SAS.