I have created an Azure Storage Account in which multiple teams store the blobs/files. I want to provide read-only access to some team members and contributor access to some team members.
How to provide read-only access to the storage account?
The simplest way is to give them a SAS token. See Grant limited access to Azure Storage resources using shared access signatures (SAS)
You can also Authorize access to blobs using Azure Active Directory
Related
In Azure, I have an admin role. In Active Directory, I have added a new user. I need to grant permission to a user to access our storage account as a contributor role. I'm confused between the contributor and storage account contributor roles. What if I granted permission to my storage account only for the contributor role rather than the storage account contributor roles? And what will happen if I give permission for either one or both roles? Can someone explain it to me clearly?
A Storage Account Contributor role enables a user to manage almost all aspects of a storage account (e.g update storage account, read access keys, regenerate access keys, and even delete storage account etc.).
A Contributor role has a much larger scope and it enables a user to manage almost all aspects of any resource in an Azure Subscription.
Now coming to your questions:
What if I granted permission to my storage account only for the
contributor role rather than the storage account contributor roles?
Considering you are scoping the role to a storage account only, I believe it would be the same.
And what will happen if I give permission for either one or both
roles?
If you assign both roles (Contributor and Storage Account Contributor) to a resource normally the higher role (Contributor in this case) prevails. However in this scenario since you are scoping the role to a storage account only, I believe it would be the same.
The difference is the scope of the permissions.
The general Contributor Role :
Grants full access to manage all resources
The storage account contributor:
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
(docs)
So if you want to limit a user to only be able to manage specific resource types asssign them those specific service contributor roles.
Both can also access the data inside the storage account because they have access to the account key.
I am trying to create Azure Billing Export via Portal Azure with the use of SAS token. I want to export costs from tenant A to storage container in tenant B.
I have generated SAS token in storage account with help of this tutorial, with only change of expire date extension. In storage account there is enabled "Allow storage account key access" configuration.
I am able to connect to storage account via Storage Explorer with use of generated SAS token, but when I try to create export there is error:
Export creation failed.SAS token access to user storage is not supported.
I can't find anything about this error in MS Azure documentation and also anywhere in the web.
I generated token by Azure CLI, storage account Shared access signature, container Shared access signature and Storage Explorer.
I have not generated User Delegation SAS, because I need long term access.
The problem was caused by lack of needed permissions to perform that action. I don't know which role gives permissions to do that, Global Admin helped a lot.
How can you access a Storage Account blob container without using an Account Key?
I can access data in Storage Account blobs in Power BI ... but it needs the account Access Key !
Is there some way to access the data using some other authentication approach, i.e. an app registration, service principal, managed identity, whatever ?
You could use Shared Access Signature(SAS) to connect Blob Storage in Power BI. This guide will help you.
If you access blob with Azure AD, it doesn't seem to integrate with Power BI. And there is a .Net code sample about creating a block blob.
Azure AD authenticates the security principal (a user,
group, or service principal) running the application. If
authentication succeeds, Azure AD returns the access token to the
application, and the application can then use the access token to
authorize requests to Azure Blob storage or Queue storage.
For more information, the document describes the options that Azure Storage offers for authorizing access to resources.
I read about shared access signatures generated with stored access policies for Azure Storage from here.
I also read how to create this shared access signature with stored access policies for Azure Storage using PowerShell here.
However, I want to do the above using Azure Portal. I know how to generate an ad-hoc shared access signature. I also know how to create a stored access policy for a container in my Azure Blob.
How do I create a shared access signature with a stored access policy for an Azure Blob container in Azure Portal?
Preview of Storage Explorer is now available in Azure portal.
You can generate SAS for a container by right clicking on the container and select Get Shared Access Signature like we do in Storage Explorer using the preview
How do I create a shared access signature with a stored access policy
for an Azure Blob container in Azure Portal?
Simple answer to your question is that as of today you can't create a shared access signature (SAS) using a stored access policy in Azure Portal. This feature is not there yet. In fact, feature to create a SAS on a blob container is not there on the portal as of yet. You could only create account level SAS using Azure Portal.
If you need to create a SAS on a container using a stored access policy, please use Microsoft Storage Explorer tool (or any other storage explorer tool that has support for blobs management). Using this tool you will be able to specify a stored access policy when creating a SAS on the container.
Can we provide access to blobs or containers or storage accounts using Azure Active Directory? I have tried to add using AAD but is not permitting to add storage account.
Can we provide access to blobs or containers or storage accounts using
Azure Active Directory?
As of today, it is not possible to provide Azure AD based access to blobs/containers in a storage account. Access to these resources is controlled by storage account keys.
What you can do is restrict the access to management operations on these storage accounts by Azure AD so that only authorized users get access to account keys.
No, I'm afraid that you cannot do that.
https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-how-to-use-files#file-storage-faq
The closest solution you can have is to use shared access keys
https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1
Cheers,
Toan Nguyen
Update: this is possible today.
https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad