I am trying to create a read-only Blob Container with Azure AD Authentication. My application will upload files to this Blob container and an email will be sent to users inside my organization with a link to a file that they will download with a browser.
I have created a simple storage account and created a blob container inside it.
Access level is currently set to: Private (no anonymous access)
I have given my test user Reader permission on the Storage Account and Storage Data Blob Reader on the blob container
Permissions given to my demouser account that will only have Reader permissions to blob files:
I've uploaded a test file with my admin account:
With my demouser logged into my Azure Organization via Azure Storage Explorer, I can download the file just fine:
However when I try to download the file with a direct link https://sareadonly01.blob.core.windows.net/myreadonlycontainer01/TestFile01.txt from a browser, which will be the way the users will be downloading these files with a link in an email, I get this error: "The specified resource does not exist."
If I change the Access Level of the blob container to: Blob (anonymous read only access for blobs only), then my demouser can download the file in a browser, but so can everyone else outside my organization and this doesn't use AAD Authentication.
So how do I create a Read-Only Blob container with AAD Authentication and the ability to download files with a direct URL from a browser?
Related
I generated a sas token with the list permission for a folder in a datalake storage account gen2.
Howerver when I try to access it with an httpGet request, I get AuthorizationPermissionMismatch error This request is not authorized to perform this operation using this permission
I know that to list a container with httpRequest we have to add &comp=list&restype=container in the queryString. Is there any specific param to add for listing a folder
Thanks
Once you have generated the SAS token on the container level using the required permissions. You can add a directory filter in the rest API like below :
https://<StorageURL>/<Container>?directory=<DirectoryName>&restype=container&comp=list&<SASToken>
I tested the same in my environment . I created ADLS Gen 2 Storage account , a test container and then a directory named as Folder and added few files in it as shown below :
Then using SAS generated on container level , I called the below Rest API :
https://adlsgen2ansuman.blob.core.windows.net/test?directory=folder&restype=container&comp=list&sp=racwdlmeop&st=2022-02-03T06:55:43Z&se=2022-02-03T14:55:43Z&spr=https&sv=2020-08-04&sr=c&sig=xxxxxxxxxxxxxxxxxx
Output:
How to create a custom role in Azure using Access Control(IAM), so that another user is able to view the list of files in a blob container but not its contents. Also, the user should not be able to make any changes.
How to create a custom role in Azure using Access Control(IAM), so
that another user is able to view the list of files in a blob
container but not its contents. Also, the user should not be able to
make any changes.
I don't think it is possible to do so with RBAC roles.
From this link, both List Blobs and Get Blob operation require Microsoft.Storage/storageAccounts/blobServices/containers/read (scoped to the blob container) permission thus if a user is in a role that has this permission, then that user will be able to perform both operations.
However you can achieve this using Shared Access Signature (SAS). If you create a SAS on a blob container with just list permissions, using that SAS URL a user will only be able to list blobs in a blob container and nothing else.
After storing a digital file in Azure blob storage, I want to provide a link to that file in my static website (that has no server side code). When a user clicks on that link user should be able to download that digital file to his/her computer. Question: How do you get the url of a digital file stored in Azure blob storage?
Each blob in Azure Storage has a URL of the following format:
https://account.blob.core.windows.net/container/blob
Where:
account is the name of your storage account, container is the name of your blob containerandblob` is the name of your blob.
Now that your requirement is that a user should be prompted to download the file directly without using any server-side code, these are the additional things you would need to do:
Make sure that the blob container's ACL is either set to Blob (recommended) or Public. If you set the ACL to Private, then you would need a Shared Access Signature (SAS) and that would require some server-side code.
Either set the content-type of the blob to application/octet-stream (default content type for any blob in Azure Storage) or set the content-disposition property to attachment; filename="your file name" to force the file download instead of displaying it inside the browser only. Recommended approach is to use content-disposition property.
my goal is to restrict access to a Azure Data Lake Gen 2 storage on a directory level (which should be possible according to Microsoft's promises).
I have two directories data, and sensitive in a data lake gen 2 container. For a specific user, I want to grant read access to the directory data and prevent any access to directory sensitive.
Along the documentation I removed all RBAC assignements for that user (on storage account as well as data lake container) so that I have no inherited read access on the directories. Then I added a Read-ACL statement to the data directory for that user.
My expectation:
The user can directly download files from the data directory.
The user can not access files of the sensitive directoy
Reality:
When I try to download files from the data directory I get a 403 ServiceCode=AuthorizationPermissionMismatch
az storage blob directory download -c containername -s data --account-name XXX --auth-mode login -d "./download" --recursive
RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
I expect that this should work. Otherwhise I only can grant access by assigning the Storage Blob Reader role but that applies to all directory and file within a container and cannot be overwritten by ACL statements. Did I something wrong here?
According to my research, if you want to grant a security principal read access to a file, we need to give the security principal Execute permissions to the container, and to each folder in the hierarchy of folders that lead to the file. for more details, please refer to the document
I found that I could not get ACLs to work without an RBAC role. I ended up creating a custom "Storage Blob Container Reader" RBAC role in my resource group with only permission "Microsoft.Storage/storageAccounts/blobServices/containers/read" to prevent access to listing and reading the actual blobs.
I have created blob container to upload files from user side, I need to restrict user to create any other folder inside that container.
I have tried creating access policy and all, nothing help on this.