give acess to users in directory StorageV2 (general purpose v2) - azure

there are some directories in StorageV2 (general purpose v2) as shown below
My role is contributor I want to give access for a user to read W the directory named '2000' and all its subdirectories How can I do this? Is this possible with Powershell.
It would be really nice if you can help

You can do this with the Azure CLI which can be run in Powershell. You should be able to do this as a contributor with the az role assignment create command.
Keep in mind that permissions with this command are granted at the container scope. Data Lake storage could be used to give folder level permissions. Blob storage doesn't actually have folders, it's just displayed that way so that it is easier to navigate.
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee <email> \
--scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

Related

Inconsistent authorization warning and error while using az storage entity query

When I issue the following command:
az storage entity query --account-name acc1 --table-name table1
I successfully get my query result with the following warning:
There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.
You also can add `--auth-mode login` in your command to use Azure Active Directory (Azure AD) for authorization if your login account is assigned required RBAC roles.
For more information about RBAC roles in storage, visit https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-cli.
In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.
To avoid above warning, I add --auth-mode login to the command:
az storage entity query --account-name acc1 --table-name table1 --auth-mode login
Then I get this error:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"
If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.
My account is able to get the query result without --auth-mode login switch. Why it fails authorization with the switch?
When you don't specify the authentication type, it will try yo get the access key of the storage account:
This requires Microsoft.Storage/storageAccounts/listkeys/action permission. If you have contributor role oier the storage account, you have the required permission.
--auth-mode login means it will use AAD auth to connect to the storage. You can use of the built-in roles to access the storage (see documentation):
Storage Table Data Contributor
Storage Table Data Reader
When using AAD Auth, you could also disable access key authentication.
There is an good article related to RBAC management and data plane model:
Assign an Azure role for access to blob data.

Cannot assign Azure Role for cosmos db

I am trying to assign an identity a role to read/write to cosmos db. I run this command:
az role assignment create \
--assignee <sp_object_id> \
--role "00000000-0000-0000-0000-000000000002" \
--scope "/subscriptions/<subscriptionId>/resourceGroups/<resource-group-name>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmos-db-name>"
This is the error I get back:
The specified role definition with ID '00000000000000000000000000000002' does not exist.
I have tried with the role name to no avail. I have tried the GUI, but this role is not visible anywhere there.
How can I assign this role?
The RBAC on Azure Cosmosdb is built similar to Azure RBAC where there is more granular control on the data operations instead of Azure resource management. The permission model describes in detail.
During implementations where SDK are used to interact with the dataplane (e.g, writing data or reading data), the application should be provided with granular data level permissions. Data plane level permission cannot be given from the portal.
Following command provides "data contributor" permissions on the "container1" within the database but only "data reader" on "container2" within the same database
az cosmosdb sql role assignment create --account-name ${{ variables.cosmosdbAccountName }} --resource-group ${{ variables.resourceGroupName }} --role-definition-name "Cosmos DB Built-in Data Contributor" --scope "/dbs/${{ variables.cosmosdbAccountDatabaseName }}/colls/${{ variables.cosmosdbContainerOneName }}" --principal-id $(umiObjectId)
az cosmosdb sql role assignment create --account-name ${{ variables.cosmosdbAccountName }} --resource-group ${{ variables.resourceGroupName }} --role-definition-name "Cosmos DB Built-in Data Reader" --scope "/dbs/${{ variables.cosmosdbAccountDatabaseName }}/colls/${{ variables.cosmosdbContainerTwoName }}" --principal-id $(umiObjectId)
Again above example only shows usage of built-in CosmosDB Data Plane RBAC, it is good practice to have custom roles for more fine grained access within each container.
NOTE: Azure CosmosDB data containers are not Azure Resources, meaning cannot be created by Azure Resource Model (ARM). So this permission model fulfills the authorization need with many security benefits
It seems ordinary role commands do not work for cosmosdb, and this command should be used instead:
az cosmosdb sql role assignment create

Azure Storage blob delete cache permission issue

I have an Azure account with Owner permission for the subscription we have. I can see that two permissions existing for the same subscription, One is owner, and the other is Contributor. I am trying to delete the blob cache with the following Azure CLI command:
az storage blob delete-batch --source <containerName> --account-name <storageAccountName> --auth-mode login
I am getting the below error
I am not sure, despite having enough permissions why I am getting this error. Please help
Attaching the permission of my subscription
My access permission to storage account
If you set the --auth-mode parameter to login, it means that you use Azure AD auth to retrieve Azure blob data. If so, the Azure AD Azure AD security principal you used to login should be assigned to the role Storage Blob Data Owner Storage Blob Data Contributor or Storage Blob Data Reader. Otherwise, you have no permissions to process Azure blob.
Now, your account just has been assigned to Owner, please set the --auth-mode parameter to key which means that users attempt to retrieve the account access key to use for processing Azure blob. The Owner role has the permissions to do that.
For more details, please refer to here and here

Least privilege permissions for az storage blob upload-batch

Our CI pipeline needs to back up some files to Azure Blob Storage. I'm using the Azure CLI like this: az storage blob upload-batch -s . -d container/directory --account-name myaccount
When giving the service principal contributor access, it works as expected. However, I would like to lock down permissions so that the service principal is allowed to add files, but not delete, for example. What are the permissions required for this?
I've created a custom role giving it the same permissions as Storage Blob Data Contributor minus delete. This (and also just using the Storage Blob Data Contributor role directly) fails with a Storage account ... not found. Ok, I then proceeded to add more read permissions to the blob service. Not enough, now I'm at a point where it wants to do Microsoft.Storage/storageAccounts/listKeys/action. But if I give it access to the storage keys, then what's the point? With the storage keys the SP will have full access to the account, which I want to avoid in the first place. Why is az storage blob upload-batch requesting keys and can I prevent this from happening?
I've created a custom role giving it the same permissions as Storage Blob Data Contributor minus delete. This (and also just using the Storage Blob Data Contributor role directly) fails with a Storage account ... not found.
I can also reproduce your issue, actually what you did will work. The trick is the --auth-mode parameter of the command, if you did not specify it, it will use key by default, then the command will list all the storage accounts in your subscription, when it found your storage account, it will list the keys of the account and use the key to upload blobs.
However, the Storage Blob Data Contributor minus delete has no permission to list storage accounts, then you will get the error.
To solve the issue, just specify the --auth-mode login in your command, then it will use the credential of your service principal to get the access token, then use the token to call the REST API - Put Blob to upload blobs, principle see Authorize access to blobs and queues using Azure Active Directory.
az storage blob upload-batch -s . -d container/directory --account-name myaccount --auth-mode login

use Service Principal when reading azure blob

i followed the tutorial (below *)
and now have a Service Principal .
How can i use this Service Principal when reading a blob using Get-AzureStorageBlob ?
Get-AzureStorageBlob requires a New-AzureStorageContext , can i use the SP instead of the StorageAccountKey guid?
Thanks,Peter
https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/
As far as I know, you cannot use a SPN for accessing items in blob storage. You will need to use the access keys or SAS tokens.
Recently, Azure has added an option to Manage access rights to Azure Storage data with RBAC. You need to add one of the built-in RBAC roles scoped to the storage account to your service principal.
Storage Blob Data Contributor (Preview)
Storage Blob Data Reader (Preview)
Then, if you want to use the AzureCLI to access the Blob Storage with a Service Principal
Log in with a service principal
$ az login --service-principal --tenant contoso.onmicrosoft.com -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret \
Enable the preview extension
$ az extension add -n storage-preview
Use --auth-mode parameter with your AzureCLI command
$ az storage blob download --account-name storagesamples --container sample-container --name myblob.txt --file myfile.txt --auth-mode login
For more information please see:
Manage access rights to Azure Storage data with RBAC (Preview)
Use an Azure AD identity to access Azure Storage with CLI or PowerShell (Preview)
if your SPN has only reader role, you cannot access the storage w/o SAS or account key.
You can asign the SPN to contributor role and create SAS for other normal users.
then switch to other normal user to access the storage with SAS.

Resources