Grant Azure User Write Access to Storage Account

Author

Reads 677

Close-Up Shot of a Person Using a Laptop
Credit: pexels.com, Close-Up Shot of a Person Using a Laptop

To grant Azure user write access to a storage account, you'll first need to create a new role assignment in the Azure portal. This can be done by navigating to your storage account, selecting "Access control (IAM)", and then clicking on "Add role assignment".

The "Storage Blob Data Contributor" role is a good starting point, as it allows users to write to the storage account. You can find this role by searching for it in the "Role" dropdown menu.

To assign this role to a specific user, you'll need to enter their Azure AD username or email address in the "Members" field. Make sure to select the correct subscription and resource group before clicking "Save".

For your interest: Azure Blob Storage Access

Azure Storage Permissions

Azure provides built-in roles for authorizing access to blob and queue data using Azure AD and OAuth, such as Storage Blob Data Owner, Storage Blob Data Contributor, and Storage Blob Data Reader.

To access file data in the Azure portal, you'll need specific permissions, which are often provided via Azure role-based access control (Azure RBAC).

Credit: youtube.com, Azure Files - Assign Azure Permissions to Users/Groups That Require Access 11/13

To manage access to resources, Azure RBAC defines who has access to resources and what they can do with those resources, using role definitions and role assignments.

Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access Azure storage data.

Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD.

However, if a role includes the Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys.

To grant a user write access to a storage account, you'll need to assign a role that includes the necessary permissions, such as Storage Blob Data Contributor.

Here's a summary of the built-in roles for blob and queue data:

  • Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2.
  • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
  • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
  • Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.

Azure Roles and Authentication

Credit: youtube.com, Azure Storage AD RBAC Authentication | Role Based Access Configuration

Azure provides built-in roles for authorizing access to blob and queue data using Azure AD and OAuth, including Storage Blob Data Owner, Storage Blob Data Contributor, and Storage Blob Data Reader.

To access blob or queue data, only roles explicitly defined for data access are permitted. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit management of a storage account, but do not provide access to the blob or queue data.

The Storage Blob Delegator role allows you to get a user delegation key to create a shared access signature that is signed with Azure AD credentials for a container or blob.

Here are the built-in roles for authorizing access to blob and queue data:

  • Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2.
  • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
  • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
  • Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.

Assign Azure Role

To assign an Azure role, you need to choose from the built-in roles provided by Azure for authorizing access to blob and queue data. These roles include Storage Blob Data Owner, Storage Blob Data Contributor, Storage Blob Data Reader, and Storage Blob Delegator.

Related reading: What Is Azure Storage

Credit: youtube.com, AZ-900 Episode 28 | Azure Role-based Access Control (RBAC)

Each role has specific permissions that determine what actions a user can perform on blob and queue data. For example, the Storage Blob Data Owner role allows users to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2.

If you want to grant read-only permissions to a user, you can assign the Storage Blob Data Reader role. This role only allows users to read blob storage resources, but not write or delete them.

To manage a storage account, you can assign the Owner, Contributor, or Storage Account Contributor role, but these roles do not provide access to the blob or queue data within that account via Azure AD.

Here are the built-in roles for authorizing access to blob and queue data:

  • Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2.
  • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
  • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
  • Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.

Keep in mind that built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD.

Authenticate with Access Key

Credit: youtube.com, What are RBAC Roles in Azure and How to Use Them

To authenticate with an access key, you'll need to switch to using the account access key. Select the link that says Switch to access key to proceed.

If you have access to the storage account key, you'll be able to list data. However, if you lack access to the account key, you'll see an error message stating that you don't have permissions to use the access key to list data.

No file shares will appear in the list if you don't have access to the storage account access key.

Azure Storage Conditions Overview

Azure Storage conditions allow you to fine-tune access to your storage resources by using role assignment conditions that evaluate specific attributes during authorization.

You can use conditions with Azure built-in roles or custom roles, but keep in mind that conditions aren't supported for management Actions through the Storage resource provider.

Conditions are an additional check that is evaluated when an action on the storage resource is being authorized, and they can be used to enable finer-grained access to resources.

Credit: youtube.com, Stored Access Policy Vs Shared Access Signature (SAS) - Azure Blob Storage Access Permissions

For example, you can grant a user read access to blobs in your storage accounts only if the blobs are tagged as Project=Sierra.

The benefits of using role assignment conditions include reducing the number of role assignments you have to create and manage, and expressing access control rules in terms of attributes with business meaning.

You can use conditions with a custom role or select built-in roles, such as Storage Blob Data Reader, Storage Blob Data Contributor, or Storage Blob Data Owner.

However, keep in mind that blob index tags are not supported for Data Lake Storage storage accounts, which use a hierarchical namespace.

The Azure role assignment condition format allows the use of @Principal, @Resource, @Request or @Environment attributes in the conditions.

Here's a quick rundown of the supported attributes and operations:

  • @Principal: a custom security attribute on a principal, such as a user, enterprise application (service principal), or managed identity.
  • @Resource: an existing attribute of a storage resource that is being accessed, such as a storage account, a container, or a blob.
  • @Request: an attribute or parameter included in a storage operation request.
  • @Environment: the network environment or the date and time of a request.

Remember to carefully design and review your conditions to ensure they have the intended effect.

Scenario and Attributes

To allow an Azure user to write to a storage account, you need to consider the scenario and attributes involved.

Credit: youtube.com, How to give access to storage account in Azure

The user must have the necessary permissions to write to the storage account, typically granted through the Azure role-based access control (RBAC) system.

The user's identity must be properly configured to authenticate with Azure, which can be achieved through Azure Active Directory (AAD) or Azure Active Directory B2C (AAD B2C).

Azure storage accounts have different types, such as general-purpose v2, blob storage, and file storage, each with its own set of permissions and attributes.

Additional reading: Azure Active Directory Users

Scenario 4

In Scenario 4, you need to access the Data Lake Storage Gen2 through an Azure Data Factory resource to view data inside a specific directory in a container.

Data Plane RBAC roles are applied to all containers, so you can't restrict access to specific containers, which is why you need to configure ACLs in this scenario.

The requirement to access the data plane means only data plane RBAC roles or ACLs will work, eliminating other options.

To access data in a specific directory, you'll need to configure ACLs, which is a more granular approach than Data Plane RBAC roles.

For more insights, see: Azure Blob Storage Roles

Scenario 6

Credit: youtube.com, Rapid Identity Demos - Scenario 6 Intro

Scenario 6 is a specific case where you need to access a Data Lake Storage Gen2 through Microsoft Azure Storage Explorer at a specific Blob directory level, allowing the user to read and write.

The requirement here is to access a specific blob directory data using Microsoft Azure Storage Explorer, which means only data plane level access is needed, with the caveat that the user needs to be able to read and write.

In this case, only ACLs (Access Control Lists) are needed to set up.

The ACLs should be setup as something similar to the example provided, which will allow the user to access the data.

However, if the user tries to go up all the levels and list the containers, they won't be able to, since this will be the control plane realm which the ACLs won't give access to.

Here are the different access requirements summarized:

  • Access to containers data through the Azure portal requires control and data plane (RBAC + ACLs).
  • Access to containers data through an external tool requires data plane access, with RBAC data plane roles or ACLs.
  • Access to storage account operations requires control plane access, regardless of the access method.

Patricia Dach

Junior Copy Editor

Patricia Dach is a meticulous and detail-oriented Copy Editor with a passion for refining written content. With a keen eye for grammar and syntax, she ensures that articles are polished and error-free. Her expertise spans a range of topics, from technology to lifestyle, and she is well-versed in various style guides.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.