C# - Azure Storage with Managed Service Identity

Question

Has anyone managed to implement or has any documentation regarding Managed Service Identity(MSI) with Azure Storage - Ideally using Blob

My goal is to authenticate my WebApp/WebJob through MSI with Storage. After authentication has been setup I will then push blobs to Storage. The reason I need this is to eliminate any form of connectionstring and passwords from my app config.

Please edit your question and include more details regarding what you want to accomplish. — Gaurav Mantri, May 16 '18 at 08:38
There is sufficient info in the question to warrant an answer, which I have provided below. — Murray Foxcroft, May 16 '18 at 09:00
@MurrayFoxcroft Please go through the edit history of the question. The 2nd paragraph was added later on. — Gaurav Mantri, May 16 '18 at 09:04
I'm attempting to access Azure Storage from an Azure Function using a system assigned managed identity. And I'm encountering an `Unauthorized` exception. Details are at https://stackoverflow.com/q/56284486/852956 — CalvinDale, May 24 '19 at 00:46

Murray Foxcroft · Accepted Answer · 2018-09-20T08:54:07.717

7

Update Azure Blob Storage now supports MSI (Managed Service Identity) for "keyless" authentication scenarios! See the list of supported services here.

Old Answer

Unfortunately Blob Storage is not supported, either to have it's own identity or to provide access to services that have their own identity. The reason is because Blob Storage (all of Azure Storage) does not work with Azure Active Directory.

However you do have other options, like Azure Data Lake Store or SQL Server that can be accessed via MSI.

Also note that Key Vault is supported. In your case, I would create a SAS key to the storage with the relevant restrictions in place and then place the SAS key in Key Vault. Use MSI from your WebApp to retrieve the key from Key Vault. Interestingly, we have been able to build this configuration out using ARM templates, placing the trust in the WebApp MSI and the storage key in the Key Vault, with only the deployment account ever knowing the key, nice and secure, developers never see or need the SAS key...

You can find the list of services that support MSI (Managed Service Identity) at this link.

edited Sep 20 '18 at 08:54

answered May 16 '18 at 08:59

Murray Foxcroft

12,785
7
58
86

One more thing I would like to point out is that Azure AD based authentication/authorization is coming soon to Azure Storage. They have added some roles (like Storage Blob Reader etc.) recently. It's a different thing that they don't work today :). – Gaurav Mantri May 16 '18 at 09:06
1

Indeed, but if you have an app that needs it today, then you are out of luck :). Good to point out to "watch this space" - Azure keeps evolving – Murray Foxcroft May 16 '18 at 09:08
Completely agree with you on this. – Gaurav Mantri May 16 '18 at 09:09
Great, thanks for the info. – TheFreeman May 16 '18 at 10:49
2

Now Azure Storage is listed at that link as a service that supports MSI (in preview since May 2018). Is it time to update this answer? – oderibas Sep 20 '18 at 08:09
I have updated the answer, thanks. – Murray Foxcroft Sep 20 '18 at 08:54

C# - Azure Storage with Managed Service Identity

1 Answers1