
I am trying to give an AD user IAM access (Storage Blob Data Reader) to a container by REST API call.

My storage structure is like: Subscription >> ResourceGroup >> Resource (i.e. a storage account) >>
many containers >> some blobs under each container

I am able to provide Reader access for a user (who is in my Active Directory) at the storage account level through a REST call using:

    https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2015-07-01

    HEADER:
        Content-Type: application/json
        Authorization: Bearer <token>

    BODY:
        {
          "properties": {
            "roleDefinitionId": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleDefinitions/READER-ACCESS-GUID",
            "principalId": "AD-USER-OBJECT-ID"
          }
        }

Please help me assign a role for that user at a particular container level (not all containers) under the storage account as well, so that he/she can read/write any blob inside that container.

Thank you!

NOTE: I tried with:

    https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/path/CONTAINER-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2018-07-01

In Postman it returns status code 201 and the number of role assignments shown in the Azure portal increases by 1, but the user cannot see any blob inside that container.

Please help or let me know if you need any more info.

Charles Xu
  • According to my understanding, you want to use Azure AD Auth to access Azure blob storage. You need to assign an Azure RBAC role (such as Storage Blob Data Reader) to the user. For more details, please refer to https://learn.microsoft.com/da-dk/azure/storage/common/storage-auth-aad – Jim Xu Feb 12 '20 at 01:30
  • Yes you are right @Jim Xu! But I also tried that link you provided. I am able to give the access manually from the portal to any container. But I want to do it by REST API. I am not finding any PUT call for giving this access. – Subhrangsu Feb 12 '20 at 05:12
  • If you want to assign a role to a user, you can try to use the Azure REST API: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/create – Jim Xu Feb 12 '20 at 07:22
  • Thanks for your quick follow up! I have already gone through that link. But using that I am able to provide access down to the resource or storage account level, not below that, like container level. Need help to form the REST URL for that. – Subhrangsu Feb 12 '20 at 09:49
  • When you call the Azure REST API to assign the role, the container scope should be like `subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts//blobServices/default/containers/` – Jim Xu Feb 12 '20 at 10:04
  • Do you have any other concerns? – Jim Xu Feb 12 '20 at 13:41
  • You are awesome MAN! Thank you very much @Jim Xu ! – Subhrangsu Feb 12 '20 at 14:08
  • Hi Jim, I created a new question as "Read/View a Blob (PDF File) programatically in Browser for an Authenticated AD User (Role Based Access Given to the Container level)" – Subhrangsu Feb 13 '20 at 14:03

1 Answer

According to my understanding, you want to use Azure AD Auth to access Azure blob storage. You need to assign an Azure RBAC role (such as Storage Blob Data Reader) to the user. For more details, please refer to https://learn.microsoft.com/da-dk/azure/storage/common/storage-auth-aad

Regarding how to assign a role to one user with the REST API, please refer to the following steps:

  1. Register Azure AD application

  2. Configure API permissions

  3. Call the rest api in the postman

    a. get access token

    b. get role name and role id

    GET  https://management.azure.com/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq '<the role your need such as Storage Blob Data Contributor>'&api-version=2018-01-01-preview
    
    Header:
          Authorization: Bearer <token>
    


    c. assign role

    PUT https://management.azure.com/<your scope>/providers/Microsoft.Authorization/roleAssignments/<new role assignment GUID>?api-version=2018-01-01-preview
    Header:
         Authorization: Bearer <token>
         Content-Type: application/json
    Body
        {
          "properties": {
            "roleDefinitionId": "<role id>",
            "principalId": "<The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.>"
          }
        }
    

    Please note that the container scope should be like subscriptions/<subscription id>/resourceGroups/<group name>/providers/Microsoft.Storage/storageAccounts/<account name>/blobServices/default/containers/<container name>

  4. Check with Storage Explorer. For more details, please refer to the document.

    a. Select the Connect symbol to open Connect to Azure Storage.

    b. If you haven't already done so, use the Add an Azure Account option to sign in to the Azure account that has access to the resource. After you sign in, return to Connect to Azure Storage.

    c. Select Add a resource via Azure Active Directory (Azure AD), and then select Next.

    d. Select an Azure account and tenant. These values must have access to the Storage resource you want to attach to. Select Next.

    e. Choose the resource type you want to attach. Enter the information needed to connect.

    The information you enter on this page depends on what type of resource you're adding. Make sure to choose the correct type of resource. After you've entered the required information, select Next.

    f. Review the Connection Summary to make sure all the information is correct. If it is, select Connect. Otherwise, select Back to return to the previous pages to fix any incorrect information.

Jim Xu
  • It worked fine!! Thank you Jim for your effort, follow up and quick turnaround time. GREAT! – Subhrangsu Feb 12 '20 at 14:08
  • Hi, Jim Xu, can you please help me by giving any REST GET URL to view a blob file for a user who already has Storage Blob Data Reader access at container level. – Subhrangsu Feb 13 '20 at 09:56
  • @Subhrangsu please refer to https://learn.microsoft.com/en-us/rest/api/storageservices/operations-on-blobs – Jim Xu Feb 13 '20 at 10:06
  • Yes, got that. But when I am placing this https://myaccount.blob.core.windows.net/mycontainer/myblob in my browser's new tab it shows ResourceNotFound. I am already logged in with that user who has Storage Blob Data Reader access to the container. – Subhrangsu Feb 13 '20 at 10:24
  • I am unable to attach any image. Trying to explain below: I tried this: https://videostoragelearn.blob.core.windows.net/test10/DLBook.pdf where container=test10. Here the user has role based access (IAM) for Storage Blob Data Reader. DLBook.pdf = blob. In the first tab I opened the portal.azure site logged in with the user and in the second tab I want to open that blob. But got Error: The specified resource does not exist. RequestId:3f73b4ef-601e-0057-575b-e2413a000000 Time:2020-02-13T10:53:53.0780528Z – Subhrangsu Feb 13 '20 at 10:50
  • @Subhrangsu To make me better understand your issue and help you, I suggest you create a new issue. You can call me and I will continue to help you. – Jim Xu Feb 13 '20 at 11:07
  • Yes you are right. We can close this here. Will surely create a new .Thanks for all the help – Subhrangsu Feb 13 '20 at 13:09
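As an added worked example (not code from the question or from Jim Xu's answer): the two ARM calls from the answer, looking up the role definition by name and then PUTting a role assignment at blob container scope, as a small Python module. The HTTP transport is injected, so the module runs offline against a constructed stand-in for management.azure.com; for real use you would pass a function wrapping `requests.Session.request` and a bearer token issued for the ARM audience (`https://management.azure.com/`). Every subscription, resource group, account, container, principal and role GUID below is a constructed placeholder. Two things go beyond what the answer shows and are the example's own choices: the `.../path/<container>` scope shape tried in the question is rejected up front, and a 409 on a duplicate assignment (ARM's `RoleAssignmentExists`) is treated as success.

```python
import re
import uuid
from typing import Any, Dict, Optional, Tuple
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2018-01-01-preview"  # api-version used by the answer's two calls

# A transport is any callable (method, url, headers, json_body) -> (status, parsed_json).
# Wrap requests.Session.request for real use; FakeArm below is the offline stand-in.

_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Scopes this example accepts: the storage account, or one blob container beneath it.
# The ".../path/<container>" form from the question is deliberately rejected: the
# container resource lives under blobServices/default/containers, so an assignment
# at any other string is never consulted when the user reads a blob.
_SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Storage/"
    r"storageAccounts/[^/]+(/blobServices/default/containers/[^/]+)?$"
)


def container_scope(sub: str, rg: str, account: str, container: str) -> str:
    """Scope string for one blob container, exactly the shape given in the answer."""
    return (f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/"
            f"storageAccounts/{account}/blobServices/default/containers/{container}")


def is_supported_scope(scope: str) -> bool:
    return _SCOPE_RE.match(scope) is not None


def _headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def role_definition_url(sub: str, role_name: str) -> str:
    # $filter is a query-string value, so spaces and quotes must be URL-encoded.
    flt = quote(f"roleName eq '{role_name}'", safe="")
    return (f"{ARM}/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions"
            f"?$filter={flt}&api-version={API_VERSION}")


def get_role_definition_id(http, token: str, sub: str, role_name: str) -> str:
    """Step b of the answer: resolve a role name to its full roleDefinitions id."""
    status, doc = http("GET", role_definition_url(sub, role_name), _headers(token), None)
    if status != 200 or not doc.get("value"):
        raise LookupError(f"role {role_name!r} not found (HTTP {status})")
    return doc["value"][0]["id"]


def build_assignment(scope: str, role_definition_id: str, principal_id: str,
                     assignment_id: Optional[str] = None) -> Tuple[str, Dict[str, Any]]:
    """Step c of the answer: the PUT url and body. The last URL segment is a fresh
    GUID naming the new assignment; it is not the role name."""
    if not is_supported_scope(scope):
        raise ValueError(f"unsupported scope: {scope}")
    if not _GUID.match(principal_id):
        raise ValueError("principalId must be the AAD object id (a GUID), not a UPN")
    name = assignment_id or str(uuid.uuid4())
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/{name}"
           f"?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_definition_id, "principalId": principal_id}}
    return url, body


def assign_role(http, token: str, scope: str, role_definition_id: str, principal_id: str) -> str:
    """PUT the assignment; returns the scope ARM echoes back, or "exists" on 409."""
    url, body = build_assignment(scope, role_definition_id, principal_id)
    status, doc = http("PUT", url, _headers(token), body)
    if status == 409:  # RoleAssignmentExists: same principal, role and scope already present
        return "exists"
    if status not in (200, 201):
        raise RuntimeError(f"role assignment failed: HTTP {status} {doc}")
    return doc["properties"]["scope"]


# ---- constructed sample data and an offline stand-in for ARM (not real ids) ----
SUB = "11111111-1111-1111-1111-111111111111"        # constructed subscription id
PRINCIPAL = "22222222-2222-2222-2222-222222222222"  # constructed AAD user object id
ROLE_GUID = "33333333-3333-3333-3333-333333333333"  # placeholder for the built-in role's GUID


class FakeArm:
    """Answers only the two calls used above; remembers assignments to produce 409s."""
    def __init__(self) -> None:
        self.assignments: Dict[Tuple[str, str, str], str] = {}

    def __call__(self, method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": {"code": "AuthenticationFailed"}}
        if method == "GET" and "/roleDefinitions?" in url:
            rid = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{ROLE_GUID}"
            return 200, {"value": [{"id": rid, "properties": {"roleName": "Storage Blob Data Reader"}}]}
        if method == "PUT" and "/roleAssignments/" in url:
            scope = url[len(ARM):].split("/providers/Microsoft.Authorization/roleAssignments/", 1)[0]
            key = (scope, body["properties"]["roleDefinitionId"], body["properties"]["principalId"])
            if key in self.assignments:
                return 409, {"error": {"code": "RoleAssignmentExists"}}
            self.assignments[key] = url
            return 201, {"properties": {**body["properties"], "scope": scope}}
        return 404, {"error": {"code": "NotFound"}}


def demo() -> Dict[str, Any]:
    """Grant Storage Blob Data Reader on one container, then repeat to show the 409 path."""
    http, token = FakeArm(), "constructed-arm-token"
    role_id = get_role_definition_id(http, token, SUB, "Storage Blob Data Reader")
    scope = container_scope(SUB, "rg-demo", "stdemo", "reports")
    return {"role_id": role_id,
            "granted_at": assign_role(http, token, scope, role_id, PRINCIPAL),
            "repeat": assign_role(http, token, scope, role_id, PRINCIPAL)}
```

Against a real tenant, compare the `scope` ARM echoes back in the PUT response with the scope you intended: an assignment that was accepted at an unexpected string is the symptom the question describes (a 201 and a new row in the portal, but no blob access).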