
Can anyone confirm that to make a REST request to Azure Storage we have to do these steps?

  1. Create an App Registration and get its client ID and client secret
  2. Go to API permissions -> Add permission -> Azure Storage, add user_impersonation as an API permission that would allow the application to access the storage account on behalf of the signed-in user.
  3. Go to Access control (IAM) -> Add role -> assign the given signed-in user (email) whichever role you like.
  4. Next you can now access the token to make the request.

In this logic, one has to grant the read/write/complete-storage-account access to the role in step 3 and then impersonate that behavior to the app created.

But let's say that I want to grant these levels of access during the token request. Shown in fig:

Can I do so? That is, can I get these read/write/owner kinds of different permissions while accessing the token? If not, then how can I manage different access levels?

  • Should I use multiple users?
  • Should I use multiple applications?
  • From your description, you want to get different tokens with different permissions? – Joy Wang Apr 15 '21 at 07:49
  • Yes, something like that. What I want is that my customer doesn't have to create multiple users or apps to manage different roles/access (read/write/delete) on the Azure portal; instead, can I do it for him through code using REST calls? – Mayank Patel Apr 15 '21 at 07:59

1 Answer

You don't need multiple applications, but multiple users are needed. When you use the Delegated permission user_impersonation of the Azure Storage API, i.e. https://storage.azure.com/user_impersonation, in the scope, the app will get all the permissions of the user in the storage account after user login. Besides, I notice you used https://myaccount.blob.core.windows.net/user_impersonation, which just works for a specific storage account; make sure it meets your requirement.

  • In my last discussion with @PamelaPeng she suggested myaccount.blob.core.windows.net [link](https://stackoverflow.com/questions/66525481/authorization-permission-mismatch-when-trying-to-put-a-file-in-azure-blob-with-a) and it works for me, so what's exactly the difference between the two? Coming to the main question: can I give read/write/owner access while generating access tokens, or can it be done only through user_impersonation? – Mayank Patel Apr 15 '21 at 08:36
  • @MayankPatel 1. `https://myaccount.blob.core.windows.net` just works for one specific storage account; if it meets your scenario, just ignore it. 2. No, the permissions e.g. `read/write` are the action permissions defined in the RBAC roles. When you request the token, we need to pass the permission exposed by the API, i.e. user_impersonation, which means it can be done only through user_impersonation. – Joy Wang Apr 15 '21 at 08:51
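As an added example (not from either poster), the token request for step 4 and the check a caller should run before sending a token to the Blob REST API, covering both the generic `https://storage.azure.com` resource and the account-specific one discussed in the comments. The tenant id, client id, redirect URI and the unsigned sample token are constructed placeholders; no network call is made.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def storage_resource(account=None):
    """Generic storage resource, or the account-specific one the answer mentions."""
    return f"https://{account}.blob.core.windows.net" if account else "https://storage.azure.com"

def authorize_url(tenant_id, client_id, redirect_uri, account=None):
    """Authorization-code request (v2.0 endpoint) for the delegated user_impersonation scope."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"{storage_resource(account)}/user_impersonation offline_access",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def token_claims(jwt):
    """Decode the payload only; signature verification is the storage service's job."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))

def token_fits_storage(jwt, account=None):
    """Sanity check before sending a token: the audience must be the storage resource
    and the scope must carry user_impersonation (the service rejects it otherwise)."""
    claims = token_claims(jwt)
    scopes = claims.get("scp", "").split()
    return claims.get("aud") == storage_resource(account) and "user_impersonation" in scopes

def storage_headers(jwt):
    """Headers for the Blob REST call; x-ms-version selects the REST API version."""
    return {"Authorization": f"Bearer {jwt}", "x-ms-version": "2020-10-02"}

def constructed_token(claims):
    """UNSIGNED token built only so the checks above can run offline (constructed sample)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

The role assigned in step 3 (Reader, Contributor, Owner) determines what the token can actually do; the scope only names the resource, which is why `aud` is the claim worth checking.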