0

We earlier used sas token to access the storage account.Now the requirment is to not to use it. Is it possible for an azure app to access the storage account if it has owner access. I tried using it . But getting this error.

message": "The specified resource does not exist

the url we are using is

`https://${tableService.storageAccountName}.table.core.windows.net/tablename
Joji
  • 1
  • 1
  • 1
  • "Now the requirment is to not to use it" - so what is your new requirement then? To use the raw connection-keys? Or allow unauthenticated (i.e. public) access? What is the public-access setting on your container? – Dai May 10 '22 at 05:12
  • It is private only. We need to see, if the data can be accessed with RBAC – Joji May 10 '22 at 05:40
  • Then everything you need is in here: https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory – Dai May 10 '22 at 05:55

1 Answers1

0

Simply pointing to a storage account, without any form of credentials, will not work for a private storage account or container.
There are a couple of options you have to provide credentials to connect to a storage account, like using the connection strings containing the access keys or using Managed Identities for Azure resources.

Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens.

Here are some of the benefits of using managed identities:

  • You don't need to manage credentials. Credentials aren’t even accessible to you.
  • You can use managed identities to authenticate to any resource that supports Azure AD authentication, including your own applications.
  • Managed identities can be used without any additional cost.

Because of these benefits and the ease of use I would suggest you Authorize access to blob data with managed identities for Azure resources.

Azure Blob Storage supports Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to blob data using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.

Assign an RBAC role to a managed identity

When an Azure AD security principal attempts to access data in an Azure Storage account, that security principal must have permissions to the data resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to data in Azure Storage.

rickvdbosch
  • 14,105
  • 2
  • 40
  • 53