
I'm trying to programmatically set access policies on containers within a storage account. Ideally I'd like to do this using Managed Identity but it looks like it's not supported at the moment (see here).

So at present it looks like I need to use the storage account key so the container client can create access policies. This brings me to the main part of my question. Is it best practice to store these keys in key vault and retrieve them using the managed identity or retrieve them directly? Keeping keys in key vault like this is stated as legacy though (or perhaps it's just those specific methods as Azure CLI is legacy as well). So it looks like this has fallen through the cracks somehow in that in 1 place it's stated as legacy but in another it's not supported yet.

If I opt for the direct route, what is the best way to do this? Can I still use the managed identity in this case? Looking here it looks like I can, as it uses Azure Active Directory, which is what I believe backs managed identity.

At the moment it's very confusing how I should programmatically set access policies to a container, but hopefully someone else has come across this need and has got a good example.

sr28
    You may consider changing the title, since "What is the best way to ..." is a secure road to "Close because it is opinion-based." I find the question legit, though (upvoted), so it would be sad to see it being closed for the title. – Fildor May 23 '22 at 08:12
  • @Fildor - good point. I've updated the title. – sr28 May 23 '22 at 08:20
  • You could also disable access keys and rely on RBAC, granting permissions to your managed identity. Which language / technology are you using? – Thomas May 23 '22 at 09:15
  • @Thomas - the managed identity has 'Owner' permission on the storage account. So if that was supported that should be enough to modify access policies, but after testing it and reading the docs again it looks like it's not supported. I'm using C#. – sr28 May 23 '22 at 09:17
  • The RBAC data roles are different from the management roles. You have specific roles to access data such as `Storage Blob Data Contributor, Storage Queue Data Contributor, Storage Table Data Contributor`. It is working. You can disable access keys and only rely on RBAC. – Thomas May 23 '22 at 10:23
  • @Thomas - but none of those roles have the ability to add access policies to the container. I want to add / remove access policies on containers so that when I generate a SAS from that policy I can also easily remove the SAS access by removing the policy. – sr28 May 23 '22 at 15:25

1 Answer

If I opt for the direct route, what is the best way to do this?

As you mentioned in the question, Storage Accounts - List Keys is the way to go for fetching access keys for a storage account.

Can I still use the managed identity in this case?

Yes, you most certainly can. Please ensure that your Managed Identity has permissions to perform List Keys operation on the storage account. Owner and Contributor roles definitely have that permission but you can also opt for Storage Account Contributor or Storage Account Key Operator Service Role role if you do not want to assign your Managed Identity more powerful roles like Owner or Contributor.

Gaurav Mantri
  • Thanks for your answer. What's the difference between using that method listed above and this one here: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.storage.istorageaccountsoperations.listkeyswithhttpmessagesasync?view=azure-dotnet#microsoft-azure-management-storage-istorageaccountsoperations-listkeyswithhttpmessagesasync(system-string-system-string-system-nullable((microsoft-azure-management-storage-models-listkeyexpand))-system-collections-generic-dictionary((system-string-system-collections-generic-list((system-string))))-system-threading-cancellationtoken) – sr28 May 23 '22 at 10:02
  • 1
    The one I mentioned is the REST API operation and the one you linked is the implementation of the same in the SDK. So if you are using the SDK, you would use the method you linked which in turn will call the REST API. – Gaurav Mantri May 23 '22 at 10:11
  • I'm still a little confused about this. I don't see how you can do this using Managed Identity. With the link above for 'List Keys' this shows an auth url. When googling more on how to authorize it says you need to get a token using a whole load of params like tenant id etc. Nothing about Managed Identity. https://github.com/Azure-Samples/storage-dotnet-resource-provider-getting-started – sr28 May 24 '22 at 08:17
  • 1
    When you acquire a token, you acquire it for a user (that user could be you or a service principal or a managed identity). – Gaurav Mantri May 24 '22 at 09:32
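A worked C# example of the flow the answer describes (managed identity authenticates to ARM, calls List Keys, the key then authorizes the container ACL call and a policy-bound SAS); this is added code, not from the question or answer, and the subscription, resource group, account, container and policy names are placeholders. It assumes the Azure.Identity, Azure.ResourceManager.Storage and Azure.Storage.Blobs packages, and that the identity holds a role granting Microsoft.Storage/storageAccounts/listKeys/action (the answer's least-privileged option is Storage Account Key Operator Service Role).

```csharp
using System;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Storage;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Placeholders (assumed values): replace with your own.
const string subscriptionId = "<subscription-id>";
const string resourceGroup = "<resource-group>";
const string accountName = "<storage-account>";
const string containerName = "<container>";
const string policyId = "reader-until-revoked";

// 1. Management plane: the managed identity calls Storage Accounts - List Keys.
//    DefaultAzureCredential picks up the managed identity when running in Azure.
var credential = new DefaultAzureCredential();
var arm = new ArmClient(credential);
var accountId = StorageAccountResource.CreateResourceIdentifier(subscriptionId, resourceGroup, accountName);
StorageAccountResource account = arm.GetStorageAccountResource(accountId);
string accountKey = null;
await foreach (StorageAccountKey key in account.GetKeysAsync())
{
    accountKey = key.Value;   // keep the key in memory only; never persist it
    break;
}

// 2. Data plane: Set Container ACL only accepts Shared Key, so build the client from the key.
var sharedKey = new StorageSharedKeyCredential(accountName, accountKey);
var container = new BlobContainerClient(
    new Uri($"https://{accountName}.blob.core.windows.net/{containerName}"), sharedKey);

// 3. Define a stored access policy on the container (read + list, 7-day window).
var identifier = new BlobSignedIdentifier
{
    Id = policyId,
    AccessPolicy = new BlobAccessPolicy
    {
        PolicyStartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),
        PolicyExpiresOn = DateTimeOffset.UtcNow.AddDays(7),
        Permissions = "rl",
    },
};
await container.SetAccessPolicyAsync(PublicAccessType.None, new[] { identifier });

// 4. Issue a SAS bound to the policy: deleting the policy later revokes every such SAS at once.
var sas = new BlobSasBuilder { BlobContainerName = containerName, Identifier = policyId, Resource = "c" };
string sasToken = sas.ToSasQueryParameters(sharedKey).ToString();

// 5. Revoke: write the policy list back without the identifier (an empty list removes all).
await container.SetAccessPolicyAsync(PublicAccessType.None, Array.Empty<BlobSignedIdentifier>());
```

The SAS built in step 4 carries no expiry or permissions of its own; it inherits them from the stored policy, which is what makes step 5 an immediate revocation.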