
I want to list access that was provided on storage via ACL.

Is there an API solution for this?

I want to list all entities (AD group, Service Principal etc.) (like the one marked in green) that have access to storage via ACLs.

The idea is to create an audit platform which can list all access that is provided via ACL.


I tried Path, as suggested in one of the comments. "x-ms-acl" is missing in the response (refer to screenshot).

After changing "blob" to "dfs", it worked.

Rakesh Prasad

1 Answer


The API you would want to use is Path - Get Properties with the action query parameter set to getAccessControl. This should return the ACL in the x-ms-acl response header.

You will need to use the DFS endpoint (instead of the blob endpoint).


If you are using Azure.Storage.Files.DataLake (.Net SDK for Azure DataLake), the method you would want to use is DataLakeDirectoryClient.GetAccessControlAsync.

Gaurav Mantri
  • Modified original post. – Rakesh Prasad Sep 16 '22 at 06:49
  • I believe you will need to use the `dfs` endpoint instead of the `blob` endpoint. Can you try with `https://account.dfs.core.windows.net`? – Gaurav Mantri Sep 16 '22 at 06:53
  • Worked. Now some thought experiment: how to create an audit system? Going recursive inside each storage doesn't sound feasible, and doing it on a periodic basis might kill the process and the storage itself. But I remember when I assign an ACL, it says to give execute to the same user at all parent levels. So can I assume that all ACLs (at least execute) have to start at container level itself? If that is true, I might just run the above code at all container levels. This is lengthy too, but still feasible. Your thoughts? – Rakesh Prasad Sep 16 '22 at 08:05
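Once the x-ms-acl header comes back from the DFS endpoint, an audit still has to turn its text into a list of entities. The following is an added example, not code from the question or the answer: it parses the POSIX-style ACL text that Path - Get Properties returns (comma-separated `[default:]scope:objectId:rwx` entries) and pulls out the explicitly named AD object IDs, flagging which entries carry the execute bit the last comment asks about. The header value and object IDs are constructed placeholders.

```python
# Parse an ADLS Gen2 x-ms-acl header value into audit-friendly entries.
# Added example; SAMPLE_HEADER is constructed and the object IDs are placeholders.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    default: bool   # "default:" entries are inherited by newly created children
    scope: str      # "user", "group", "mask" or "other"
    entity: str     # AAD object ID of the user/group/service principal; "" = owning user/group
    perms: str      # POSIX triplet such as "r-x"

    @property
    def can_execute(self) -> bool:
        # Execute on a directory is what allows traversal into it.
        return self.perms[2] == "x"


def parse_x_ms_acl(header: str) -> List[AclEntry]:
    """Parse e.g. 'user::rwx,group::r-x,other::---,user:<oid>:r-x,default:user:<oid>:r-x'."""
    entries = []
    for raw in filter(None, header.split(",")):
        parts = raw.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        scope, entity, perms = parts
        if len(perms) != 3 or any(c not in ok for c, ok in zip(perms, ("r-", "w-", "x-"))):
            raise ValueError(f"malformed permission triplet in {raw!r}")
        entries.append(AclEntry(default, scope, entity, perms))
    return entries


def named_entities(entries: List[AclEntry]) -> List[str]:
    """Object IDs explicitly granted on this path (owner, owning group, mask and other skipped)."""
    return sorted({e.entity for e in entries if e.entity})


SAMPLE_HEADER = ("user::rwx,group::r-x,other::---,"
                 "user:11111111-1111-1111-1111-111111111111:r-x,"
                 "group:22222222-2222-2222-2222-222222222222:rwx,"
                 "mask::rwx,"
                 "default:user:11111111-1111-1111-1111-111111111111:r-x")

if __name__ == "__main__":
    for e in parse_x_ms_acl(SAMPLE_HEADER):
        print(("default " if e.default else "access  ") + f"{e.scope}:{e.entity or '<owning>'} {e.perms}")
    print("named entities:", named_entities(parse_x_ms_acl(SAMPLE_HEADER)))
```

Note that the parser reports only entries written on the path itself; effective access also depends on group membership and the mask entry, so an audit should record the raw entries rather than try to resolve them here.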