
I want to run this API, Path (Get Properties), but rather than using SAS or an Access Key, I want to use AD based authentication. How can I achieve that?

The signature that we currently send via the header looks like:

'Authorization' : 'SharedKey {storage_account_name} : {signed_string}'

I have a reference to another article where they talk about AD and storage. I have completed this step.

But after getting the bearer token, how do I use it to get the ACL at the storage level?

Setup:

After setting up the application as follows:

[screenshot of the app registration]

I still got an error while running it via Postman and Python code:

[screenshot of the error]

Rakesh Prasad

1 Answer

I tried to reproduce the same in my environment and got the below results.

I registered an application in Azure AD and added API permissions for Azure Storage as shown below:

[screenshot of the API permissions]

Make sure you have the required permissions before running the query.

Now I generated a bearer token using the ROPC flow with the below parameters:

POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token

client_id : xxxxxx-xxx-xxx-xxxx-xxxxxxxx
grant_type : password
scope : https://storage.azure.com/user_impersonation
username : sri@********.onmicrosoft.com
password : ******
client_secret : ************

[screenshot of the token response]

After getting the bearer token, I ran the same query as below and got the ACL in the x-ms-acl response header successfully:

HEAD https://<storageacc_name>.dfs.core.windows.net/testfile/path.txt?action=getAccessControl&upn=true

Authorization: Bearer <paste_bearer_token_here>
x-ms-version: 2021-06-08

Response:

[screenshot of the response headers]

Please note that the Authorization header must be Bearer <token> when using Azure AD based authentication.

Sridevi
  • Thanks for responding. This is what I was looking for, but I am stuck. I followed the first step and was able to create an app and get admin consent for user_impersonation. I am sending my email and password (which I use to log in to Azure too). How do I give myself permission to access that app? FYI: I am the owner of that app (and I created it). I have the correct ID and secret, but when I try to get a token, I get "error_uri": "https://login.microsoftonline.com/error?code=50126" – Rakesh Prasad Sep 22 '22 at 11:56
  • What RBAC roles do you currently have on your Azure account? – Sridevi Sep 22 '22 at 12:10
  • 4 roles => Billing Reader @ Management group | Contributor @ Subscription level | Reader @ Subscription level | Security Reader @ Subscription level – Rakesh Prasad Sep 22 '22 at 13:52
  • I created a user with those 4 roles. By signing in with that user's account, I created an app, and I can generate a token with that user's credentials. Could you please provide a screenshot of Postman with the error? – Sridevi Sep 22 '22 at 14:08
  • Added details to my original post. Does it have anything to do with interactive login and Postman not being able to do it? => https://learn.microsoft.com/en-us/answers/questions/385629/aadsts50126-error-validating-credentials-due-to-in-1.html because if that is the reason, I am not sure I can change any setting at the company-wide level. – Rakesh Prasad Sep 23 '22 at 00:51
  • Please note that the ROPC flow only supports Azure AD user accounts that are created in the AAD tenant where the application is created. Ex: sri@tenant.onmicrosoft.com – Sridevi Sep 23 '22 at 00:58
  • Try creating a new Azure AD user and assigning the same roles to that user. Then sign in with that new user's credentials and repeat the entire process. – Sridevi Sep 23 '22 at 00:59
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/248274/discussion-between-sridevi-and-rakesh-prasad). – Sridevi Sep 23 '22 at 01:25
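The two requests in the answer above (ROPC token request, then the HEAD with `action=getAccessControl` and a `Bearer` header) as a Python script, added here as an example; it is not code from the original question or answer. The tenant, client, account, filesystem and path values are placeholders, and the response headers at the bottom are a constructed sample of what a successful call returns, not a real capture. Beyond the post, it also parses the `x-ms-acl` value (`[default:]type:principal:perms` entries, UPNs instead of object IDs because of `upn=true`) so the ACL can be checked programmatically rather than read off a screenshot. Only the stdlib is used; the live `fetch_acl` call is the one piece that needs network access and a real token.

```python
"""Read an ADLS Gen2 path's ACL with an Azure AD bearer token (added example).

Placeholder tenant/client/account names and a constructed sample response;
none of these values come from the original post.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

TOKEN_SCOPE = "https://storage.azure.com/user_impersonation"
API_VERSION = "2021-06-08"


def build_ropc_token_request(tenant_id, client_id, client_secret, username, password):
    """Return (url, form-encoded body) for the ROPC grant used in the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "password",
        "scope": TOKEN_SCOPE,
        "username": username,
        "password": password,
        "client_secret": client_secret,
    })
    return url, body


def build_get_acl_request(account, filesystem, path, bearer_token):
    """Return (url, headers) for Path - Get Properties with action=getAccessControl.

    With AD auth the Authorization header is 'Bearer <token>', not 'SharedKey ...'.
    """
    quoted = urllib.parse.quote(path)  # keeps '/' so nested paths survive
    url = (f"https://{account}.dfs.core.windows.net/{filesystem}/{quoted}"
           "?action=getAccessControl&upn=true")
    headers = {"Authorization": f"Bearer {bearer_token}", "x-ms-version": API_VERSION}
    return url, headers


@dataclass(frozen=True)
class AclEntry:
    default: bool   # True for 'default:' entries (inherited by new children)
    kind: str       # user | group | mask | other
    principal: str  # '' for the owning user/group, else UPN (upn=true) or object ID
    perms: str      # e.g. 'rwx', 'r-x', '---'


def parse_x_ms_acl(header_value):
    """Parse x-ms-acl: comma-separated '[default:]type:principal:perms'."""
    entries = []
    for item in header_value.split(","):
        item = item.strip()
        if not item:
            continue
        default = item.startswith("default:")
        if default:
            item = item[len("default:"):]
        kind, principal, perms = item.split(":")  # exactly three fields remain
        if kind not in {"user", "group", "mask", "other"}:
            raise ValueError(f"unknown ACL entry type: {kind!r}")
        if len(perms) != 3 or any(c not in "rwx-" for c in perms):
            raise ValueError(f"bad permission triad: {perms!r}")
        entries.append(AclEntry(default, kind, principal, perms))
    return entries


def acl_from_response_headers(headers):
    """Collect the ACL-bearing headers of a getAccessControl response."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "owner": h.get("x-ms-owner"),
        "group": h.get("x-ms-group"),
        "permissions": h.get("x-ms-permissions"),
        "acl": parse_x_ms_acl(h.get("x-ms-acl", "")),
    }


def principals_with_write(entries):
    """Named (non-default) entries that grant 'w': the ones worth reviewing."""
    return sorted(e.principal for e in entries
                  if not e.default and e.principal and "w" in e.perms)


def fetch_acl(account, filesystem, path, bearer_token):
    """Live call (not exercised offline): HEAD the path and return the parsed ACL."""
    url, headers = build_get_acl_request(account, filesystem, path, bearer_token)
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 401/403
        return acl_from_response_headers(dict(resp.headers))


# Constructed sample of the headers a successful HEAD returns (not a real capture).
SAMPLE_HEADERS = {
    "x-ms-owner": "sri@contoso.onmicrosoft.com",
    "x-ms-group": "$superuser",
    "x-ms-permissions": "rwxr-x---+",
    "x-ms-acl": ("user::rwx,user:alice@contoso.onmicrosoft.com:rw-,"
                 "group::r-x,mask::rwx,other::---,default:user::rwx"),
}

if __name__ == "__main__":
    parsed = acl_from_response_headers(SAMPLE_HEADERS)
    print(json.dumps(parsed, default=vars, indent=2))
    print("named principals with write:", principals_with_write(parsed["acl"]))
```

A 401 from the storage endpoint usually means the token was minted for the wrong resource (the scope must be under `https://storage.azure.com/`) or the header is still `SharedKey`; a 403 with a valid bearer token usually means the caller has no data-plane role on the account (for example Storage Blob Data Owner), which the control-plane roles listed in the comments (Contributor, Reader) do not grant. ROPC also sends the user's password to the token endpoint, so for anything beyond a one-off test prefer a flow that does not handle the password at all (client credentials for a service, or an interactive/device-code flow for a person).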