I am trying to understand a few points about delegating authorization to Azure BLOB storage using Azure service principals.
How I configure Azure:
Create and Configure Service Principal: in Active Directory I created an application, created a key (password), and set its required permissions to access Azure Storage;
Configure IAM of Azure Storage: under Storage accounts section, I chose my storage account, and under IAM I assigned my account (my login account as [email protected]) to Storage BLOB Data Contributor role.
How I use the configuration in my client App:
- With the aforementioned configuration, my application takes the tenant ID, client ID, client secret, etc. and sends an authorization request to the `/authorize` endpoint.
- Then a window pops up and asks me to log in (using e.g., [email protected]), and then a consent screen pops up and asks for my permission to allow the service principal to read my Azure storage.
- After I approve, my client application receives an OAuth2.0 `code`.
- Then I exchange this `code` for an `access_key` via the `/token` endpoint.
Q1: does this access_key grant my client application the same privileges as [email protected] or as the service principal?
Using the obtained access key I can read/write the Azure blob.
Q2: if [email protected] does not have read/write access (i.e., is not assigned the Storage BLOB Data Contributor role), my client app would not be able to read/write the blob, regardless of the service principal's role. This is where I get confused: I am under the impression that my client app is assuming the service principal, hence it will have the same privileges as the service principal, not [email protected]. For instance, [email protected] can have the Contributor role (i.e., read/write), while the service principal would be assigned a Reader role. In that case, I would have full access to BLOB storage, while my client app would have only read access to the BLOB storage. However, it seems the client app gets the same permissions as [email protected]. What am I missing here?
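The flow described in the question, as an added example that is not part of the original post: it builds the `/authorize` URL and the `/token` exchange body for the authorization-code grant, and decodes the resulting access token's claims to see which identities it carries. An authorization-code token is a delegated token (`scp` claim, plus the signed-in user's `upn`/`preferred_username` and the client's `appid`/`azp`), whereas an app-only token from the client-credentials grant carries `roles` and no user claim. The tenant ID, client ID, redirect URI, the v2.0 endpoints and the sample token are all constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders, not real tenant/app identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "http://localhost:8080/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"
STORAGE_SCOPE = "https://storage.azure.com/user_impersonation"  # delegated scope


def build_authorize_url(state: str) -> str:
    """Step 1: URL the client opens so the user signs in and consents."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": STORAGE_SCOPE,
        "state": state,  # ties the callback to this request (CSRF protection)
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request(code: str, client_secret: str) -> dict:
    """Step 2: form body POSTed to /token to swap the code for an access token."""
    return {"client_id": CLIENT_ID, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "scope": STORAGE_SCOPE}


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload. No signature check: this only inspects claims
    on the client side; the resource (Storage) is what validates the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_model(claims: dict) -> str:
    """'scp' marks a delegated (user + app) token; 'roles' marks app-only."""
    user = claims.get("upn") or claims.get("preferred_username")
    app = claims.get("appid") or claims.get("azp")
    if "scp" in claims:
        return f"delegated: user={user} via app={app} scp={claims['scp']}"
    if "roles" in claims:
        return f"app-only: app={app} roles={claims['roles']}"
    return "unknown"


def sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise token_claims()."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```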