
Looking at the ARM template documentation for Azure Storage accounts there is a field called identity (in API Version: 2018-02-01).

What is the identity of a storage account used for? The documentation is rather vague, stating "The identity of the resource", which isn't very helpful.

Deducing what it could be...

In data factory the identity is the service principal or managed service identity being used, but I can't see how an identity is used for a storage account?

Taking a guess...

Is it something to do with Data Lake Store Gen2?

Or perhaps similarly to do with Active Directory authentication (it didn't say in the AD auth preview docs)? Maybe assigning an identity gives it enough information to hook into Active Directory? SQL server takes a similar approach where if you assign an AD admin it enables AD authentication.

Or perhaps to do with syncing across storage accounts? Perhaps giving it an identity for when it's talking to another storage account for using Azure File Sync or something?

1 Answer


You're right on the matter of using the identity object to hook into AD:

A system assigned identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

Source: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

I connected the dots from section 3 of this documentation, which discusses enabling the system-assigned identity, which is the same property discussed in the storage ARM template documentation you were referring to. I'd recommend leaving feedback on the GitHub documentation for more clarification. This would also be helpful to the Azure community.
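To make the answer concrete, here is an added example (not from the original question or answer) of the `identity` property in use on a storage account resource at API version 2018-02-01. The parameter name, SKU and kind are my own choices for illustration; the only part that matters for the question is `"identity": { "type": "SystemAssigned" }`, which asks Azure to create the Azure AD service principal described in the quoted overview. The `outputs` section reads the resulting `principalId` back via `reference(..., 'Full')` so you can confirm the identity was created without leaving the deployment.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Globally unique storage account name (assumed parameter name)" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2018-02-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "supportsHttpsTrafficOnly": true
      }
    }
  ],
  "outputs": {
    "storagePrincipalId": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-02-01', 'Full').identity.principalId]"
    }
  }
}
```

After deployment, `az storage account show -n <name> -g <rg> --query identity` returns the same `principalId` and `tenantId`; that object ID is the Azure AD identity the quoted overview says is created and, per the same text, it is deleted automatically when the storage account is deleted. Omitting the `identity` block (or setting `"type": "None"`) deploys the account with no identity at all, so the property is opt-in.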