0
votes

I am trying to give an AD user an IAM access (Storage Blob Data Reader) to a Container by REST Api call.

My storage structure is like:- Subscription >> ResourceGroup >> Resource(i.e. a storage account) >>
Many Containers >> Some blobs under each container

I am able to provide Reader access for a user (who is in my Active Directory) at the StorageAccount level through a REST call using:

    https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2015-07-01

    HEADER:
        Content-Type: application/json
        Authorization: Bearer Token

    BODY:
        {
          "properties": {
            "roleDefinitionId": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleDefinitions/READER-ACCESS-GUID",
            "principalId": "AD-USER-OBJECT-ID"
          }
        }

Please help me to assign a role for that user at a particular container level (not all containers) under the storage account as well, so that he/she can read/write any blob inside that container.

Thank you!

NOTE: I tried with:

    https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/path/CONTAINER-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2018-07-01

In Postman it returns status code 201 and the number of role assignments shown in the Azure portal increases by 1, but the user cannot see any blob inside that container.

Please help or let me know if you need any more info.

1
According to my understanding, you want to use Azure AD Auth to access Azure blob storage. You need to assign an Azure RBAC role (such as Storage Blob Data Reader) to the user. For more details, please refer to docs.microsoft.com/da-dk/azure/storage/common/storage-auth-aad - Jim Xu

Yes, you are right @Jim Xu! But I too tried that link you provided. I am able to give the access manually from the portal to any container. But I want to do it by REST API. I am not finding any PUT call for giving this access. - Subhrangsu

If you want to assign a role to a user, you can try to use the Azure REST API: docs.microsoft.com/en-us/rest/api/authorization/roleassignments/… - Jim Xu

Thanks for your quick follow up! I have already gone through that link. But using that I am able to provide access down to the resource or Storage Account level, not below that, like container level. Need help to form the REST URL for that. - Subhrangsu

When you call the Azure REST API to assign a role, the container scope should be like subscriptions/<subscription id>/resourceGroups/<group name>/providers/Microsoft.Storage/storageAccounts/<account name>/blobServices/default/containers/<container name> - Jim Xu

1 Answer

1
votes

According to my understanding, you want to use Azure AD Auth to access Azure blob storage. You need to assign an Azure RBAC role (such as Storage Blob Data Reader) to the user. For more details, please refer to https://docs.microsoft.com/da-dk/azure/storage/common/storage-auth-aad

Regarding how to assign a role to one user with the REST API, please refer to the following steps:

  1. Register Azure AD application

  2. Configure API permissions

  3. Call the rest api in the postman

    a. get access token

    b. get role name and role id

    GET https://management.azure.com/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq '<the role you need, such as Storage Blob Data Contributor>'&api-version=2018-01-01-preview

    Header:
        Authorization: Bearer <token>

    c. assign role

    PUT https://management.azure.com/<your scope>/providers/Microsoft.Authorization/roleAssignments/<role assignment name, a new GUID>?api-version=2018-01-01-preview

    Header:
        Authorization: Bearer <token>
        Content-Type: application/json

    Body:
        {
          "properties": {
            "roleDefinitionId": "<role id>",
            "principalId": "<The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.>"
          }
        }
    

    Please note that the container scope should be like subscriptions/<subscription id>/resourceGroups/<group name>/providers/Microsoft.Storage/storageAccounts/<account name>/blobServices/default/containers/<container name>

  4. Check with Storage Explorer. For more details, please refer to the document.

    a. Select the Connect symbol to open Connect to Azure Storage.

    b. If you haven't already done so, use the Add an Azure Account option to sign in to the Azure account that has access to the resource. After you sign in, return to Connect to Azure Storage.

    c. Select Add a resource via Azure Active Directory (Azure AD), and then select Next.

    d. Select an Azure account and tenant. These values must have access to the Storage resource you want to attach to. Select Next.

    e. Choose the resource type you want to attach. Enter the information needed to connect.

    The information you enter on this page depends on what type of resource you're adding. Make sure to choose the correct type of resource. After you've entered the required information, select Next.

    f. Review the Connection Summary to make sure all the information is correct. If it is, select Connect. Otherwise, select Back to return to the previous pages to fix any incorrect information.

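An added example (not code from the question or the answer) that builds the container scope, the role-definition lookup URL (step 3b) and the role-assignment PUT (step 3c) from the answer above in Python; the subscription, group, account, container and principal values in the helpers are placeholders, and only `assign_role` needs a real ARM bearer token and network access.

```python
import json
import urllib.parse
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2018-01-01-preview"  # the api-version used in the answer above


def container_scope(subscription_id, resource_group, account, container):
    """ARM scope of one blob container. The 'blobServices/default/containers' segment is
    the point of the answer: the '/path/<container>' form returned 201 but granted nothing."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/blobServices/default/containers/{container}")


def scope_level(scope):
    """Classify a scope so a caller can confirm the grant is container-level, not wider."""
    if "/blobServices/default/containers/" in scope:
        return "container"
    if "/storageAccounts/" in scope:
        return "account"
    if "/resourceGroups/" in scope:
        return "resourceGroup"
    return "subscription"


def role_definition_lookup_url(subscription_id, role_name):
    """Step 3b: GET URL that resolves a role name to its roleDefinitions id.
    The $filter value is percent-encoded; urllib rejects a raw space in a URL."""
    flt = urllib.parse.quote(f"roleName eq '{role_name}'")
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
            f"/roleDefinitions?$filter={flt}&api-version={API_VERSION}")


def role_assignment_request(scope, role_definition_id, principal_id, assignment_id=None):
    """Step 3c: (PUT url, JSON body). The assignment name in the URL is a fresh GUID."""
    assignment_id = assignment_id or str(uuid.uuid4())
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_definition_id,
                           "principalId": principal_id}}
    return url, body


def assign_role(token, scope, role_definition_id, principal_id):
    """Send the PUT with a bearer token obtained as in step 3a (needs network access)."""
    url, body = role_assignment_request(scope, role_definition_id, principal_id)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # 201 Created on success
        return resp.status, json.load(resp)
```

Check `scope_level(scope) == "container"` before calling `assign_role` so that a typo in the scope does not silently grant the role on the whole storage account.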