Storage Access
Blob Storage Access
There are multiple ways to access blob storage. Ref.
👉 One way is to use the account access key. Ref. This method should generally not be used: whoever holds the key gets full access to all data in the storage account (Shared Key authorization), the key is not tied to any identity, and it cannot be scoped to a container or a time window.
To retrieve the account access key (in the portal, or with `az storage account keys list`) you must have an Azure role assigned that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. Once retrieved, the key authorizes requests directly; no further RBAC check is applied.
👉 Another way to access blob storage is through an Entra ID identity (a user, service principal, or managed identity) and RBAC data roles such as Storage Blob Data Contributor (see below).
👉 Using a Shared Access Signature (SAS) is another way to get access to blob storage. A SAS is a set of query parameters (permissions, validity window, optionally allowed IP range and protocol) plus an HMAC signature over them, appended to the resource URL. Whoever holds the URL has that access until it expires, so a SAS is a bearer credential and should be handled like one.
- By default a SAS (an ad hoc SAS) is signed with one of the account access keys and can only be revoked by rotating the key that signed it. Rotation invalidates every SAS signed with that key and breaks anything else that uses the key, so it's not ideal.
- Alternatively, a stored access policy can be created on the container (or file share, queue, or table) and the SAS created against it. Permissions and expiry then live in the policy rather than in the token, and the SAS is revoked by deleting or modifying the policy. That only affects SAS tokens tied to that policy. Stored access policies apply to service SAS only.
- A SAS can be an account SAS (covering one or more services in the account, signed with the account key) or a service SAS (scoped to a single resource in one service). A user delegation SAS is a service SAS for blobs that is signed with Entra ID credentials instead of the account key; it is revoked by revoking the user delegation keys on the storage account, which does not disturb the account keys.
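To make the two SAS flavours above concrete, here is an added example (not code from the original notes or from Azure's SDKs) that builds a container-level service SAS by hand and then replays the check the service performs on every request. It follows the documented service-SAS signing scheme for API version 2020-12-06 (HMAC-SHA256 over a newline-joined string to sign, keyed with the Base64-decoded account key); the account name, container, and both keys are constructed placeholders, not real credentials. It shows that the token's parameters are plain text, that the only secret is the key, and therefore that rotating the key is the only way to kill an ad hoc SAS, whereas a policy-based SAS carries no permissions or expiry of its own.

```python
"""Build and check an Azure Blob service SAS by hand (added example, constructed values)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

API_VERSION = "2020-12-06"

# Constructed sample values, NOT real credentials. A real account key is 64 random bytes, Base64-encoded.
ACCOUNT = "examplestorage"
CONTAINER = "payroll"
KEY_V1 = base64.b64encode(b"\x01" * 64).decode()   # key1 as it is today
KEY_V2 = base64.b64encode(b"\x02" * 64).decode()   # key1 after a rotation


def _sign(key_b64: str, string_to_sign: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(account: str, container: str, params: dict) -> str:
    # Field order is fixed by the service (16 fields for version 2020-12-06);
    # an absent field still contributes its newline.
    canonicalized_resource = f"/blob/{account}/{container}"
    fields = [
        params.get("sp", ""),    # signedPermissions (blank when a stored access policy supplies them)
        params.get("st", ""),    # signedStart
        params.get("se", ""),    # signedExpiry (blank when a stored access policy supplies it)
        canonicalized_resource,
        params.get("si", ""),    # signedIdentifier = stored access policy name
        params.get("sip", ""),   # signedIP
        params.get("spr", ""),   # signedProtocol
        params["sv"],            # signedVersion
        params["sr"],            # signedResource ("c" = container)
        "",                      # signedSnapshotTime
        "",                      # signedEncryptionScope
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ]
    return "\n".join(fields)


def make_container_sas(account, container, key_b64, *, permissions="rl",
                       expiry="2030-01-01T00:00:00Z", policy_id=None, https_only=True) -> str:
    """Return the SAS token (query string) for one container.

    With policy_id set, sp/se are omitted from the token; the service looks them up
    in the stored access policy named by `si`, so deleting that policy revokes the SAS.
    """
    params = {"sv": API_VERSION, "sr": "c"}
    if https_only:
        params["spr"] = "https"
    if policy_id:
        params["si"] = policy_id
    else:
        params["sp"] = permissions
        params["se"] = expiry
    params["sig"] = _sign(key_b64, _string_to_sign(account, container, params))
    return urlencode(params)


def sas_url(account: str, container: str, token: str) -> str:
    return f"https://{account}.blob.core.windows.net/{container}?{token}"


def verify(url: str, current_key_b64: str) -> bool:
    """What the service does per request: recompute the HMAC with the key it holds
    now and compare. Everything else in the URL is visible to whoever has the URL."""
    u = urlparse(url)
    account = u.netloc.split(".")[0]
    container = u.path.strip("/")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    presented = q.pop("sig")
    expected = _sign(current_key_b64, _string_to_sign(account, container, q))
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    adhoc = sas_url(ACCOUNT, CONTAINER, make_container_sas(ACCOUNT, CONTAINER, KEY_V1))
    print(adhoc)
    print("ad hoc SAS, key unchanged:        ", verify(adhoc, KEY_V1))
    print("ad hoc SAS, after key rotation:   ", verify(adhoc, KEY_V2))
    print("ad hoc SAS, permissions tampered: ", verify(adhoc.replace("sp=rl", "sp=rwdl"), KEY_V1))
    policy = make_container_sas(ACCOUNT, CONTAINER, KEY_V1, policy_id="auditors-ro")
    print("policy SAS token (no sp/se):      ", policy)
```

The tamper line is the point to notice: a holder of the URL can read every parameter but cannot widen `sp` or extend `se`, because the signature covers them; what they can do is use the URL exactly as issued until it expires or the signing key changes.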
Entra ID/RBAC Roles
- Storage Account Contributor - Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
- Storage Blob Data Contributor - Read, write, and delete Azure Storage containers and blobs.
- The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It doesn't provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal.
☝️This bit is tricky, review it carefully.
- Reader and Data Access role - Lets you view everything, but not create or delete a storage account or any resource in it. Because it includes the listkeys action, it also gives read/write access to all data in the storage account via the account keys (Shared Key), despite the "Reader" in its name.
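The tricky bit in the role list is that there are two routes to the same blob bytes: an Entra ID token checked against a role's DataActions, or the account key, which needs only the control-plane listkeys action. The following added example (not code from the original notes or from Microsoft) evaluates the four roles above the way Azure RBAC does: action names compare case-insensitively, `*` is a wildcard that spans path segments, NotActions are subtracted from Actions, and DataActions are a separate check. The built-in role definitions are abridged and transcribed from memory (an assumption; confirm with `az role definition list --name "<role>"`), and the last role is a constructed custom role, not a built-in one.

```python
"""Which roles reach blob data, directly (DataActions) or via the account key (listkeys)?
Added example; role definitions abridged from memory (verify against live definitions)."""
import fnmatch

LIST_KEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
ACCOUNT_READ = "Microsoft.Storage/storageAccounts/read"

ROLES = {
    # Assumption: abridged built-in definitions, check with `az role definition list --name`.
    "Reader": {
        "Actions": ["*/read"],
    },
    "Storage Account Contributor": {
        "Actions": ["Microsoft.Storage/storageAccounts/*"],
    },
    "Storage Blob Data Contributor": {
        "Actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "DataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        ],
    },
    "Reader and Data Access": {
        "Actions": [
            "Microsoft.Storage/storageAccounts/ListAccountSas/action",
            "Microsoft.Storage/storageAccounts/listKeys/action",
            "Microsoft.Storage/storageAccounts/read",
        ],
    },
    # Constructed custom role (not built in): account management with key retrieval carved out.
    "Storage Account Contributor (no keys)": {
        "Actions": ["Microsoft.Storage/storageAccounts/*"],
        "NotActions": [
            "Microsoft.Storage/storageAccounts/listKeys/action",
            "Microsoft.Storage/storageAccounts/ListAccountSas/action",
            "Microsoft.Storage/storageAccounts/regenerateKey/action",
        ],
    },
}


def _matches(patterns, action: str) -> bool:
    """Case-insensitive match; fnmatch's `*` spans '/' just as Azure's wildcard does."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def permits(role: dict, action: str, plane: str = "Actions") -> bool:
    """Allowed iff some (Data)Action pattern matches and no Not(Data)Action pattern does."""
    return _matches(role.get(plane, []), action) and not _matches(role.get("Not" + plane, []), action)


def blob_access(role_name: str) -> dict:
    role = ROLES[role_name]
    return {
        "portal_navigation": permits(role, ACCOUNT_READ),            # can list the account in the portal
        "data_via_rbac": permits(role, BLOB_READ, "DataActions"),    # Entra ID token, data plane
        "data_via_key": permits(role, LIST_KEYS),                    # fetch key, then Shared Key auth
    }


if __name__ == "__main__":
    for name in ROLES:
        print(f"{name:40s} {blob_access(name)}")
```

Run it and the notes' warning falls out of the evaluation: Reader's `*/read` matches `storageAccounts/read` but never `listkeys/action`, so it can navigate and nothing more; Storage Account Contributor's `storageAccounts/*` swallows listkeys, so a "management" role is a data role in practice; Storage Blob Data Contributor reaches data only through the data plane and, lacking `storageAccounts/read`, cannot browse to the account in the portal on its own; the custom role shows how a NotActions entry closes the key route without giving up the rest of account management.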
§§§
The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when you're using private endpoints. Your firewall configuration also enables trusted Azure platform services to access the storage account.
azcopy
- The azcopy CLI tool supports only Entra ID and SAS authentication for blob storage, not account keys, and only SAS for file storage.
- You can use the azcopy make command to create a container.