
Azure Container level IAM Access assignment by REST call


I am trying to give an AD user IAM access (Storage Blob Data Reader) to a container by REST API call.

My storage structure is like: Subscription >> ResourceGroup >> Resource (i.e. a storage account) >> Many Containers >> Some blobs under each container

I am able to provide Reader access for a user (who is in my Active Directory) at the StorageAccount level through a REST call using:

    https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2015-07-01

    HEADER:
        Content-Type: application/json
        Authorization: Bearer Token

    BODY:
        { "properties": {
            "roleDefinitionId": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleDefinitions/READER-ACCESS-GUID",
            "principalId": "AD-USER-OBJECT-ID"
        } }

Please help me to assign a role for that user at a particular container level (not all containers) under the storage account as well, so that he/she can read/write any blob inside that container.

Thank you!

NOTE: I tried with:

    https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/path/CONTAINER-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2018-07-01

In Postman it returns status code 201 and the number of role assignments shown in the Azure portal increases by 1, but the user cannot see any blob inside that container.

Please help or let me know if you need any more info.


Solution

  • According to my understanding, you want to use Azure AD Auth to access Azure blob storage. You need to assign an Azure RBAC role (such as Storage Blob Data Reader) to the user. For more details, please refer to https://learn.microsoft.com/da-dk/azure/storage/common/storage-auth-aad

    Regarding how to assign a role to one user with the REST API, please refer to the following steps

    1. Register Azure AD application

    2. Configure API permissions

    3. Call the REST API in Postman

      a. get access token

      b. get role name and role id

      GET  https://management.azure.com/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq '<the role your need such as Storage Blob Data Contributor>'&api-version=2018-01-01-preview
      
      Header:
            Authorization: Bearer <token>
      

      c. assign role

      PUT https://management.azure.com/<your scope>/providers/Microsoft.Authorization/roleAssignments/<role name>?api-version=2018-01-01-preview
      Header:
           Authorization: Bearer <token>
           Content-Type: application/json
      Body:
          { "properties": {
              "roleDefinitionId": "<role id>",
              "principalId": "<The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.>"
          } }
      

      Please note that the container scope should be like subscriptions/<subscription id>/resourceGroups/<group name>/providers/Microsoft.Storage/storageAccounts/<account name>/blobServices/default/containers/<container name>

    4. Check with Storage Explorer. For more details, please refer to the document.

      a. Select the Connect symbol to open Connect to Azure Storage.

      b. If you haven't already done so, use the Add an Azure Account option to sign in to the Azure account that has access to the resource. After you sign in, return to Connect to Azure Storage.

      c. Select Add a resource via Azure Active Directory (Azure AD), and then select Next.

      d. Select an Azure account and tenant. These values must have access to the Storage resource you want to attach to. Select Next.

      e. Choose the resource type you want to attach. Enter the information needed to connect.

      The information you enter on this page depends on what type of resource you're adding. Make sure to choose the correct type of resource. After you've entered the required information, select Next.

      f. Review the Connection Summary to make sure all the information is correct. If it is, select Connect. Otherwise, select Back to return to the previous pages to fix any incorrect information.

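As an added example (not the answer author's code), the container-scoped role assignment from step c in Python with only the standard library. It builds the PUT request from the `blobServices/default/containers/<container name>` scope the answer gives and rejects the `/path/<container>` form from the question, which ARM accepts but which grants nothing on the container. All IDs, the token and the role definition id are placeholders.

```python
"""Create an Azure RBAC role assignment at blob-container scope via the ARM REST API."""
import json
import re
import uuid
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2018-01-01-preview"  # api-version used in the answer's step c

# The only scope form under which a container-level assignment takes effect.
CONTAINER_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Storage"
    r"/storageAccounts/[^/]+/blobServices/default/containers/[^/]+$")


def container_scope(subscription_id, resource_group, account, container):
    """Build the scope string for one blob container."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/blobServices/default/containers/{container}")


def build_role_assignment(scope, role_definition_id, principal_id, assignment_id=None):
    """Return (url, body) for the PUT; raises on scopes that are not a real container.

    role_definition_id is the full 'id' returned by the roleDefinitions GET in step b;
    principal_id is the Azure AD object id of the user, group or service principal.
    """
    if not CONTAINER_SCOPE.match(scope):
        raise ValueError(f"not a blob container scope: {scope}")
    assignment_id = assignment_id or str(uuid.uuid4())  # any unique GUID names the assignment
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments"
           f"/{assignment_id}?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_definition_id,
                           "principalId": principal_id}}
    return url, body


def put_role_assignment(url, body, bearer_token):
    """Send the PUT; ARM answers 201 Created when the assignment is written."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    scope = container_scope("SUBSCRIPTION-ID", "RESOURCE-GROUP-NAME",
                            "STORAGE-ACCOUNT-NAME", "CONTAINER-NAME")  # placeholders
    url, body = build_role_assignment(scope, "<role id from step b>", "<AD object id>")
    print(url)
    print(json.dumps(body, indent=2))
    # put_role_assignment(url, body, "<token from step a>")  # uncomment with real values
```

After the PUT returns 201, confirm the user can list the container's blobs (for example with Storage Explorer as in step 4); an assignment made against the `/path/` scope also returns 201, which is why the status code alone is not a sufficient check.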