I am trying to give an AD user an IAM access (Storage Blob Data Reader) to a Container by REST Api call.
My storage structure is like: Subscription >> ResourceGroup >> Resource (i.e. a storage account) >>
Many Containers >> Some blobs under each container
I am able to provide Reader access for a user (who is in my Active Directory) at the Storage Account level through a REST call using:
https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleAssignments/ANY-UNIQUE-GUID?api-version=2015-07-01
HEADER:
[{"key":"Content-Type","value":"application/json"}]
[{"key":"Authorization","value":"Bearer Token"}]
BODY:
{
"properties": {
"roleDefinitionId": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.Storage/storageAccounts/STORAGE-ACCOUNT-NAME/providers/Microsoft.Authorization/roleDefinitions/READER-ACCESS-GUID",
"principalId": "AD-USER-OBJECT-ID"
}
}
Please help me to assign a role for that user at any particular container (not all) level under the storage account, as well, so that he/she can read/write any blob inside that container.
Thank you!
In Postman it returns status code 201 and the number of role assignments shown in the Azure portal increases by 1, but the user cannot see any blob inside that Container.
Please help or let me know if you need any more info.
According to my understanding, you want to use Azure AD Auth to access Azure blob storage. You need to assign an Azure RBAC role (such as Storage Blob Data Reader) to the user. For more details, please refer to https://learn.microsoft.com/da-dk/azure/storage/common/storage-auth-aad
Regarding how to assign a role to one user with the REST API, please refer to the following steps
Register an Azure AD application
Call the REST API in Postman
b. get role name and role id
GET https://management.azure.com/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq '<the role you need, such as Storage Blob Data Contributor>'&api-version=2018-01-01-preview
Header:
Authorization: Bearer <token>
c. assign role
PUT https://management.azure.com/<your scope>/providers/Microsoft.Authorization/roleAssignments/<role name>?api-version=2018-01-01-preview
Header:
Authorization: Bearer <token>
Content-Type: application/json
Body
{ "properties": {
"roleDefinitionId": "<role id>",
"principalId": "<The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.>"
}}
Please note that the container scope should be like subscriptions/<subscription id>/resourceGroups/<group name>/providers/Microsoft.Storage/storageAccounts/<account name>/blobServices/default/containers/<container name>
Check with Storage Explorer. For more details, please refer to the document.
a. Select the Connect symbol to open Connect to Azure Storage.
b. If you haven't already done so, use the Add an Azure Account option to sign in to the Azure account that has access to the resource. After you sign in, return to Connect to Azure Storage.
c. Select Add a resource via Azure Active Directory (Azure AD), and then select Next.
d. Select an Azure account and tenant. These values must have access to the Storage resource you want to attach to. Select Next.
e. Choose the resource type you want to attach. Enter the information needed to connect.
The information you enter on this page depends on what type of resource you're adding. Make sure to choose the correct type of resource. After you've entered the required information, select Next.
f. Review the Connection Summary to make sure all the information is correct. If it is, select Connect. Otherwise, select Back to return to the previous pages to fix any incorrect information.
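The two REST calls from the answer (look up the role definition by name, then PUT a role assignment scoped to one container) as an added Python example; this is not code from the original thread. The subscription, resource group, account, container, object-ID and token values are constructed placeholders, and the only assumption beyond the page is the response shape of the role-definition GET (a JSON object with a "value" array).

```python
# Added example: build the Azure RBAC REST requests described in the answer.
# Nothing here talks to the network; the caller sends the returned requests.
import json
import uuid
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2018-01-01-preview"  # api-version used in the answer


def container_scope(subscription_id, resource_group, account, container):
    """Scope of one blob container: the narrowest scope for a data-plane role."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/blobServices/default/containers/{container}")


def role_definition_lookup_url(subscription_id, role_name):
    """GET URL that filters role definitions by display name (step b)."""
    flt = quote(f"roleName eq '{role_name}'")  # spaces and quotes get %-encoded
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Authorization/roleDefinitions?$filter={flt}"
            f"&api-version={API_VERSION}")


def pick_role_definition_id(lookup_response, role_name):
    """Pull the full definition id out of the GET response (assumed shape)."""
    for item in lookup_response.get("value", []):
        if item.get("properties", {}).get("roleName") == role_name:
            return item["id"]
    raise LookupError(f"role definition {role_name!r} not found")


def role_assignment_request(scope, role_definition_id, principal_id, token,
                            assignment_name=None):
    """Build the PUT of step c; the assignment name must be a fresh GUID."""
    name = assignment_name or str(uuid.uuid4())
    uuid.UUID(name)  # raises ValueError if the caller passed a non-GUID name
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments"
           f"/{name}?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = {"properties": {"roleDefinitionId": role_definition_id,
                           "principalId": principal_id}}
    return "PUT", url, headers, json.dumps(body)
```

Use the id returned by the lookup as roleDefinitionId unchanged; the question's call worked at account scope because the same id is accepted there, while the container scope from the answer is what limits the grant to one container.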