I have read and followed the instructions here and here and used a user-defined identity to set it up. It was working until we had to remove the user-defined identity for policy reasons, and now I keep getting Unauthorized locally and
ManagedIdentityCredential authentication failed: Service request failed. Status: 500 (Internal Server Error) when deployed to the server. According to the docs, it is supposed to work with role-based authentication, but it currently doesn't. Does anyone have an idea how to fix this?
Here's the configuration code.
using System;
using Azure.Identity;
using Azure.Storage.Blobs;

// DefaultAzureCredential tries, in order, environment variables, managed identity, Visual Studio,
// Azure CLI and the other developer credentials, so the same code runs locally and in App Service.
BlobContainerClient containerClient = new BlobContainerClient(new Uri(containerEndpoint), new DefaultAzureCredential());
// CreateIfNotExistsAsync is an instance method; calling it on the type name does not compile.
// Creating a container needs the container write action, i.e. Storage Blob Data Contributor, not only Reader.
await containerClient.CreateIfNotExistsAsync();
The account you are logged in with in Visual Studio must have permission to read the blob.
Navigate to the Storage Account
=> Access Control (IAM)
=> Add role assignment: Storage Blob Data Reader
with "User, group, or service principal"
access, and add the user.
For the deployed app:
You need to add a role assignment with Managed Identity access.
Add a new role assignment, Storage Blob Data Reader,
with Managed Identity access, select your system-assigned managed identity, and add it.
Your Web App has to be registered in Azure AD to show up in the system-assigned managed identity list shown above.
When you enable the system-assigned identity from the App Service Identity section, it will prompt you with a message to register the app in AD.
You can also assign roles from the Identity section.
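The same two role assignments the answer walks through in the portal, done from the Azure CLI instead, as an added example that is not part of the question or the answer. It assumes placeholder names (the resource group, web app and storage account passed as arguments), uses the `id` property that current Azure CLI releases return from `az ad signed-in-user show` (older releases returned `objectId`), and grants Storage Blob Data Contributor rather than Reader because the question's `CreateIfNotExistsAsync` needs the container write action, which Reader does not carry; pass a fourth argument to `grant_blob_role` if your app only reads. Scope is the single storage account, not the subscription, so the identity gets no more than the app needs.

```shell
#!/bin/sh
# Added example, not from the original post. All resource names are placeholders.
set -eu

# Turn on the system-assigned managed identity of the App Service and return its
# principal (object) id. Re-running is harmless: the existing id is returned.
enable_system_identity() {
  rg="$1"; app="$2"
  az webapp identity assign --resource-group "$rg" --name "$app" \
    --query principalId --output tsv
}

# ARM resource id of the storage account; this is the scope of the assignment.
storage_scope() {
  rg="$1"; account="$2"
  az storage account show --resource-group "$rg" --name "$account" \
    --query id --output tsv
}

# Grant a data-plane blob role to one principal at storage-account scope.
# principal_type is ServicePrincipal for a managed identity and User for a person.
# Passing the object id and type explicitly skips the directory lookup that can
# fail for an identity created seconds ago and not yet replicated.
grant_blob_role() {
  object_id="$1"; principal_type="$2"; scope="$3"
  role="${4:-Storage Blob Data Contributor}"   # assumed default; Reader if you only read
  az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type "$principal_type" \
    --role "$role" \
    --scope "$scope" \
    --query id --output tsv
}

# Show which roles a principal holds on the account; useful when the app still
# gets 403/401 after the assignment (propagation can take a few minutes).
list_blob_roles() {
  object_id="$1"; scope="$2"
  az role assignment list --assignee "$object_id" --scope "$scope" \
    --query "[].roleDefinitionName" --output tsv
}

# End-to-end: identity for the deployed app, plus the signed-in developer for
# local runs through DefaultAzureCredential (Visual Studio / Azure CLI login).
setup() {
  rg="$1"; app="$2"; account="$3"
  scope=$(storage_scope "$rg" "$account")
  mi_id=$(enable_system_identity "$rg" "$app")
  grant_blob_role "$mi_id" ServicePrincipal "$scope"
  me_id=$(az ad signed-in-user show --query id --output tsv)
  grant_blob_role "$me_id" User "$scope"
  echo "managed identity roles:"; list_blob_roles "$mi_id" "$scope"
  echo "signed-in user roles:";  list_blob_roles "$me_id" "$scope"
}

# Only run against Azure when asked, e.g.:
#   RUN_SETUP=1 sh grant-blob-access.sh my-rg my-webapp mystorageacct
if [ "${RUN_SETUP:-0}" = "1" ]; then
  setup "$@"
fi
```

After the assignments land, restart the App Service once so the identity endpoint is initialised; a 500 from ManagedIdentityCredential typically means the app has no identity enabled at all, while 403 on the blob call means the identity exists but the role is missing or has not propagated yet.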