How to control access to identity-specific folders in Azure Blob Storage using ABAC
An example use case:
I have an Azure Blob Container named "my-org-documents"; a specific folder should be shared across all the identities. However, each identity can only write into their subfolders.
I will use the below identities as example:
[email protected] (AD user)
ExampleMI12 (managed identity)
I have created a path called test, managedidentity and sharedfolder under the container, so the structure is as below:
my-org-documents/test
my-org-documents/managedidentity
my-org-documents/sharedfolder
My task is completed when:
- Active Directory user "test" is able to read/write into sharedfolder
- Active Directory user "test" is able to read/write into test folder but not into managedidentity folder.
- Managed Identity "ExampleMI12" is able to read/write into sharedfolder
- Managed Identity "ExampleMI12" is able to read/write into "ExampleMI12" folder but not into test folder.
Scoping the role assignment:
In such scenario, you can achieve the target by assigning "Storage Blob Data Contributor" to the required identity while applying ABAC conditions to add more control over folder access.
Configuring the user permissions:
- Assigning "Storage Data Contributor role" to user "test" on the storage account level.
-Then, in the conditions tab, I will add the below policy:
The above ABAC policy will only allow read/write access to "test" and "sharedfolder" paths, while it will deny access to all the other folders inside the "my-org-document" container or any other container inside the storage account.
Configuring the managed identity permissions:
- Assigning "Storage Data Contributor role" to managed identity "ExampleMI12" on the storage account level.
- Then, in the conditions tab, I will add the below policy:
Conclusion:
In this scenario, I was able to control folder level access for AD identities by assigning a role to each identity while adding specific ABAC conditions that will add more granularity over the wide role access.
Note: For ADLS endpoint, the ABAC policy should be modified to remove the ending slash from the blob path. Similar to the below example:
Note:
Please add "microsoft.storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action" action on all conditions if:
1- The role definition contains this action, such as "Storage blob data owner"
2- The storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.
Published on:
Learn moreRelated posts
Azure VMware Solution - Using Log Analytics With NSX-T Firewall Logs
Azure VMware Solution How To Series: Monitoring Azure VMware Solution Overview Requirements Lab Environment Tagging & Groups Kusto ...
Troubleshoot your apps faster with App Service using Microsoft Copilot for Azure | Azure Friday
This video provides you with a comprehensive overview of how to troubleshoot your apps faster with App Service utilizing Microsoft Copilot for...
Looking to optimize and manage your cloud resources? Join our Azure optimization skills challenge!
If you're looking for an effective way to optimize and manage your cloud resources, then join the Azure Optimization Cloud Skills Challenge or...
Have a safe coffee chat with your documentation using Azure AI Services | JavaScript Day 2024
In the Azure Developers JavaScript Day 2024, Maya Shavin a Senior Software Engineer at Microsoft, presented a session c...
Azure Cosmos DB Keyboard Shortcuts for Faster Workflows | Data Explorer
Azure Cosmos DB Data Explorer just got a whole lot easier to work with thanks to its new keyboard shortcuts. This update was designed to make ...
How to Use Azure Virtual Network Manager's UDR Management Feature
What will you learn in this blog? What is Azure Virtual Network Manager’s UDR management feature? How UDR management simplifies route setting...
Secure & Reliable Canonical Workloads on Azure | GA Availability
With Azure's partnership with Canonical, the industry standard for patching Linux distributions on the cloud is elevated. The collaboration hi...
Azure VMware Solution now available in Italy North, Switzerland North and UAE North
Azure VMware Solution continues to expand its reach, as it is now accessible in Italy North, Switzerland North, and UAE North. With this expan...
Connecting Azure to Mainframes with Low Latency
Many organizations are running their mission critical workloads on the mainframe and would greatly benefit by incorporating the mainframe in t...