Login/Register
Azure Storage restrict access one container only
Asked Answered
Solved azureazure-active-directoryazure-storageazure-blob-storage
A

2

9

This is my situation: Two groups in Azure AD. Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1

To achieve this I have given IAM Role Permission on each container accordingly (assigned Storage Blob Data Contributor Role to group).

Code Sample I used: https://github.com/Azure-Samples/storage-dotnet-azure-ad-msal

But to upload/download any file on container I have to assign role of Storage Blob Data Contributor on Storage Account as well. If I give Storage Blob Data Contributor on Storage Account then that Group users can add files to any container.

So is there any way to achieve like, Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1

Amass answered 7/12, 2020 at 15:54 Comment(1)
Why is it necessary to also assign the Storage Data Blob Reader to the Storage Account itself? I have tried to create a Blob Container and assigned a test user Storage Data Blob Reader to this container. In the blob container I have uploaded a test file. When I give the URL to this test file, the test user gets a Resource Not Found when trying to download the file in a browser.Beret
A
3

Denying group to a container is not supported yet. As given in the image taken from IAM blade: "At this time, the only way you can add your own deny assignments is by using Azure Blueprints." Denying access to users is quite a process. So it is best if you create two storage accounts and manage the access at storage account level instead of Container. This is not for group but for a single user in group. enter image description here

Amass answered 7/12, 2020 at 16:19 Comment(2)
Is it possible to only give access to one container by using a custom role?Bathometer
When will this rule kick in? How will you add access to storage account ?Amass
S
7

What you can do is assign 'Reader' access to the storage account, then 'Storage Blob Data Reader' for that same user/group, BUT provide a condition to only allow them access to containers of a specific name. In my example below I called the container "test-access-medata"

enter image description here

Stockdale answered 27/4, 2022 at 18:4 Comment(2)
I tried multiple ways of assigning container-only access and your approach is the only thing that worked for me. Thanks!Nuncia
I think this should be flagged as an answer to this question, thanks a lot!Oneidaoneil
A
3

Denying group to a container is not supported yet. As given in the image taken from IAM blade: "At this time, the only way you can add your own deny assignments is by using Azure Blueprints." Denying access to users is quite a process. So it is best if you create two storage accounts and manage the access at storage account level instead of Container. This is not for group but for a single user in group. enter image description here

Amass answered 7/12, 2020 at 16:19 Comment(2)
Is it possible to only give access to one container by using a custom role?Bathometer
When will this rule kick in? How will you add access to storage account ?Amass

© 2022 - 2024 — McMap. All rights reserved.