Reputation: 40299
Rich ACLs with Azure Storage - delegating to AD?
How do I build a rich storage ACL policy system with Azure storage?
I want to have a blob container that has the following users:
- public - read-only against some set of blobs
- Uploader - read-write against some subset of blob names, these keys are shared out to semi-trusted build machines
- shared admin - full capabilities against this blob subset
Ideally these users are accounts driven through Azure AD, so I can use the full directory service power with them... :)
My understanding of shared access keys is that they are (1) time-limited and (2) have to be created with hand-tooled code. My desire is that I can do something similar to AWS IAM policies on S3... :-)
Upvotes: 4
Views: 551
Answers (2)
Reputation: 61
Paul,
While Gaurav is correct in that Azure Storage does not have AD integration today, I wanted to point out a couple of things about shared access signatures from your post:
My understanding of shared access keys is that they are (1) time-limited and (2) have to be created with hand-tooled code
1) A sas token/uri does not need to have an expiry date on it (it's an optional field), so in that sense they are not time-limited and need not be regenerated unless you change the shared key with which you generated the token 2) You can use PS cmdlets to do this for e.g.: https://msdn.microsoft.com/en-us/library/dn806416.aspx. Some storage explorers also support creation of sas tokens/uris statically without you having to write code for it.
Upvotes: 3
Reputation: 136136
Thing like AWS IAM Policies for S3 does not exist for Azure Blob Storage today. Azure recently started a Role Based Access Control (RBAC) and is available for Azure Storage but it is limited to performing management activities only like creating storage accounts etc. It is yet not available for perform data management activities like uploading blobs etc.
You may want to look at Azure Rights Management Service (Azure RMS) and see if it is a right solution for your needs. If you search for Azure RMS Blob you will find one of the search results link to a PDF file which talks about securing blob storage with this service (the link directly downloads the PDF file and hence I could not include it here).
If you're looking for a 3rd party service to do this, do take a look at the "Team Edition" of Cloud Portam (a service I am building currently). We recently released the Team Edition. In short, Cloud Portam is a browser-based Azure Explorer and it supports managing Azure Storage, Search Service and DocumentDB accounts. The Team Edition makes use of your Azure AD for user authentication and you can grant permissions (None, Read-Only, Read-Write and Read-Write-Delete) on the Azure resources you manage through this application.
Upvotes: 3
Related Questions
- list ACL for storage
- What are the Azure IAM permissions for storage account lifecycle policy management to work?
- ADLS Gen2 --> ACL on a folder level
- Scope for Accessing Storage Account using Managed Identity
- Azure Storage Account - Container level access and ACL
- How to grant azure active directory B2C users permissions on storage account containers?
- can we provide access to blobs/containers/storage accounts using Azure active Directory?
- Implement RBAC for Azure Blob Storage using an account in different Tenant?
- Why is Azure Storage API permission not listed in azure portal?
- ACL access abilities for Azure Containers and Blobs