use Service Principal when reading azure blob

Question

i followed the tutorial (below *) and now have a Service Principal . How can i use this Service Principal when reading a blob using Get-AzureStorageBlob ? Get-AzureStorageBlob requires a New-AzureStorageContext , can i use the SP instead of the StorageAccountKey guid? Thanks,Peter

• https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/

Answer 1

Recently, Azure has added an option to Manage access rights to Azure Storage data with RBAC. You need to add one of the built-in RBAC roles scoped to the storage account to your service principal.

• Storage Blob Data Contributor (Preview)
• Storage Blob Data Reader (Preview)

Then, if you want to use the AzureCLI to access the Blob Storage with a Service Principal

1. Log in with a service principal

   $ az login --service-principal --tenant contoso.onmicrosoft.com -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret \
   

2. Enable the preview extension

   $ az extension add -n storage-preview
   

3. Use --auth-mode parameter with your AzureCLI command

   $ az storage blob download --account-name storagesamples --container sample-container --name myblob.txt --file myfile.txt --auth-mode login
   

For more information please see:

Manage access rights to Azure Storage data with RBAC (Preview)

Use an Azure AD identity to access Azure Storage with CLI or PowerShell (Preview)

Answer 2

if your SPN has only reader role, you cannot access the storage w/o SAS or account key. You can asign the SPN to contributor role and create SAS for other normal users. then switch to other normal user to access the storage with SAS.

Answer 3

As far as I know, you cannot use a SPN for accessing items in blob storage. You will need to use the access keys or SAS tokens.