Reputation: 2493
I am authenticating the users to my web page using the Microsoft login via the adal-node library. adal-node has an AuthenticationContext from which we can get a JWT token using acquireTokenWithAuthorizationCode.
So, the users of my active directory app can now successfully login with their Microsoft accounts.
Now, the question is how to get their RBAC roles for a specific storage account/container/blob using the JWT token received above? Is that even possible?
Or should I be using a library like azure-arm-authorization for this purpose? I have set the RBAC roles for each storage account/container/blob, but I am not finding any online documentation on how to get these roles for every logged-in user of my app.
Any help would be invaluable.
TL;DR How do I authorize azure blobs?
Upvotes: 3
Views: 1311
Reputation: 23111
According to my research, if we want to use Azure AD authentication to access Azure Blob Storage, we need to assign an Azure RBAC role for the Azure storage account or container. For more details, please refer to here. Besides, we can use the Azure CLI to assign a role and get role assignments.
For example:
# assign role
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee <email> \
--scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"
# list role assignment of the resource
az role assignment list --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"
For further information, please read the article.
If you want to use the Node.js SDK to get the role assignments, please refer to the following code:
const AuthorizationManagementClient = require('azure-arm-authorization');
const msRestAzure = require('ms-rest-azure');

// The subscription ID is also the first segment of the scope, so derive the
// scope from it instead of typing it twice; replace the other placeholders.
const subscriptionId = 'e5b0fcfa-e859-43f3-8d84-5e5fe29f4c68';
const scope = `/subscriptions/${subscriptionId}/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>`;

async function listRoleAssignments() {
  // Interactive (device code) login: fine for a script, not for a web app.
  const credentials = await msRestAzure.interactiveLogin();
  const client = new AuthorizationManagementClient(credentials, subscriptionId);
  // Role assignments that apply at this scope (inherited ones included).
  const assignments = await client.roleAssignments.listForScope(scope);
  for (const assignment of assignments) {
    // roleDefinitionId is a full ARM ID; resolve it to a human-readable name.
    const definition = await client.roleDefinitions.getById(assignment.roleDefinitionId);
    console.log(`principal ID: ${assignment.principalId}\nrole name: ${definition.roleName}`);
  }
}

listRoleAssignments().catch((err) => console.error(err));
For more details, please refer to Get access control list (IAM) of a resource group in Node.js.
According to my test, if you want to use azure-arm-authorization with adal-node, please refer to the following code:
const AuthorizationManagementClient = require('azure-arm-authorization');
const { TokenCredentials } = require('ms-rest');
const { AuthenticationContext } = require('adal-node');

const subscriptionId = 'e5b0fcfa-e859-43f3-8d84-5e5fe29f4c68';
const scope = `/subscriptions/${subscriptionId}/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>`;

// Use a service principal to get an access token with adal-node.
/*
If you do not have a service principal, you can use the following Azure CLI
command (https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac)
to create it:
az ad sp create-for-rbac -n "MyApp" --role contributor
Note: listing assignments only needs Microsoft.Authorization/roleAssignments/read
and roleDefinitions/read, which the built-in Reader role already includes, so a
less privileged role scoped to the storage account is enough for this script.
*/
const tenant = 'your-tenant-id';
const authorityUrl = 'https://login.microsoftonline.com/' + tenant;
const clientId = 'your-client-id';
const clientSecret = 'your-client-secret'; // load from configuration, never commit it
const resource = 'https://management.azure.com/'; // ARM audience, not the storage audience

// adal-node uses a callback; wrap it so the rest of the script can await it.
function acquireArmToken() {
  const context = new AuthenticationContext(authorityUrl);
  return new Promise((resolve, reject) => {
    context.acquireTokenWithClientCredentials(resource, clientId, clientSecret, (err, tokenResponse) => {
      if (err) {
        reject(err);
      } else {
        resolve(tokenResponse.accessToken);
      }
    });
  });
}

async function listRoleAssignments() {
  const accessToken = await acquireArmToken();
  const credentials = new TokenCredentials(accessToken);
  const client = new AuthorizationManagementClient(credentials, subscriptionId);
  // Role assignments that apply at this scope (inherited ones included).
  const assignments = await client.roleAssignments.listForScope(scope);
  for (const assignment of assignments) {
    const definition = await client.roleDefinitions.getById(assignment.roleDefinitionId);
    console.log(`principal ID: ${assignment.principalId}\nrole name: ${definition.roleName}`);
  }
}

listRoleAssignments().catch((err) => console.error(`Token generation or lookup failed due to ${err}`));
Besides, if you want to know how to use passport-azure-ad to get role assignments, you can use passport-azure-ad to get an AD access token and then call the Azure REST API. Regarding how to implement it, you can refer to the sample.
Upvotes: 2
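An added example, not part of the question or the answer above: once the app has the role assignments that roleAssignments.listForScope() returns for a container, it still has to decide which of them apply to the signed-in user. Two points the listing loop above does not show are that Azure RBAC is inherited down the resource hierarchy (an assignment at subscription, resource-group or storage-account scope also applies to every container beneath it), and that assignments may be granted to a group rather than to the user, so the user must be matched by the `oid` claim of the token plus the `groups` claim when the app registration is configured to emit it. The assignment objects are constructed to match the shape (`principalId`, `scope`, `roleDefinitionId`) of the SDK's RoleAssignment; the role definition GUIDs are the published built-in ones, and the token is an unsigned sample built inline.

```javascript
// Added example (not from the original post): compute a user's effective RBAC
// roles at a blob container scope and translate them into blob data permissions.

// Published built-in role definition GUIDs; verify with `az role definition list`.
const ROLE_NAMES = {
  'ba92f5b4-2d11-453d-a403-e96b0029c9fe': 'Storage Blob Data Contributor',
  '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1': 'Storage Blob Data Reader',
  'b24988ac-6180-42a0-ab88-20f7382dd24c': 'Contributor',
  'acdd72a7-3385-48ef-bd42-f606fba81ae7': 'Reader',
};
// Only data-plane roles authorize blob access with an Azure AD token. Control-plane
// roles such as Reader or Contributor do not grant blob data access by themselves.
const BLOB_READ_ROLES = new Set(['Storage Blob Data Reader', 'Storage Blob Data Contributor', 'Storage Blob Data Owner']);
const BLOB_WRITE_ROLES = new Set(['Storage Blob Data Contributor', 'Storage Blob Data Owner']);

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Reads claims from a JWT WITHOUT verifying it. Only call this on a token that
// adal-node / passport-azure-ad has already validated; never make authorization
// decisions on claims from an unverified token.
function jwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Principal IDs an assignment may name for this user: the user's object ID and
// any group object IDs carried in the token (groups claim is optional).
function principalIdsFromClaims(claims) {
  const ids = [claims.oid, ...(claims.groups || [])];
  return new Set(ids.filter(Boolean).map((id) => id.toLowerCase()));
}

// An assignment applies to targetScope if its scope is the target itself or an
// ancestor of it. ARM IDs are case-insensitive, so compare lower-cased.
function scopeCovers(assignmentScope, targetScope) {
  const a = assignmentScope.toLowerCase().replace(/\/+$/, '');
  const t = targetScope.toLowerCase().replace(/\/+$/, '');
  if (a === '') return true; // root scope "/"
  return t === a || t.startsWith(a + '/');
}

function roleNameFromDefinitionId(roleDefinitionId) {
  const guid = roleDefinitionId.split('/').pop().toLowerCase();
  return ROLE_NAMES[guid] || guid; // unknown or custom role: keep the GUID
}

// Sorted, de-duplicated role names the user effectively holds at targetScope.
function effectiveRoles(assignments, principalIds, targetScope) {
  const names = new Set();
  for (const a of assignments) {
    if (!principalIds.has(a.principalId.toLowerCase())) continue;
    if (!scopeCovers(a.scope, targetScope)) continue;
    names.add(roleNameFromDefinitionId(a.roleDefinitionId));
  }
  return [...names].sort();
}

function blobPermissions(roles) {
  return {
    read: roles.some((r) => BLOB_READ_ROLES.has(r)),
    write: roles.some((r) => BLOB_WRITE_ROLES.has(r)),
  };
}

// ---- constructed sample data (placeholder IDs, not a real tenant) ----
const SUB = '/subscriptions/00000000-0000-0000-0000-000000000001';
const ACCOUNT = `${SUB}/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1`;
const DOCS = `${ACCOUNT}/blobServices/default/containers/docs`;
const SECRETS = `${ACCOUNT}/blobServices/default/containers/secrets`;
const USER_OID = '11111111-1111-1111-1111-111111111111';
const GROUP_OID = '22222222-2222-2222-2222-222222222222';
const defId = (guid) => `${SUB}/providers/Microsoft.Authorization/roleDefinitions/${guid}`;

const SAMPLE_ASSIGNMENTS = [
  // the user holds Reader on the whole account: inherited by both containers, control plane only
  { principalId: USER_OID, scope: ACCOUNT, roleDefinitionId: defId('acdd72a7-3385-48ef-bd42-f606fba81ae7') },
  // the user's group holds Storage Blob Data Reader on the docs container only
  { principalId: GROUP_OID, scope: DOCS, roleDefinitionId: defId('2a2b9908-6ea1-4ae2-8e65-a410df84e7d1') },
  // someone else holds Storage Blob Data Contributor on the secrets container
  { principalId: '33333333-3333-3333-3333-333333333333', scope: SECRETS, roleDefinitionId: defId('ba92f5b4-2d11-453d-a403-e96b0029c9fe') },
];

// Constructed unsigned token carrying the claims the example needs.
function sampleToken() {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'none' })}.${b64url({ oid: USER_OID, groups: [GROUP_OID] })}.`;
}

function demo() {
  const principals = principalIdsFromClaims(jwtClaims(sampleToken()));
  const onDocs = effectiveRoles(SAMPLE_ASSIGNMENTS, principals, DOCS);
  const onSecrets = effectiveRoles(SAMPLE_ASSIGNMENTS, principals, SECRETS);
  return { onDocs, onSecrets, docs: blobPermissions(onDocs), secrets: blobPermissions(onSecrets) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real app the assignments array is the result of `client.roleAssignments.listForScope(scope)` from the answer's code, and the claims come from the token your authentication middleware has already validated. Note that this evaluation is advisory: Azure Storage enforces the same RBAC itself when the user's token for the storage audience is presented, so a mismatch between this check and the service's decision means the app's view of the assignments is stale, not that the service is wrong.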