Leszek

Reputation: 501

Azure Data Lake gen2 (Data Lake Storage) Access Control on container level with Managed Identity

I am trying to script granting a role on Azure Data Lake gen2. There is no issue with adding this for the Service Account:

$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'

$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if(!$dataFactoryRole)
{
    New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}

The issue is that I want to grant the permission on the container level, not the service account level. The above script generates, on the container level: Parent resource (inherited), but what is needed is: This resource.

I can do it through the portal, but that is not a valid solution for my case.

Upvotes: 0

Views: 148

Answers (1)

Jim Xu

Reputation: 23111

If you want to grant permission on the container level, please refer to the following script:

Connect-AzAccount

# -Name is the container name; the account is passed via -StorageAccountName
$container=Get-AzRmStorageContainer -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Name $containerName

$datafactory = Get-AzDataFactoryV2 -Name <> -ResourceGroupName <>

$role=Get-AzRoleDefinition -Name "Storage Blob Data Reader"

$dataFactoryRole = Get-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
if(!$dataFactoryRole)
{
    New-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}


Besides, please note that if you want to access Azure Blob with AD auth, you need to use these roles: Storage Blob Data Contributor, Storage Blob Data Reader and Storage Blob Data Owner. For more details, please refer to here and here

Upvotes: 1
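The answer's script grants the role, but does not show why the question's first attempt appeared as "Parent resource (inherited)" in the portal, nor that the account-level Contributor role is a control-plane role that grants no blob read/write access. The following is an added example (not code from the question, the answer, or the Az module documentation): it lists every role assignment a managed identity holds on one container, labels each as direct or inherited and as data-plane or control-plane, and then assigns a Storage Blob Data role at container scope only if no direct assignment already exists. It assumes the Az.Accounts, Az.Resources and Az.Storage modules are installed and Connect-AzAccount has already run; the function and parameter names are this example's own.

```powershell
# Added example: audit and grant data-plane access on a single ADLS Gen2 container.
# Assumes Az modules are installed and Connect-AzAccount has been run.
# Function and parameter names are this example's own, not from the Az module.

function Get-ContainerAccessReport {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $ContainerName,
        # Object ID of the principal, e.g. $datafactory.Identity.PrincipalId
        [Parameter(Mandatory)] [string] $PrincipalId
    )

    $container = Get-AzRmStorageContainer -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -Name $ContainerName

    # At container scope, Get-AzRoleAssignment also returns assignments inherited
    # from the storage account, resource group and subscription scopes.
    $assignments = Get-AzRoleAssignment -Scope $container.Id -ObjectId $PrincipalId

    foreach ($a in $assignments) {
        # A direct assignment has the container's own resource ID as its scope;
        # anything else is what the portal shows as "Parent resource (inherited)".
        $isDirect = ($a.Scope -eq $container.Id)
        # Only the Storage Blob Data * roles grant data-plane (blob read/write)
        # access; Contributor and Owner are control-plane roles.
        $isDataRole = $a.RoleDefinitionName -like 'Storage Blob Data *'
        [pscustomobject]@{
            Role      = $a.RoleDefinitionName
            Scope     = $a.Scope
            Assigned  = if ($isDirect) { 'This resource' } else { 'Parent resource (inherited)' }
            DataPlane = $isDataRole
        }
    }
}

function Add-ContainerDataRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $ContainerName,
        [Parameter(Mandatory)] [string] $PrincipalId,
        # Restrict to the three data-plane roles; Reader is the least-privilege default.
        [ValidateSet('Storage Blob Data Reader',
                     'Storage Blob Data Contributor',
                     'Storage Blob Data Owner')]
        [string] $RoleName = 'Storage Blob Data Reader'
    )

    $container = Get-AzRmStorageContainer -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -Name $ContainerName

    # Check for a DIRECT assignment only: an inherited assignment of the same role
    # would otherwise make this step skip, and the container-level grant would never
    # be created.
    $existing = Get-AzRoleAssignment -Scope $container.Id -ObjectId $PrincipalId `
        -RoleDefinitionName $RoleName |
        Where-Object { $_.Scope -eq $container.Id }

    if ($existing) {
        Write-Host "$RoleName is already assigned directly on container '$ContainerName'"
        return $existing
    }

    # Scope is the container resource ID, so the portal shows "This resource".
    $new = New-AzRoleAssignment -Scope $container.Id -ObjectId $PrincipalId `
        -RoleDefinitionName $RoleName
    Write-Host "$RoleName granted on container '$ContainerName'"
    return $new
}

# Usage (values are placeholders to be replaced with your own):
# $df = Get-AzDataFactoryV2 -Name '<DataFactoryName>' -ResourceGroupName '<ResourceGroupName>'
# Get-ContainerAccessReport -ResourceGroupName '<ResourceGroupName>' -StorageAccountName '<StorageAccountName>' `
#     -ContainerName '<ContainerName>' -PrincipalId $df.Identity.PrincipalId | Format-Table
# Add-ContainerDataRoleAssignment -ResourceGroupName '<ResourceGroupName>' -StorageAccountName '<StorageAccountName>' `
#     -ContainerName '<ContainerName>' -PrincipalId $df.Identity.PrincipalId -RoleName 'Storage Blob Data Reader'
```

Running the report before granting shows whether the identity already holds an account-level Contributor assignment (inherited, control-plane only) and whether any Storage Blob Data role is in effect; the grant function deliberately compares the assignment scope to the container ID so that an inherited role does not mask a missing container-level one. New role assignments can take a few minutes to propagate before the identity's blob access reflects them.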
