techno

Reputation: 6500

Scope for Accessing Storage Account using Managed Identity

I'm using managed identity to access an Azure database in this manner. The Azure App Registration is used for getting the token, and the token is passed to the connection. In the same manner, how do I connect to a storage account and write to a container? What will be the scope in this case?

            AuthenticationResult authenticationResult = null;
            var _app = ConfidentialClientApplicationBuilder.Create(Environment.GetEnvironmentVariable("ClientId"))
                  .WithAuthority(string.Format(Environment.GetEnvironmentVariable("AADInstance"), Environment.GetEnvironmentVariable("Tenant")))
                  .WithClientSecret(Environment.GetEnvironmentVariable("ClientSecret")).Build();

            authenticationResult =  _app.AcquireTokenForClient(new string[] { "https://database.windows.net/.default" }).ExecuteAsync().Result;           
            using (SqlConnection conn = new SqlConnection(Environment.GetEnvironmentVariable("DBConnection")))
            {
                conn.AccessToken = authenticationResult.AccessToken;
                conn.Open();

                using (SqlCommand cmd = new SqlCommand("SELECT * FROM mytable", conn))
                {
                    var result = cmd.ExecuteScalar();
                    Console.WriteLine(result);
                }
            }

Upvotes: 1

Views: 4685

Answers (2)

juunas

Reputation: 58743

Azure Storage uses this scope:

https://storage.azure.com/.default

That said, with the new Azure Storage SDK and Azure.Identity, you don't actually need to know this. You can use them like this:

    using System;
    using Azure.Identity;
    using Azure.Storage.Blobs;

    // Fill in the app registration's tenant ID, client ID and client secret.
    var credential = new ClientSecretCredential(tenantId: "", clientId: "", clientSecret: "");

    var blobUrl = "https://accountname.blob.core.windows.net";
    var service = new BlobServiceClient(new Uri(blobUrl), credential);

    var container = service.GetBlobContainerClient("container");
    var blob = container.GetBlobClient("file.txt");
    // TODO: Write the file

Upvotes: 2
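
The following is an added example, not part of either answer or the question. It shows the storage scope requested explicitly (the counterpart of the `AcquireTokenForClient` call in the question) and a blob write through the SDK, using `ManagedIdentityCredential` so no client secret is stored. The account, container and blob names are assumed placeholders, and the code only obtains a token when run on an Azure resource that has a managed identity assigned.

```csharp
// Added example. Assumed names: account "accountname", container "container", blob "file.txt".
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

class Program
{
    // The scope given in the answers for Azure Storage.
    const string StorageScope = "https://storage.azure.com/.default";

    static async Task Main()
    {
        // Managed identity: no client secret kept in environment variables.
        TokenCredential credential = new ManagedIdentityCredential();

        // Explicit token request for the storage scope. The SDK client below
        // requests this scope itself; this call only makes that step visible.
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { StorageScope }), default);
        // Log the expiry only, never the token value.
        Console.WriteLine($"Token for {StorageScope} expires {token.ExpiresOn:u}");

        var service = new BlobServiceClient(
            new Uri("https://accountname.blob.core.windows.net"), credential);
        BlobClient blob = service.GetBlobContainerClient("container").GetBlobClient("file.txt");

        try
        {
            using var content = new MemoryStream(Encoding.UTF8.GetBytes("hello from managed identity"));
            await blob.UploadAsync(content, overwrite: true);
            Console.WriteLine($"Wrote {blob.Uri}");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A valid token is not sufficient: the identity also needs a data-plane
            // role such as Storage Blob Data Contributor on the account or container.
            Console.Error.WriteLine($"Authorization failed ({ex.ErrorCode}): check the role assignment.");
        }
    }
}
```

Scoping the role assignment to the single container rather than the whole storage account keeps the identity's write access limited to where it is needed.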

Gaurav Mantri

Reputation: 136196

For Azure Storage, the scope will be https://storage.azure.com/.default.

Please see this link for more details: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#azure-storage-resource-id.

Upvotes: 1
