Reputation: 97
Application built using Spring Boot 2.5.x... using latest Azure Java SDK (Azure BOM 3.9.0).
Using Spring Security and Azure Active Directory Spring Boot starter for authN/authZ... all that works... AZ security groups and App registration app roles are getting mapped correctly in spring security as granted authorities etc.
Storage blob containers have group RBAC assigned.
We have a requirement whereby we'd like to list containers for which an AD user has been granted write access (contributor role) as well as virtual folders under containers (blob prefixes) using ABAC.
All users have read, but only certain users can update blobs in some containers and/or blob folders (e.g. container/admin).
Using Azure blob storage SDK to list containers and blobs, but not seeing anything in the implementation to filter by RBAC.
Some implementation details I've thought of:
blob/container index tags; tag "Admin" related blobs and using tag filters on list. Drawback is blob tags need to be managed
blob/container metadata; similar to tags, but not indexed; unsure if supported directly through the SDK
filtering stream collection returned from SDK call using either tags or metadata
Thoughts or ideas appreciated!
Upvotes: 0
Views: 405
Reputation: 318
You probably need to use the management SDK.
var roles = azure.accessManagement().roleAssignments()
        .listByServicePrincipal(objectId);
Or you can get the roles by resource scope (the ID of the storage account).
However, the service api-version used in 2.10.0 is a bit old, so it does not show conditions in role assignments (for ABAC), and you won't see the finer condition below the storage account.
Getting the objectId for the user / service principal likely requires a certain Read User permission in AAD. You can get them e.g. via the CLI, if you do not already have them.
>az ad user list --display-name foo
Upvotes: 0
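As an added example, not code from the question or the answer above, the following shows how the management SDK approach can be turned into a per-container write check: list the role assignments at each container's ARM scope, match them against the user's objectId and group objectIds, and resolve the role definition name. It assumes `azure-resourcemanager` and `azure-identity` on the classpath; `SUBSCRIPTION_ID`, `RESOURCE_GROUP`, `STORAGE_ACCOUNT` and the class name are placeholders. Because the SDK release discussed does not expose ABAC conditions, a conditional assignment will appear here as an unconditional one, so this answers "which containers" but not "which prefixes".

```java
// Added example (not from the question or answer): derive the containers a
// signed-in AAD user can write to from RBAC role assignments at container scope.
// Assumes com.azure:azure-resourcemanager and com.azure:azure-identity.
// SUBSCRIPTION_ID, RESOURCE_GROUP and STORAGE_ACCOUNT are placeholders.
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
import com.azure.resourcemanager.authorization.models.RoleAssignment;
import com.azure.resourcemanager.authorization.models.RoleDefinition;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class WritableContainers {

    private static final String SUBSCRIPTION_ID = "<subscription-id>";
    private static final String RESOURCE_GROUP = "<resource-group>";
    private static final String STORAGE_ACCOUNT = "<storage-account>";
    // Built-in data-plane role that grants blob write access.
    private static final String BLOB_CONTRIBUTOR_ROLE = "Storage Blob Data Contributor";

    private final AzureResourceManager azure;
    // Role definition ids repeat across assignments; cache the name lookups.
    private final Map<String, String> roleNameById = new HashMap<>();

    public WritableContainers(AzureResourceManager azure) {
        this.azure = azure;
    }

    // The application's own identity; it needs permission to read role
    // assignments (Reader on the storage account is enough for that).
    public static AzureResourceManager authenticate() {
        AzureProfile profile = new AzureProfile(AzureEnvironment.AZURE);
        TokenCredential credential = new DefaultAzureCredentialBuilder()
                .authorityHost(profile.getEnvironment().getActiveDirectoryEndpoint())
                .build();
        return AzureResourceManager.authenticate(credential, profile)
                .withSubscription(SUBSCRIPTION_ID);
    }

    // ARM scope of a single blob container; assignments inherited from the
    // account, resource group and subscription are returned for it as well.
    static String containerScope(String container) {
        return String.format(
                "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage"
                        + "/storageAccounts/%s/blobServices/default/containers/%s",
                SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT, container);
    }

    private String roleName(String roleDefinitionId) {
        return roleNameById.computeIfAbsent(roleDefinitionId, id -> {
            RoleDefinition def = azure.accessManagement().roleDefinitions().getById(id);
            return def == null ? "" : def.roleName();
        });
    }

    // principalIds: the user's objectId plus the objectIds of the groups in the
    // user's token, since the question assigns container RBAC to groups.
    public boolean canWrite(String container, Set<String> principalIds) {
        for (RoleAssignment ra : azure.accessManagement().roleAssignments()
                .listByScope(containerScope(container))) {
            if (principalIds.contains(ra.principalId())
                    && BLOB_CONTRIBUTOR_ROLE.equals(roleName(ra.roleDefinitionId()))) {
                return true;
            }
        }
        return false;
    }

    public List<String> writableContainers(List<String> containers, Set<String> principalIds) {
        return containers.stream()
                .filter(c -> canWrite(c, principalIds))
                .collect(Collectors.toList());
    }
}
```

Only `Storage Blob Data Contributor` is matched; if Owner or a custom role with `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` should also count, extend the name check to a set of accepted role names. The group objectIds come from the `groups` claim Spring Security already maps to granted authorities, so no extra directory read is needed for them.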