Martin Thøgersen

Reputation: 1639

Manage ADLSGen2 ACLs with Shared Key Access Disabled?

On ADLS Gen2 (Azure Blob Storage with HNS enabled), we assign access via Access Control Lists (ACL), see ADLS Gen2 access control models. However, if we disable "Storage account key access", we lose the ability to edit the ACLs with the error:

"Failed to update ACL for path (...). Error: This request is not authorized to perform this operation using this permission"

This is quite counter-intuitive, given that Microsoft discourages shared (account) keys, and encourages ACL.

In the Azure portal, one can toggle between using Authentication method: Azure AD User Account or Access key when browsing data. (The latter is not possible when we disable access keys.) But in ACL management, it is not possible to choose a similar Authentication Method, and I suspect that they only support access keys.

Is this a feature or a bug? How do we manage ACLs with shared keys disabled?

Upvotes: 1

Views: 371

Answers (1)

James Crowley

Reputation: 4081

You specifically need the 'Storage Blob Data Owner' role assigned and scoped so it applies to the relevant container. The 'Owner' role on its own, for instance, does not work.

Upvotes: 1
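As an added example (not from the question or the answer above), the same fix done with Azure PowerShell instead of the portal: grant Storage Blob Data Owner scoped to one container, then edit a directory ACL through an Azure AD (OAuth) storage context so no account key is involved. All subscription, account, container, path and object-id values below are placeholders you must replace.

```powershell
# Placeholders (assumed values, not from the original post): replace with your own.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$storageAccount = "<storage-account>"
$container      = "<container>"            # the ADLS Gen2 file system
$principalId    = "<object-id-of-user-or-service-principal>"
$groupId        = "<object-id-of-group-to-grant>"
$dirPath        = "raw/sales"              # directory whose ACL we edit

Connect-AzAccount -Subscription $subscriptionId

# 1. Assign Storage Blob Data Owner at container scope only (least privilege).
#    This is the data-plane role that carries the ACL-modification data action;
#    the control-plane 'Owner' role does not.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName "Storage Blob Data Owner" `
                     -Scope $scope

# Check: the assignment must be visible at (or above) this scope before ACL
# calls succeed; propagation can take a few minutes.
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope

# 2. Build a storage context that authenticates with Azure AD, not the
#    account key. This is what makes ACL edits work with key access disabled.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount

# 3. Read the current ACL on the directory.
$dir = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $dirPath
$dir.ACL

# 4. Append an access ACE and a matching default ACE for the group, keeping
#    the existing entries (InputObject) so nothing already granted is dropped.
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $groupId `
           -Permission r-x -InputObject $dir.ACL
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $groupId `
           -Permission r-x -DefaultScope -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $dirPath -Acl $acl

# 5. Verify the write went through under the OAuth context.
(Get-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $dirPath).ACL
```

If step 4 still returns the "not authorized to perform this operation using this permission" error, re-check step 1: the role must be Storage Blob Data Owner and the scope must cover the container, not just the resource group's control plane.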
