Create a VM to access log files in Azure Blob Storage

  • Question

  • Hi, 

    I am trying to set up a VM that has only read-only access to the log files that are saved in a storage account. In order to do this, I created a customized role called "Storage Blob Data Reader - Capable".

    And the VM was assigned this role at the Storage Account scope. 

    However, this VM is still capable of deleting files on the storage account using the command below:

    az storage blob delete --account-name abs0execution  --container-name sparkjobs  --name sparkjobs/path/to/the/log/file

    I log in as the managed identity of this VM: az login --identity

    What would be the right permission I should set for this kind of customized role?

    Thank you!

    Tuesday, August 13, 2019 5:52 PM

Answers

  • This is the reply from other support:

    >>>>>>

    Yes, unfortunately, generate-sas is not supported in the login mode due to the product limitation. This is because the SAS signature must be computed with a Storage key.

    Sorry for the inconvenience that has been caused.

    <<<<<<

    • Marked as answer by enjoyear Friday, August 30, 2019 1:23 AM
    Saturday, August 24, 2019 5:12 PM

All replies

  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. Kindly try the following steps to isolate the issue:  

    For now, you can test the identity-based access using the PowerShell or Azure CLI modules: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-script?toc=%2fazure%2fstorage%2fblobs%2ftoc.json and let me know the status.

    However, you must also grant the user the Azure Resource Manager Reader role, so that they can navigate through the account resources to see/read only the blob data in the portal. See Use the Azure portal to access blob or queue data for details.

    You may also refer to the suggestion mentioned in this SO thread.

    Additional information: You can also use Shared Access Signature to grant permissions to Azure blob storage.

    To access the objects within the storage account with Azure AD authentication, you need to have one of the following roles assigned to the user:

    • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
    • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.

    Having an owner role doesn’t grant you the necessary permissions (unlike using keys to access the objects). You can read more details here: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad

    If the issue persists, please let us know; we would like to work closer on this issue.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and "Upvote" on the post that helps you, this can be beneficial to other community members.

    Monday, August 19, 2019 3:38 AM
    Moderator
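    An added example, not from this thread or from Microsoft: a small checker that evaluates which blob data operations a custom role definition permits, using a simplified version of Azure's DataActions/NotDataActions wildcard matching (role assignments, scopes and deny assignments are out of scope). The two role definitions are constructed; the first is hypothetical and shows one way a "read-only" custom role can still permit delete, namely a wildcard such as `.../containers/blobs/*` in its DataActions, while the second is narrowed to the single read data action that Storage Blob Data Reader grants.

```python
import fnmatch

# Constructed role definitions in the JSON shape accepted by `az role definition create`.
# The first is hypothetical: its wildcard DataAction quietly includes blob delete.
CUSTOM_ROLE_TOO_BROAD = {
    "Name": "Storage Blob Data Reader - Capable",
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": [],
}

# The same role narrowed to the single read data action.
CUSTOM_ROLE_READ_ONLY = {
    "Name": "Storage Blob Data Reader - Capable",
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
}

BLOB_OPS = {
    "read": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "write": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "delete": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
}


def _matches(pattern: str, action: str) -> bool:
    # Azure action strings are case-insensitive and '*' matches any run of segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_data_action(role: dict, action: str) -> bool:
    """Simplified evaluation: some DataActions pattern must allow the action and no
    NotDataActions pattern may exclude it."""
    allowed = any(_matches(p, action) for p in role.get("DataActions", []))
    excluded = any(_matches(p, action) for p in role.get("NotDataActions", []))
    return allowed and not excluded


def effective_blob_operations(role: dict) -> dict:
    """Map each blob operation (read/write/delete) to whether the role permits it."""
    return {op: grants_data_action(role, action) for op, action in BLOB_OPS.items()}


def broad_patterns(role: dict) -> list:
    """DataActions patterns that permit more than read: what a reviewer should flag."""
    mutating = [a for op, a in BLOB_OPS.items() if op != "read"]
    return [p for p in role.get("DataActions", []) if any(_matches(p, a) for a in mutating)]
```

Running `effective_blob_operations` and `broad_patterns` over a role definition exported with `az role definition list` is a quick way to confirm that a role intended for log readers grants nothing beyond read.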
  • Hi Sumanth,

    Thank you very much for your reply; it helps a lot. But a new issue comes up after applying your suggestion.

    With my original settings, I am able to generate the SAS token with the script below in the "key" mode:

    az storage blob generate-sas \
        --account-name abs0execution \
        --container-name sparkjobs \
        --permissions r --https-only \
        --expiry 2019-12-31T00:00:00Z \
        --name sparkjobs/f046414e-0248-4f1c-840d-feda35483e09/19_08_2019_19_28_11_009/log/YarnLogs/application_1566242657898_0004/stdout

    However, it now raises a "self.account_key should not be None" exception after applying the login mode "--auth-mode login" (the role I am assigning to the VM is Storage Blob Data Reader).

    I expect this to work because the permission "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action" is granted for the role Storage Blob Data Reader (https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader).

    It seems to me that "generate-sas" is not supported in the login mode. Is that correct?

    Thank you!

    Tuesday, August 20, 2019 12:09 AM
  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Are you referring to User delegation SAS (Preview)? If I am wrong, please correct me.

    • With a user delegation key that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key.
    • To get the user delegation key and create the SAS, an Azure AD security principal must be assigned a role-based access control (RBAC) role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. For detailed information about RBAC roles with permissions to get the user delegation key, see Create a user delegation SAS (REST API).
    • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

    If the issue still persists, we would like to work closer on this issue: could you please reach out to me via AZCommunity[AT]microsoft.com with a link to this issue as well as your subscription ID, and we can help get a support ticket opened for this issue. Please mention "ATTN subm" in the subject field.

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and "Upvote" on the post that helps you, this can be beneficial to other community members.

    Thursday, August 29, 2019 2:21 PM
    Moderator
  • @enjoyear Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Wednesday, September 4, 2019 5:09 AM
    Moderator