Programmatically assign/read user-identity to storage container

  • Question

  • Hello, I've created some MSI (user assigned identity) and I'm able to assign it via the console by going to:

    Storage->(account)->blobs->(container) -> IAM -> select role, select UAI

    Visual of the result: https://imgur.com/a/KCE0gkN

    This works, but trying to do this via the CLI, I can't see what scope this is linked to.  I'm doing the same thing with Key Vaults, and Storage Accounts, but doing it on the container itself, in the console it works the same way, but over the CLI/API it's not working.

    I think that my "scope" is just not correct for the container, i.e. this works to show me the UAIs assigned to my vault:

    $ az role assignment list --scope /subscriptions/12345678-b895-4793-94f3-123412341234/resourceGroups/vault-resource-group/providers/Microsoft.KeyVault/vaults/myvault | head
    [   {     "canDelegate": null,

    But after assigning a UAI to the container, I can't track the proper scope to see it listed, which is the same issue I have trying to assign it:

    Instead of Microsoft.Storage/storageAccounts/mystorageaccount

    I assumed it would be: Microsoft.Storage/storageAccounts/mystorageaccount/mycontainer

    But this throws a weird error:

    $ az role assignment list --scope /subscriptions/12345678-b895-4793-94f3-123412341234/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount/mycontainer
    No registered resource provider found for location 'westus' and API version '2018-01-01-preview' for type 'storageAccounts'. The supported api-versions are '2018-07-01, 2018-03-01-preview, 2018-02-01, 2017-10-01, 2017-06-01, 2016-12-01, 2016-05-01,
     2016-01-01, 2015-06-15, 2015-05-01-preview'. The supported locations are 'eastus, eastus2, westus, westeurope, eastasia, southeastasia, japaneast, japanwest, northcentralus, southcentralus, centralus, northeurope, brazilsouth, australiaeast, australiasoutheast,
     southindia, centralindia, westindia, canadaeast, canadacentral, westus2, westcentralus, uksouth, ukwest, koreacentral, koreasouth, francecentral'.

    Does anyone know the proper scope address to the container?

    THANKS




    • Edited by slikk66 Monday, October 8, 2018 10:16 PM add link
    Monday, October 8, 2018 10:04 PM

Answers

  • This is what I was looking for:

    "/subscriptions/{subscription-id}/resourceGroups/res9290/providers/Microsoft.Storage/storageAccounts/sto1590/blobServices/default/containers/container1644"

    • Marked as answer by slikk66 Tuesday, October 9, 2018 10:28 PM
    Tuesday, October 9, 2018 10:27 PM
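
The scope format from the accepted answer, wrapped in a small shell helper (an added example, not part of the thread): `container_scope` checks the names and prints the container-level scope, and the two wrappers pass it to `az role assignment list` and `az role assignment create`. The function names are hypothetical, and the role name is whatever was selected in the portal.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the container-level scope in the
# format from the accepted answer and uses it with `az role assignment`.
LC_ALL=C; export LC_ALL   # make [a-z] ranges match ASCII lowercase only

# container_scope SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT CONTAINER
# Prints the scope on stdout; returns 1 if a name cannot be valid.
# System containers such as $root or $web are not handled here.
container_scope() {
  case $1 in
    *[!0-9a-fA-F-]*) echo "subscription id is not a GUID: $1" >&2; return 1 ;;
    ????????-????-????-????-????????????) ;;
    *) echo "subscription id is not a GUID: $1" >&2; return 1 ;;
  esac
  # Storage account names: 3-24 lowercase letters and digits.
  case $3 in
    *[!a-z0-9]*) echo "invalid storage account name: $3" >&2; return 1 ;;
  esac
  if [ "${#3}" -lt 3 ] || [ "${#3}" -gt 24 ]; then
    echo "invalid storage account name: $3" >&2; return 1
  fi
  # Container names: 3-63 chars of a-z, 0-9 and single hyphens,
  # starting and ending with a letter or digit.
  case $4 in
    *[!a-z0-9-]*|-*|*-|*--*) echo "invalid container name: $4" >&2; return 1 ;;
  esac
  if [ "${#4}" -lt 3 ] || [ "${#4}" -gt 63 ]; then
    echo "invalid container name: $4" >&2; return 1
  fi
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' \
    "$1" "$2" "$3" "$4"
}

# list_container_assignments SUB RG ACCOUNT CONTAINER
# Shows role assignments made directly on the container.
list_container_assignments() {
  scope=$(container_scope "$@") || return 1
  az role assignment list --scope "$scope" --output table
}

# assign_on_container PRINCIPAL_ID ROLE SUB RG ACCOUNT CONTAINER
# Grants ROLE to the identity on this one container only, not the whole account.
assign_on_container() {
  principal=$1; role=$2; shift 2
  scope=$(container_scope "$@") || return 1
  az role assignment create --assignee "$principal" --role "$role" --scope "$scope"
}
```

Assigning at the container scope keeps the identity's access limited to that container instead of every container in the storage account.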