What are minimal IAM permissions to use a blob container with an MSI?

    Question

  • I'm trying to create IAM roles that only have permissions to read a container and read/write/delete blobs.

    I have the following VMSS set up with MSI:

    → az vmss identity show --resource-group michael-discuss --name discuss
    {
      "identityIds": null,
      "principalId": "xxxx-xxxx-xxxx-xxxx-xxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxx",
      "type": "SystemAssigned"
    }

    The assigned roles for that MSI are:

    → az role assignment list --all --assignee xxxxxx-xxxx-xxxx-xxxx-xxxx
    [
      {
        "additionalProperties": {},
        "canDelegate": null,
        "id": "/subscriptions/xxxx-xxxx-xxxx-xxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss/providers/Microsoft.Authorization/roleAssignments/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
        "name": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
        "principalId": "xxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxx",
        "principalName": "xxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxx",
        "resourceGroup": "michael-discuss",
        "roleDefinitionId": "/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxx",
        "roleDefinitionName": "Blob Read - michael-discuss",
        "scope": "/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss",
        "type": "Microsoft.Authorization/roleAssignments"
      },
      {
        "additionalProperties": {},
        "canDelegate": null,
        "id": "/subscriptions/xxxxx-xxxxx-xxxx-xxxxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss/blobServices/default/containers/assets/providers/Microsoft.Authorization/roleAssignments/xxxxx-xxxx-xxxx-xxxx-xxxxx",
        "name": "xxxxx-xxxxx-xxxx-xxxx-xxxxxxxx",
        "principalId": "xxxxx-xxxx-xxxx-xxxx-xxxxx",
        "principalName": "xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxx",
        "resourceGroup": "michael-discuss",
        "roleDefinitionId": "/subscriptions/xxxxx-xxxx-xxx-xxxx-xxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxx-xxxx-xxxx-xxxx-xxxxxx",
        "roleDefinitionName": "Storage Blob Data Contributor (Preview)",
        "scope": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss/blobServices/default/containers/assets",
        "type": "Microsoft.Authorization/roleAssignments"
      }
    ]

    The custom role I'm using above provides the permissions:

        "permissions": [
          {
            "actions": [
              "Microsoft.Storage/storageAccounts/blobServices/containers/read"
            ],
            "dataActions": [],
            "notActions": [],
            "notDataActions": []
          }
        ],

    Yet when I attempt to use a VM's MSI to read those containers, it can't see any resources:

    toor@app-discuss-000001:~$ az resource list
    []
    toor@app-discuss-000001:~$ az storage blob list --account-name michaeldiscuss --container-name assets | jq '.[].name'
    az storage blob list: error: Storage account 'michaeldiscuss' not found.

    The command from a full-permission account yields the expected output:

    → az storage blob list --account-name michaeldiscuss --container-name assets | jq '.[].name'
    "michael-head-192.png"

    What permissions am I missing to be able to accomplish my goal?




    Friday, 13 July 2018 18:54

All messages

  • Since you have assigned “Storage Blob Data Contributor (Preview)”, you don’t have enough permissions to retrieve info via Cloud Shell. In order to retrieve the info via Azure Cloud Shell, give “Storage Account Contributor” permission on the Resource Group.

    Thursday, 19 July 2018 11:01
    Moderator
  • Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same. And, if you have any further query, do let us know.

    Saturday, 21 July 2018 11:14
    Moderator
  • This is also not working:

    

    Though even if it did, it would be way more permission than necessary. Again, I'm looking for minimal required permissions.

    michael@app-discuss-36276cc9d922.xxxx-dev-michael: ~ $ az resource list
    []
    michael@app-discuss-36276cc9d922.xxxx-dev-michael: ~ $ az storage blob list --account-name xxxxdevmichaeldiscuss --container-name assets
    az storage blob list: error: Storage account 'xxxxdevmichaeldiscuss' not found.
    


    Monday, 23 July 2018 15:54
  • Seems like:

          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",

    are appropriate permissions on the storage account, plus Storage Blob Data Contributor (Preview) (or something more specific) on the blob container itself.

    But it doesn't *always* work. I guess Azure takes a long time to update permissions? Should this take minutes or hours to replicate? These are three consecutive requests:

    michael@app-discuss-36276cc9d922.xxxx-dev-michael: ~ $ az storage blob list --account-name xxxxdevmichaeldiscuss --container-name assets
    [
      {
        "content": null,
        "deleted": false,
        "metadata": null,
        "name": "michael-head-192.png",
    …
    
    michael@app-discuss-36276cc9d922.xxxx-dev-michael: ~ $ az storage blob list --account-name xxxxdevmichaeldiscuss --container-name assets
    az storage blob list: error: Storage account 'msftdevmichaeldiscuss' not found.
    
    michael@app-discuss-36276cc9d922.xxxx-dev-michael: ~ $ az storage blob list --account-name xxxxdevmichaeldiscuss --container-name assets
    az storage blob list: error: Azure Error: AuthorizationFailed
    Message: The client 'e5457c0974a6' with object id 'e5457c0974a6' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/xxxx/resourceGroups/xxxx-dev-michael-discuss/providers/Microsoft.Storage/storageAccounts/xxxxdevmichaeldiscuss'.

    EDIT: re that last error (which now seems to be consistent)

    https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-roles-permissions-security

    This sounds terrifying:

    Warning

    The ListKeys permission enables the user to list the primary and secondary storage account keys. These keys grant the user all signed permissions (read, write, create blobs, delete blobs, etc.) across all signed services (blob, queue, table, file) in that storage account. We recommend using an Account SAS described above when possible.

    Monday, 23 July 2018 16:22
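The thread ends with two management-plane actions on the storage account plus a data-plane role on the container, and an `AuthorizationFailed` on `listKeys/action`. The small evaluator below is an added example (not code from the thread or from Microsoft) that models how Azure RBAC decides "is this principal allowed to do X at scope Y": an assignment applies to its scope and every child scope, `Actions` are matched with `*` wildcards and then reduced by `NotActions`, and control-plane actions are evaluated separately from `DataActions`. Running it over the three configurations discussed above shows why the original custom role produced "Storage account not found" (no `storageAccounts/read` to resolve the account), why the fixed role still cannot `listKeys` (which is the point), and why "Storage Account Contributor" on the resource group does hand out `listKeys/action` without granting any blob data access at all. The subscription ID, scope strings and role contents are constructed for the example; the two built-in roles are simplified snapshots and the live definitions contain more actions.

```python
"""Toy Azure RBAC evaluator (added example; not code from the original thread).

Models the thread's end state and asks whether the VMSS identity may perform a
given action at a given ARM scope. All IDs and role contents are constructed;
built-in roles are simplified snapshots, not authoritative definitions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple = ()            # control-plane (ARM) operations
    not_actions: tuple = ()
    data_actions: tuple = ()       # data-plane operations on the resource's contents
    not_data_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    role: RoleDefinition
    scope: str  # ARM resource ID; the grant applies to this scope and all children


def _action_matches(patterns, action):
    # Action strings are case-insensitive; '*' matches any run of characters,
    # including '/', so "Microsoft.Storage/storageAccounts/*" covers listKeys/action.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _scope_covers(assignment_scope, requested_scope):
    a = assignment_scope.lower().rstrip("/")
    r = requested_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_allowed(assignments, action, scope, data=False):
    """True if any in-scope assignment grants `action` and that role's
    Not(Data)Actions do not take it back. There is no deny-by-role in Azure
    RBAC: a single permissive assignment is enough."""
    for asg in assignments:
        if not _scope_covers(asg.scope, scope):
            continue
        allow = asg.role.data_actions if data else asg.role.actions
        deny = asg.role.not_data_actions if data else asg.role.not_actions
        if _action_matches(allow, action) and not _action_matches(deny, action):
            return True
    return False


# Constructed scopes mirroring the thread's resource names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/michael-discuss"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/michaeldiscuss"
ASSETS = ACCOUNT + "/blobServices/default/containers/assets"
OTHER = ACCOUNT + "/blobServices/default/containers/internal"  # sibling container
CONTAINERS = "Microsoft.Storage/storageAccounts/blobServices/containers"

# Custom role as first posted: container read only.
BLOB_READ_ORIGINAL = RoleDefinition("Blob Read (as posted)", actions=(CONTAINERS + "/read",))
# Custom role as the thread ends: the caller can also resolve the account.
BLOB_READ_FIXED = RoleDefinition(
    "Blob Read (fixed)",
    actions=("Microsoft.Storage/storageAccounts/read", CONTAINERS + "/read"))
# Simplified snapshot of the built-in data-plane role.
BLOB_DATA_CONTRIBUTOR = RoleDefinition(
    "Storage Blob Data Contributor",
    actions=(CONTAINERS + "/delete", CONTAINERS + "/read", CONTAINERS + "/write"),
    data_actions=tuple(CONTAINERS + "/blobs/" + op
                       for op in ("delete", "read", "write", "move/action", "add/action")))
# Simplified snapshot of the role suggested by the moderator; wildcard on the account.
STORAGE_ACCOUNT_CONTRIBUTOR = RoleDefinition(
    "Storage Account Contributor",
    actions=("Microsoft.Storage/storageAccounts/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read"))

PROBES = {  # label -> (action, scope, is_data_action)
    "resolve account (storageAccounts/read)": ("Microsoft.Storage/storageAccounts/read", ACCOUNT, False),
    "list account keys (listKeys/action)": ("Microsoft.Storage/storageAccounts/listKeys/action", ACCOUNT, False),
    "read container metadata": (CONTAINERS + "/read", ASSETS, False),
    "read blobs in assets": (CONTAINERS + "/blobs/read", ASSETS, True),
    "delete blobs in assets": (CONTAINERS + "/blobs/delete", ASSETS, True),
    "read blobs in sibling container": (CONTAINERS + "/blobs/read", OTHER, True),
}


def report(assignments):
    return {label: is_allowed(assignments, action, scope, data)
            for label, (action, scope, data) in PROBES.items()}


def minimal_assignments(account_role=BLOB_READ_FIXED):
    return [RoleAssignment(account_role, ACCOUNT), RoleAssignment(BLOB_DATA_CONTRIBUTOR, ASSETS)]


def broad_assignments():
    return [RoleAssignment(STORAGE_ACCOUNT_CONTRIBUTOR, RG), RoleAssignment(BLOB_DATA_CONTRIBUTOR, ASSETS)]


if __name__ == "__main__":
    for title, asgs in (("custom role as posted", minimal_assignments(BLOB_READ_ORIGINAL)),
                        ("custom role fixed", minimal_assignments()),
                        ("Storage Account Contributor on the RG", broad_assignments())):
        print(title)
        for label, ok in report(asgs).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {label}")
```

One caveat that follows from the last error in the thread: `az storage blob list` authenticates with the account key unless told otherwise, and fetching that key is exactly `Microsoft.Storage/storageAccounts/listKeys/action`. Current Azure CLI releases accept `--auth-mode login`, which sends the identity's Entra token to the blob endpoint instead, so the `DataActions` of the container-scoped role are what gets checked and `listKeys` never needs to be granted. Without that flag, the only way to make the command succeed is the `listKeys` grant the quoted warning is about, which defeats the purpose of a container-scoped role.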