What are minimal IAM permissions to use a blob container with an MSI?

    Question

  • I'm trying to create IAM roles that only have permissions to read a container and read/write/delete blobs.

    I have the following VMSS set up with MSI:

    → az vmss identity show --resource-group michael-discuss --name discuss
    {
      "identityIds": null,
      "principalId": "xxxx-xxxx-xxxx-xxxx-xxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxx",
      "type": "SystemAssigned"
    }

    The assigned roles for that MSI are:

    → az role assignment list --all --assignee xxxxxx-xxxx-xxxx-xxxx-xxxx
    [
      {
        "additionalProperties": {},
        "canDelegate": null,
        "id": "/subscriptions/xxxx-xxxx-xxxx-xxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss/providers/Microsoft.Authorization/roleAssignments/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
        "name": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
        "principalId": "xxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxx",
        "principalName": "xxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxx",
        "resourceGroup": "michael-discuss",
        "roleDefinitionId": "/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxx",
        "roleDefinitionName": "Blob Read - michael-discuss",
        "scope": "/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss",
        "type": "Microsoft.Authorization/roleAssignments"
      },
      {
        "additionalProperties": {},
        "canDelegate": null,
        "id": "/subscriptions/xxxxx-xxxxx-xxxx-xxxxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss/blobServices/default/containers/assets/providers/Microsoft.Authorization/roleAssignments/xxxxx-xxxx-xxxx-xxxx-xxxxx",
        "name": "xxxxx-xxxxx-xxxx-xxxx-xxxxxxxx",
        "principalId": "xxxxx-xxxx-xxxx-xxxx-xxxxx",
        "principalName": "xxxxx-xxxxx-xxxxx-xxxxx-xxxxxxx",
        "resourceGroup": "michael-discuss",
        "roleDefinitionId": "/subscriptions/xxxxx-xxxx-xxx-xxxx-xxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxx-xxxx-xxxx-xxxx-xxxxxx",
        "roleDefinitionName": "Storage Blob Data Contributor (Preview)",
        "scope": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/michael-discuss/providers/Microsoft.Storage/storageAccounts/michaeldiscuss/blobServices/default/containers/assets",
        "type": "Microsoft.Authorization/roleAssignments"
      }
    ]

    The custom role I'm using above provides the permissions:

        "permissions": [
          {
            "actions": [
              "Microsoft.Storage/storageAccounts/blobServices/containers/read"
            ],
            "dataActions": [],
            "notActions": [],
            "notDataActions": []
          }
        ],

    Yet when I attempt to use a VM's MSI to read those containers, it can't see any resources:

    toor@app-discuss-000001:~$ az resource list
    []
    toor@app-discuss-000001:~$ az storage blob list --account-name michaeldiscuss --container-name assets | jq '.[].name'
    az storage blob list: error: Storage account 'michaeldiscuss' not found.

    The command from a full-permission account yields the expected output:

    → az storage blob list --account-name michaeldiscuss --container-name assets | jq '.[].name'
    "michael-head-192.png"

    What permissions am I missing to be able to accomplish my goal?




    Friday, 13 July 2018 18:54

All replies

  • Since you have assigned “Storage Blob Data Contributor (Preview)”, you don’t have enough permissions to retrieve info via Cloud Shell. In order to retrieve the info via Azure Cloud Shell, give “Storage Account Contributor” permission to the Resource Group.

    Thursday, 19 July 2018 11:01
    Moderator
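An added example, not part of the thread above, that makes the permission gap in the question concrete without touching a live subscription. It is a small offline evaluator that applies Azure RBAC's matching rules (wildcard `*` in actions, `notActions` subtraction, scope inheritance down the resource id) to the two assignments the question lists. The custom role's contents are the ones quoted in the question; the contents given for "Storage Blob Data Contributor" are an approximation (an assumption, verify with `az role definition list --name "Storage Blob Data Contributor"`), and `SUB` is a placeholder subscription id. The evaluator shows that the data-plane blob read/write/delete actions are granted at the container scope, while the management-plane action `Microsoft.Storage/storageAccounts/read` is not granted at all, which is why `az resource list` returns `[]` and why `az storage blob list`, which by default resolves the account through ARM and uses its keys, reports the account as not found. A token-based call (`az storage blob list --auth-mode login`) needs only the data actions and so works with these two roles unchanged; the "Storage Account Contributor" route in the reply works because that role includes `listKeys`, but account keys grant data access to every container, which is broader than the least-privilege goal stated in the question.

```python
"""Offline evaluator of Azure RBAC role assignments for the thread's scenario.

Added example, not code from the original thread or from Azure. Role
contents and resource ids below are constructed for illustration.
"""
import fnmatch

# Constructed role definitions. The custom role matches the one quoted in
# the question. The built-in one is an approximation (assumption) of
# "Storage Blob Data Contributor" and should be verified against
# `az role definition list --name "Storage Blob Data Contributor"`.
ROLE_DEFINITIONS = {
    "Blob Read - michael-discuss": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        ],
        "notDataActions": [],
    },
}

# "SUB" is a placeholder subscription id (constructed).
ACCOUNT = ("/subscriptions/SUB/resourceGroups/michael-discuss/providers"
           "/Microsoft.Storage/storageAccounts/michaeldiscuss")
CONTAINER = ACCOUNT + "/blobServices/default/containers/assets"

# The two assignments from the question: custom role at the account,
# built-in data role at the single container.
ASSIGNMENTS = [
    {"role": "Blob Read - michael-discuss", "scope": ACCOUNT},
    {"role": "Storage Blob Data Contributor", "scope": CONTAINER},
]


def scope_covers(assignment_scope, resource_id):
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def _matches(operation, patterns):
    # Azure's '*' spans path segments, which fnmatch's '*' also does.
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def permits(operation, resource_id, data_plane=False):
    """True if any assignment in scope allows the operation and none of its
    notActions/notDataActions takes it away again."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    for assignment in ASSIGNMENTS:
        if not scope_covers(assignment["scope"], resource_id):
            continue
        role = ROLE_DEFINITIONS[assignment["role"]]
        if _matches(operation, role[allow_key]) and not _matches(operation, role[deny_key]):
            return True
    return False


def missing_permissions(required, resource_id):
    """Return the (operation, plane) pairs that no assignment grants."""
    return [(op, plane) for op, plane in required
            if not permits(op, resource_id, data_plane=(plane == "data"))]


# The goal stated in the question: read the container, read/write/delete blobs.
GOAL = [
    ("Microsoft.Storage/storageAccounts/blobServices/containers/read", "control"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "data"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "data"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", "data"),
]

# What the CLI's default key-based path needs: enumerate the account via ARM
# and fetch its keys. Neither is granted by the two assignments.
KEY_AUTH = [
    ("Microsoft.Storage/storageAccounts/read", "control"),
    ("Microsoft.Storage/storageAccounts/listKeys/action", "control"),
]

if __name__ == "__main__":
    print("missing for stated goal:", missing_permissions(GOAL, CONTAINER))
    print("missing for key-based CLI auth:", missing_permissions(KEY_AUTH, CONTAINER))
```

Run as a script, the first line prints an empty list (the two roles already cover the stated goal for token-based access at the container scope) and the second lists both management-plane operations, which is the gap the error messages in the question reflect. The evaluator ignores deny assignments and conditions, which the thread does not involve.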