Jan 30, 2022

Control access to blobs with blob index tags and custom security attributes in Azure AD!

 

Dear Azure Friends,

 

Imagine you want to control access to the blobs in an Azure Storage Account Blob Container using attributes. This is possible today with the combination of Blob Index Tags and Custom Security Attributes (a new preview feature) in Azure Active Directory.

 

I have created a storage account with the setting "Default to Azure Active Directory authorization in the Azure portal".

 

Before we get into the custom security attributes, let's first address the question of who can add index tags when uploading files to a blob container. The answer is that only the Storage Blob Data Owner can.

 

Now let's talk about the custom security attributes. First, a few prerequisites! To assign custom security attributes and add role assignment conditions in your Azure AD tenant, you need:

Azure AD Premium P1 or P2 license
Attribute Definition Administrator and Attribute Assignment Administrator
User Access Administrator or Owner

https://docs.microsoft.com/en-us/azure/role-based-access-control/conditions-custom-security-attributes

 

Note:
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. If you do not meet these prerequisites, you won't see the principal/user attributes in the condition builder.

 

As an example, I have assigned myself the Attribute Definition Administrator role.

 

1. Add a new custom security attribute

 

To be able to assign the attributes to a user you need the Attribute Assignment Administrator role. I have also assigned this to my account. In practice, for security reasons, you should scope this role to a specific attribute set rather than assign it tenant-wide. In this example I keep it simple.

 

2. Assign the custom security attribute to a user

 

3. Create a security group in Azure Active Directory with the users in question

 

4. Assign the Storage Blob Data Reader role with a condition (I configured this role on the storage account, but it can also be done directly on the container.)

 

Important: the data plane is not the same as the management plane. This means that access to the blobs does not imply access to the storage account itself. For this reason, we also give the newly created security group the Reader role.
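The role assignments from steps 4 and 5, together with the blob index tags that make the condition match, as an added Az PowerShell example (not the author's script). The resource group, storage account, group name, container and blob names, the tag key "Project", and the attribute set "Engineering" with attribute "Project" are assumed placeholder names; the condition follows the documented ABAC 2.0 syntax for blob index tags and principal custom security attributes.

```powershell
# Added example, not from the original post. Placeholder names below are assumptions.
$rg      = "rg-demo"                    # assumed resource group
$account = "stdemo001"                  # assumed storage account name
$group   = "Project Zodiac Readers"     # assumed Azure AD security group from step 3
$subId   = (Get-AzContext).Subscription.Id
$scope   = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$account"
$groupId = (Get-AzADGroup -DisplayName $group).Id

# ABAC condition (version 2.0): the blob read action is allowed only when the blob index
# tag "Project" equals the caller's custom security attribute Engineering/Project
# (attribute set and attribute name are assumed). A blob without the tag never matches,
# which is why the untagged "Learn" file in the post stays inaccessible.
# Single-quoted here-string so the $key_case_sensitive$ marker is not expanded by PowerShell.
$condition = @'
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project]
 )
)
'@

# Step 4: data-plane role with the condition, scoped to the account (a container scope also works)
New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope $scope -Condition $condition -ConditionVersion "2.0"

# Step 5: management-plane Reader so the group can navigate to the account in the portal
New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName "Reader" -Scope $scope

# Tagging the blobs (the caller needs Storage Blob Data Owner for this). Only the IT image
# carries the value that Jane's attribute holds; Me_Bike carries a different project and
# Learn is deliberately left untagged. Container and blob names are assumed.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
Set-AzStorageBlobTag -Container "images" -Blob "IT.png"      -Tag @{ Project = "Zodiac" }  -Context $ctx
Set-AzStorageBlobTag -Container "images" -Blob "Me_Bike.png" -Tag @{ Project = "Dedalus" } -Context $ctx

# Verify that the condition is attached to the assignment before testing as a user
Get-AzRoleAssignment -ObjectId $groupId -Scope $scope |
    Select-Object RoleDefinitionName, ConditionVersion, Condition
```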

 

Now it's time for testing. I sign in with a browser as Jane Ford. We navigate directly to the storage account and the corresponding container. As a reminder, Jane Ford has been configured with the attribute "Project Zodiac". Only the IT image has exactly the same Blob Index Tag. This means that Jane can only access this one image. The image Learn has no Blob Index Tag, so Jane can't open this file, and the file Me_Bike has the Blob Index Tag "Project Dedalus" configured, so Jane can't open this file either.

 

Perfect, access to the blobs works exactly as desired, really great!

 

Important:
I first did this test with a storage account which was created in "West Europe". This did not work. With a storage account in "East US" it worked fine. I assume that it will soon work in the "West Europe" region as well.

 

I already realize that this wasn't super exciting, but I still wanted to share this experience with you. I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

 
