Microsoft

Use case:

Accessing the ADLS Gen 2 Storage account using service principal having OAuth RBAC roles or ACL permissions via REST API.


Pre-requisites for Azure AD OAuth RBAC role:

1. For calling the REST API with a service principal that has an OAuth RBAC role on the ADLS Gen2 storage account, you need to generate a bearer token using the tenant, client id and client secret. For more details on generating the bearer token, refer to this article: https://docs.microsoft.com/en-us/rest/api/azure/

Everything discussed in the above article still applies when generating the bearer token; the following are the changes that need to be made:

  • The resource Id is https://storage.azure.com/
  • Grant your registered app/service principal permissions to Azure Storage as described in this article: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app#grant-your-registered-app-permissions-to-azure-storage

2. Assign the service principal the right permissions at the storage account level, i.e. for management plane access (https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#management-plane-security) and for data plane access (https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#data-plane-security).

Example: For read-only access at the storage account and read, write, delete access to the data, you can assign the management role “Reader” at the storage account level and the data role “Storage Blob Data Contributor” either at the storage account level or at the filesystem level.

RBAC role demo:

Once you have followed the above steps, you can make the REST API call with the following headers:

  • x-ms-version: This is optional when you use Bearer token authorization
  • Authorization: This is required and should carry a valid bearer token, prefixed with ‘Bearer’ and a space, as shown in the screenshot below.

Sample REST API call to list the filesystems of an ADLS Gen2 storage account using the RBAC permissions of the service principal:

[Screenshot: RBACDemo-border.png]
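As an added example (not code from the original post), the following Python builds the client-credentials token request for the https://storage.azure.com/ resource, checks the token's audience and expiry before it is used, and issues the List Filesystems call with the Bearer header. The tenant, client id, secret and account name are placeholders, and make_constructed_jwt only produces an unsigned stand-in token so the checks can run offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

STORAGE_RESOURCE = "https://storage.azure.com/"  # the resource id the token must be issued for

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST to the Azure AD token endpoint, scoped to the storage resource."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": STORAGE_RESOURCE}
    return url, urllib.parse.urlencode(form).encode()

def make_constructed_jwt(claims):
    """Unsigned, CONSTRUCTED token for offline demonstration only; Azure would reject it."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."

def token_claims(jwt):
    """Decode the payload segment without verifying the signature (client-side inspection only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(jwt, now=None):
    """True when the token targets the storage resource and is unexpired; a token minted for
    another resource (e.g. the management API) is the usual cause of a 401 from the DFS endpoint."""
    claims = token_claims(jwt)
    now = time.time() if now is None else now
    return claims.get("aud") == STORAGE_RESOURCE and claims.get("exp", 0) > now

def build_list_filesystems_request(account, jwt):
    """List Filesystems: GET https://{account}.dfs.core.windows.net/?resource=account with the
    'Bearer <token>' header; x-ms-version is omitted as it is optional with bearer authorization."""
    url = f"https://{account}.dfs.core.windows.net/?resource=account"
    return url, {"Authorization": "Bearer " + jwt}

def parse_filesystems(body):
    """Filesystem names from the List Filesystems JSON response."""
    return [fs["name"] for fs in json.loads(body).get("filesystems", [])]

def list_filesystems(account, jwt):
    """Perform the call over the network; HTTPError 401/403 surfaces a bad token or missing role."""
    if not check_token(jwt):
        raise ValueError("token audience/expiry not suitable for " + STORAGE_RESOURCE)
    url, headers = build_list_filesystems_request(account, jwt)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return parse_filesystems(resp.read())
```

To run it against a real account, POST the output of build_token_request, take access_token from the JSON reply and pass it to list_filesystems; the token check catches the common mistake of requesting the token for a different resource.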


Pre-requisites for configuring ACLs for ADLS Gen2:

You can assign ACLs to filesystems, directories and files, but you need to make sure the user/service principal has at least Execute (X) permission at the filesystem level and on every directory in the path. More details on ACLs in ADLS Gen 2 can be found here: https://docs.microsoft.com/ro-ro/azure/storage/blobs/data-lake-storage-access-control

In this case, you don’t need the ‘Reader’ role on the storage account to perform data operations on the filesystems and directories. However, if the user wants to browse the data via a client, install Storage Explorer (https://azure.microsoft.com/en-in/features/storage-explorer/) and ensure that you have granted the user the ‘Reader’ role at the storage account level so that the filesystems can be listed.

You can assign the ACL permissions for ADLS Gen 2 using the REST API (https://docs.microsoft.com/en-us/rest/api/storageservices/datalakestoragegen2/path/update) and Storage Explorer (https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-how-to-set-permissions-storage-explorer).

Note: If both RBAC and ACLs are assigned to the same user, RBAC takes precedence over ACL and the ACL check is not performed.

ACL demo for ADLS Gen 2:

Consider the scenario below, where the service principal needs only read access to the file:

  • Filesystem (thirdone) has Execute (X) permission for the service principal
  • Directory (Fed) has Execute (X) permission
  • File (123.txt) has Read (R) and Execute (X) permission

You can make the REST API call with the following headers:

  • x-ms-version: This is optional when you use Bearer token authorization
  • Authorization: This is required and should carry a valid bearer token, prefixed with ‘Bearer’ and a space

Sample REST API call for reading the file:

[Screenshot: ACLDemo-border.png]
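As an added example (not part of the article), the following Python models the ACL walk for the scenario above, using ACL strings in the form the Path - Update API accepts, together with the rule from the note that an RBAC data role bypasses the ACL check. The object id is a constructed placeholder, and the Storage Blob Data Reader role is an assumption beyond the Contributor role the article names.

```python
SP_OID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder for the service principal's object id

# Constructed ACLs in the x-ms-acl string form, one per node on the path:
# the filesystem and the directory grant only X to the principal, the file grants R and X.
ACLS = {
    "thirdone": f"user::rwx,group::r-x,other::---,user:{SP_OID}:--x",
    "thirdone/Fed": f"user::rwx,group::r-x,other::---,user:{SP_OID}:--x",
    "thirdone/Fed/123.txt": f"user::rw-,group::r--,other::---,user:{SP_OID}:r-x",
}
READ_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Reader"}  # data-plane RBAC roles

def parse_acl(acl_string):
    """Parse '[default:]type:id:perms' entries into {(type, id): perms}; 'default:' entries only
    shape the ACLs of children created later, so they are skipped for access checks."""
    entries = {}
    for item in filter(None, (s.strip() for s in acl_string.split(","))):
        parts = item.split(":")
        if parts[0] == "default":
            continue
        kind, ident, perms = parts
        entries[(kind, ident)] = perms
    return entries

def effective_perms(entries, oid):
    """Named-user entry for the principal, limited by the mask entry if one is present."""
    perms = entries.get(("user", oid), "---")
    mask = entries.get(("mask", ""))
    if mask:
        perms = "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))
    return perms

def can_read(acls, oid, path, rbac_roles=()):
    """Decide whether a GET on path succeeds: an RBAC data role wins and the ACL walk is skipped;
    otherwise the filesystem and every directory need X and the file itself needs R."""
    if READ_ROLES & set(rbac_roles):
        return True, "rbac"
    parts = path.split("/")
    for depth in range(1, len(parts)):
        node = "/".join(parts[:depth])
        if "x" not in effective_perms(parse_acl(acls.get(node, "")), oid):
            return False, f"missing X on {node}"
    if "r" not in effective_perms(parse_acl(acls.get(path, "")), oid):
        return False, f"missing R on {path}"
    return True, "acl"
```

The second element of the result names the first node on the path that blocks the read, which is the usual diagnosis when a 403 comes back from an otherwise correct bearer-token call.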

1 Comment
Occasional Visitor

Very helpful.

nice description