Use ABAC in RBAC roles in Azure Storage to perform upload/download blobs & restrict delete blobs
Published Mar 31 2023 07:05 AM 4,740 Views
Microsoft

Disclaimer: Please test this solution before implementing it for your critical data.

 

Scenario:

This article explains step by step procedures to accomplish the requirements in Azure Storage using built in RBAC roles:

  1. Read/Download and write/upload operation for containers and blobs should be allowed for the users.
  2. Delete operations should be restricted.

 

Pre-Requisites:

  1. Azure Storage GPV2 / ADLS Gen 2 Storage account
  2. Make sure to have enough permissions(Microsoft.Authorization/roleAssignments/write permissions) to assign roles to users , such as Owner or User Access Administrator

Action:

You could follow the steps below to create a Storage Blob Data Contributor role with conditions using the Azure portal :

 

Step 1:

  • Sign-in to the Azure portal with your credentials.
  • Go to the storage account where you could like the role to be implemented/ scoped to.
  • Select Access Control (IAM)->Add-> Add role assignment:

     

    tech01.png

Step 2:

  • In Assignment type, select Job function roles and proceed to Role.

         tech02.png

  • On the Roles tab, select (or search for) Storage Blob Data Contributor and click Next.

animeshdas11_3-1680266792680.png

  • On the Members tab, select User, group, or service principal to assign the selected role to one or more Azure AD users, groups, or service principals.
  • Click Select members.

animeshdas11_4-1680266848325.png

  • Find and select the users, groups, or service principals.
  • You can type in the Select box to search the directory for display name or email address.
  • Please continue with Step 3 to configure conditions.

 

 

 

Step 3:

The Storage Blob Data Contributor provides access to read, write and delete blobs. However, we would need to add appropriate conditions to restrict the delete operations.

  • On the Conditions (optional) tab, click Add condition. The Add role assignment condition page appears:

animeshdas11_5-1680266938728.png

 

animeshdas11_6-1680266938737.png

 

 

  •  In the Add action section, click Add action.
  • The Select an action pane appears. This pane is a filtered list of data actions based on the role assignment that will be the target of your condition. Check the box next to Delete a blob, then click Select:

animeshdas11_7-1680266938747.png

  • In the Build expression section, click Add expression. The Expression section expands.
  • Specify the following expression settings:

Setting

Value

Attribute source

Resource

Attribute

Account Name

Operator

StringEquals

Value

name_of_a_storage_account_which_doesn't_exists

 

Important:

  • Please note that this section where you configure the expression settings is very crucial and can be done in many ways. In my scenario, I selected the above values in such a way, so that the expression evaluates to false and access is not allowed to the selected action(i.e to delete a blob). Here, in my case above, I gave a random name for the Value settings i.e Account Name that doesn’t exists at all, so the expression would ideally fail and this will help to restrict delete blob operation for selected member.
  • You can go ahead and configure it as per your desire in such a way that expression can be never true.

animeshdas11_8-1680266938756.png

  • On the Review + assign tab, click Review + assign to assign the role with the condition.
  • After a few moments, the security principal is assigned the role.

Please Note

Along with the above permission, I have given the user Reader permission at the storage account  level. You could give the Reader permission at the resource level/resource group level/subscription level too.

We mainly have Management Plane and Data Plane while providing permissions to the user.

Hence, it is important that you give minimum of ‘Reader’ role at the Management plane level to test it out in Azure Portal.

 

Step 4:

Test the condition (Ensure that the authentication method is set to Azure AD User Account and not Access key)

  • Upload blobs to blob storage container successfully.

animeshdas11_9-1680267229388.png

 

  • Download/Read blobs is successful.

animeshdas11_10-1680267229408.png

 

animeshdas11_11-1680267229419.png

  • Delete blobs from blob storage container causing the below failure.

animeshdas11_12-1680267229446.png

 

 

Note: The above solution only helps in protecting deletions of blob in container and doesn’t protect against deletion of containers.

 

If you would like to add the restriction of container deletion as well, you can explore options like acquiring a lease on the container/containers along with the above implementation.

 

Please refer Lease Container (REST API) - Azure Storage | Microsoft Learn , Manage blob containers using the Azure portal - Azure Storage | Microsoft Learn for acquiring lease over the container.

 

Conclusion:

 

You can use ABAC conditions for allowing/restricting other data actions as well based on your use case scenarios.

 

 

Related documentations:

 

  1. You can also refer to the technical blog- Custom RBAC role in Azure Storage to perform upload / download operation & restrict delete operation... which talks about using custom role at resource group level/subscription level /management group level to perform read and write operations but restrict delete operations.
  2. What is Azure attribute-based access control (Azure ABAC)? | Microsoft Learn
  3. Azure built-in roles - Azure RBAC | Microsoft Learn
  4. Tutorial: Add a role assignment condition to restrict access to blobs using the Azure portal - Azure...

 

Hope this helps!

 

Co-Authors
Version history
Last update:
‎Mar 31 2023 06:48 AM
Updated by: