Accessing the ADLS Gen 2 Storage account using service principal having OAuth RBAC roles or ACL permissions via REST API.
Pre-requisites for Azure AD OAuth RBAC role:
1. To call the REST API with a service principal that holds an OAuth RBAC role on the ADLS Gen2 storage account, you first need to generate a bearer token using the tenant ID, client ID and client secret. For more details on generating the bearer token, refer to this article.
Everything discussed in the above article still applies when generating the bearer token; the following changes are needed when generating it:
Example: For read-only access to the storage account itself and read, write and delete access to the data, assign the management role "Reader" at the storage account level and the data role "Storage Blob Data Contributor" either at the storage account level or at the filesystem level.
RBAC role demo:
Once you have followed the above steps, you can make the REST API call with the following headers:
Sample REST API call to list the filesystems of an ADLS Gen2 storage account using the RBAC permissions of the service principal:
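The following is an added example (not code from the original article) that carries the RBAC flow above through in Python's standard library: it builds the client-credentials token request with the Azure Storage audience, extracts the token, and builds the list-filesystems call against the DFS endpoint with the `Authorization`, `x-ms-version` and `x-ms-date` headers. The token endpoint, the `https://storage.azure.com/.default` scope, the `?resource=account` listing URL and the `2018-11-09` API version are real values; the tenant, client and account names are placeholders.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime

TOKEN_AUTHORITY = "https://login.microsoftonline.com"
# The bearer token must be issued for the storage audience, not for Graph or ARM;
# a token with the wrong audience is rejected with 401 even if the RBAC role is correct.
STORAGE_SCOPE = "https://storage.azure.com/.default"
DFS_API_VERSION = "2018-11-09"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request (OAuth 2.0 v2 endpoint) for a storage-scoped bearer token."""
    url = f"{TOKEN_AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def extract_access_token(token_response_bytes):
    """Pull access_token out of the token endpoint's JSON, failing loudly on an error payload."""
    payload = json.loads(token_response_bytes)
    if "access_token" not in payload:
        raise RuntimeError(f"token request failed: {payload.get('error')}: "
                           f"{payload.get('error_description')}")
    return payload["access_token"]


def dfs_headers(token, now=None):
    """Headers every DFS data-plane call needs; x-ms-date must be RFC 1123 in GMT."""
    now = now or datetime.now(timezone.utc)
    return {
        "Authorization": f"Bearer {token}",
        "x-ms-version": DFS_API_VERSION,
        "x-ms-date": format_datetime(now, usegmt=True),
    }


def build_list_filesystems_request(account, token, now=None):
    """GET https://{account}.dfs.core.windows.net/?resource=account lists the filesystems."""
    url = f"https://{account}.dfs.core.windows.net/?resource=account"
    return urllib.request.Request(url, method="GET", headers=dfs_headers(token, now))


def parse_filesystem_names(response_bytes):
    """The listing response is JSON: {"filesystems": [{"name": ..., "lastModified": ..., "etag": ...}]}."""
    return [fs["name"] for fs in json.loads(response_bytes).get("filesystems", [])]


def send(req):
    """Perform the request; return the body for both success and HTTP error responses."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"HTTP {err.code} from {req.full_url}: {err.read()[:300]!r}") from err


if __name__ == "__main__":
    # Placeholder values; the secret is read from the environment rather than hard-coded.
    tenant = os.environ.get("AZ_TENANT_ID", "<tenant-id>")
    client_id = os.environ.get("AZ_CLIENT_ID", "<client-id>")
    client_secret = os.environ.get("AZ_CLIENT_SECRET", "<client-secret>")
    account = os.environ.get("ADLS_ACCOUNT", "<account>")
    token_req = build_token_request(tenant, client_id, client_secret)
    print("POST", token_req.full_url)
    if not client_secret.startswith("<"):  # only go to the network with real values
        token = extract_access_token(send(token_req))
        print(parse_filesystem_names(send(build_list_filesystems_request(account, token))))
```

The listing call succeeds only when the service principal holds a data role such as Storage Blob Data Reader or Contributor; the management-plane "Reader" role alone is not enough for the data plane, which is why the article pairs the two.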
Pre-requisites for configuring ACLs for ADLS Gen2:
You can assign ACLs to filesystems, directories and files, but you need to make sure the user or service principal has at least Execute (X) permission on the filesystem and on every directory in the path to the target. More details on ACLs in ADLS Gen2 can be found here.
In this case, you don't need the 'Reader' role on the storage account to perform data operations on the filesystems and directories. However, if the user wants to access the data via a client such as Storage Explorer, install it and make sure you have granted the user the 'Reader' role at the storage account level so the client can list the filesystems.
Note: If both RBAC and ACLs are assigned to the same user, RBAC takes precedence over ACLs and the ACL check is not performed.
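As an added example (not part of the original article), the following Python models the authorisation order the ACL section and the note describe: a data role is consulted first and, when it grants the operation, ACLs are not evaluated; otherwise the caller needs X on the filesystem and on every intermediate directory, then the operation's own bit on the target. The role names are real Azure roles; the role-to-operation mapping is simplified, and the paths, principal name and ACL entries are constructed for the demonstration.

```python
# Data roles named in the article and the operations assumed here that they grant.
# "Reader" is a management-plane role, so it grants no data operation at all.
RBAC_DATA_ROLES = {
    "Storage Blob Data Reader": {"read", "list"},
    "Storage Blob Data Contributor": {"read", "list", "write"},
}

# ACL bit(s) the target itself must carry for each operation:
# reading a file needs r, writing needs w, listing a directory needs r and x.
REQUIRED_BITS = {"read": "r", "write": "w", "list": "rx"}


def ancestors(path):
    """'fs/dir/file.txt' -> ['fs', 'fs/dir']: the filesystem plus every directory above the target."""
    parts = path.strip("/").split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def is_allowed(principal, roles, acls, path, op):
    """Return (allowed, reason).

    roles: RBAC data roles held by the principal.
    acls:  {path: {principal: 'rwx'-style string}}; a missing entry means '---'.
    """
    # 1. RBAC first; a granting data role short-circuits the ACL walk entirely.
    granted = set().union(*(RBAC_DATA_ROLES.get(r, set()) for r in roles))
    if op in granted:
        return True, "granted by RBAC data role (ACL not evaluated)"

    def bits(p):
        return acls.get(p, {}).get(principal, "---")

    # 2. Execute on the filesystem and every directory on the way down.
    for parent in ancestors(path):
        if "x" not in bits(parent):
            return False, f"missing execute on '{parent}'"
    # 3. The operation's own bit(s) on the target.
    for bit in REQUIRED_BITS[op]:
        if bit not in bits(path):
            return False, f"missing '{bit}' on '{path}'"
    return True, "granted by ACL"


# Constructed scenario for the read-only case: the service principal gets only X on
# the filesystem and the directory, and R on the single file it is allowed to read.
SAMPLE_ACLS = {
    "datafs": {"sp-readonly": "--x"},
    "datafs/reports": {"sp-readonly": "--x"},
    "datafs/reports/q1.csv": {"sp-readonly": "r--"},
}

if __name__ == "__main__":
    for op in ("read", "write"):
        print(op, is_allowed("sp-readonly", set(), SAMPLE_ACLS, "datafs/reports/q1.csv", op))
    print("list", is_allowed("sp-readonly", set(), SAMPLE_ACLS, "datafs/reports", "list"))
    print("read via RBAC", is_allowed("sp-readonly", {"Storage Blob Data Reader"}, {},
                                      "datafs/reports/q1.csv", "read"))
```

The X-only entries on the filesystem and directory are what make the scenario least-privilege: the principal can traverse to the file but cannot list the directory or read its siblings, which is why the ACL walk checks execute on the ancestors separately from read on the target.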
ACL demo for ADLS Gen 2:
Consider the scenario below, where the service principal needs only read-only access to the file:
You can make the REST API call with the following headers:
Sample REST API call for reading the file:
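The following added example (not code from the original article) builds the read-file call for the read-only ACL scenario above and interprets the outcome. The `GET https://{account}.dfs.core.windows.net/{filesystem}/{path}` URL, the `Range` header for a partial read and the `AuthorizationPermissionMismatch` error code are real; the account, filesystem, path and token values are placeholders, and the error body in the usage is a constructed sample.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime

DFS_API_VERSION = "2018-11-09"


def dfs_headers(token, now=None):
    """Headers every DFS data-plane call needs; x-ms-date must be RFC 1123 in GMT."""
    now = now or datetime.now(timezone.utc)
    return {
        "Authorization": f"Bearer {token}",
        "x-ms-version": DFS_API_VERSION,
        "x-ms-date": format_datetime(now, usegmt=True),
    }


def build_read_file_request(account, filesystem, path, token, byte_range=None, now=None):
    """GET /{filesystem}/{path} on the DFS endpoint; byte_range=(start, end) asks for a partial read."""
    url = f"https://{account}.dfs.core.windows.net/{filesystem}/{urllib.parse.quote(path)}"
    headers = dfs_headers(token, now)
    if byte_range is not None:
        start, end = byte_range
        headers["Range"] = f"bytes={start}-{end}"
    return urllib.request.Request(url, method="GET", headers=headers)


def classify_failure(status, body_bytes):
    """Map an error status (and the DFS JSON error code, if any) to which layer rejected the call."""
    try:
        code = json.loads(body_bytes)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        code = None
    if status == 401:
        return "token rejected: expired, malformed, or issued for the wrong audience", code
    if status == 403:
        return ("identity authenticated, but neither an RBAC data role nor the ACL chain "
                "(X on filesystem and directories, R on the file) grants this read"), code
    if status == 404:
        return "filesystem or path not found", code
    return f"unexpected HTTP {status}", code


def read_file(req):
    """Perform the read; returns (status, body) for both success and HTTP error responses."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Placeholders; substitute a real storage-scoped bearer token to run against an account.
    req = build_read_file_request("<account>", "<filesystem>", "reports/q1.csv", "<token>",
                                  byte_range=(0, 1023))
    print("GET", req.full_url, dict(req.header_items()))
    # Constructed sample of the body a 403 carries when the ACL walk fails:
    sample_403 = b'{"error":{"code":"AuthorizationPermissionMismatch","message":"..."}}'
    print(classify_failure(403, sample_403))
```

A 403 with `AuthorizationPermissionMismatch` on a path the principal can read in Storage Explorer is the usual symptom of a missing X bit on one of the intermediate directories rather than on the file itself, so that is the first place to look before touching the RBAC assignment.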