Read Only Access to Azure Storage Account Blob Containers via Azure CLI?


Hi, is it currently possible to to provide read only access to Azure Storage Account blob containers via Azure CLI? It appears that once you connect to Azure via Azure CLI, it is just using the Storage Account's access key for all operations against the container, regardless of the RBAC rights associated with the SP I connect with.


Hi @unixdespair, good night.


You can set the IAM Role for the user at the container level; if you set the Reader role, this user will only be able to read the blobs inside your storage account, and with it you minimize the access to just a specific container.
However, if the user has one of the storage account keys (Key1 or Key2) of your storage account, this user can do everything in this storage account until the storage access keys have been regenerated. It's quite important not to share the access keys; I don't know if it's the case, but you could use a SAS (shared access signature).

I hope it can help you.

Unfortunately that's not how Azure CLI works currently. I did find the actual solution though in this case. You need to assign Reader and the preview Storage Blob Data Reader role, then enable preview features in Azure CLI with:

az extension add -n storage-preview

Then, add "--auth-mode login" to your az storage commands after logging in with the SP that has only read-only rights.


As shipped, Azure CLI interactions with storage accounts are always using the account keys.
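The sequence described in this answer, written out as an added example that is not part of the original thread: assign Storage Blob Data Reader to the service principal scoped to one container (the ARM resource ID of the container, not the whole account) and list the container with --auth-mode login so the CLI authorizes with the signed-in identity's RBAC rights rather than the account key. All subscription, resource group, account, container and principal values are placeholders; with current Azure CLI releases --auth-mode login is built in and the storage-preview extension is no longer required.

```shell
#!/usr/bin/env sh
# Added example (not the thread's own code): least-privilege read access to
# ONE blob container for a service principal, then a listing over RBAC.
set -e

# Placeholder values; override from the environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stexample}"
CONTAINER="${CONTAINER:-logs}"
SP_OBJECT_ID="${SP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# ARM resource ID of a single container. Using it as the role-assignment
# scope limits the data-plane grant to that container, not the account.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER"
}

# Data-plane read role scoped to the container. The control-plane "Reader"
# role the answer mentions is assigned separately at the account level.
role_assignment_cmd() {
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "Storage Blob Data Reader" --scope %s' \
    "$SP_OBJECT_ID" "$(container_scope)"
}

# --auth-mode login makes the CLI use the signed-in identity's RBAC rights
# instead of silently fetching and using the storage account key.
blob_list_cmd() {
  printf 'az storage blob list --account-name %s --container-name %s --auth-mode login --output table' \
    "$STORAGE_ACCOUNT" "$CONTAINER"
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "$1"; else eval "$1"; fi; }

main() {
  run "$(role_assignment_cmd)"
  run "$(blob_list_cmd)"
}

main
```

Run with DRY_RUN=0 after `az login --service-principal` as the read-only principal; a listing attempt without --auth-mode login falls back to the account key and will succeed or fail on key access rather than on the RBAC assignment.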