The next layer of protection ensures the person or application trying to access the data is authorized to. There are several different mechanisms in which to achieve this.
RBAC
Using RBAC, we can ensure a user or other type of identity (such as a managed identity or service principal) is authorized to perform a task on that data. We covered RBAC in detail in Chapter 4, Managing User Authorization, and we looked at managed identities and service principals in Chapter 6, Building Application Security.
Individual users, groups, or identities can be assigned roles like any other Azure resource, and there are several built-in roles that are available specifically for storage accounts – these include the following:
- Storage Account Contributor
- Storage Blob Data Contributor
- Storage Blob Data Owner
- Storage Blob Data Reader
- Storage Queue Data Contributor
- Storage Queue Data Reader
There are others too, and the complete list, along with the details for each role, can be found at https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage.
The key thing to understand about these roles is that the data and queues are separate from the account’s management. To view the storage account at all, a user must have the general Reader role in place. In order to manage the account, they must have at least the Storage Account Contributor role, but this does not automatically grant access to the data or queues within the accounts. Instead, these have specific blob data and queue data roles.
RBAC only comes into play with storage blob containers if containers and folders within those containers are set to private access levels. When you create a container in a storage account, you must set the access level. The options are as follows:
- Private (no anonymous access): Full RBAC is in play to control who can access an account.
- Blob (anonymous read access for blobs only): With this set, you can provide a direct link to a file in the container, and a user can access a file for reading without needing to authenticate.
- Container (anonymous read access for containers and blob): This is similar to Blob, but users can enumerate files in a container without needing to authenticate.
Access can be set at the container level or the folder level; however, be aware of setting a container to use Blob or Container access only affects whether an authenticated user can read or write the data based on an assigned role; you also need to allow access in the network level settings.
RBAC controls are not the only way to provide access to storage accounts – we can also use a Shared Access Signature (SAS).
Leave a Reply