Allow user-based access to Blob Containers (for support employees)
For auditing purposes and to prevent data corruption, we want to give our support employees user-centric, read-only access to Blob Containers in order to be able to investigate possible data corruption (caused by bugs in systems).
This is not possible now because the security architecture of Blob Service does not even know the concept of users or roles.
SAS is not a secure enough mechanism because it gives access to anyone just by sharing a link, and you can't track who's actually using it.
Thank you for your feedback. Currently we are in public preview of Azure Active Directory authentication for storage. This feature set allows you to use Azure’s role-based access control framework to grant specific permissions to users, groups and applications down to the scope of an individual blob container or queue. You can see the public preview announcement here: https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-aad-authentication-for-storage/
For any further questions, or to discuss your specific scenario, send us an email at firstname.lastname@example.org.
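What the container-scoped assignment described in the reply above looks like in practice, as an added example (not code from the original thread or from Microsoft). The subscription, resource group, storage account, container and group object ID are constructed placeholders; the role is referred to by its current name, Storage Blob Data Reader (the thread calls it "Storage Blob Data Reader (Preview)").

```shell
#!/usr/bin/env sh
# Added example: grant an Azure AD group read-only access to ONE blob container
# via Azure RBAC, then exercise it with the Azure CLI using AAD (not key) auth.
# All identifiers below are constructed placeholders, not values from the thread.
set -eu

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"        # placeholder
RESOURCE_GROUP="rg-prod-data"                                  # placeholder
STORAGE_ACCOUNT="stprodlogs001"                                # placeholder
CONTAINER="incident-dumps"                                     # placeholder
SUPPORT_GROUP_OBJECT_ID="11111111-1111-1111-1111-111111111111" # AAD group objectId, placeholder

# Build the ARM resource ID of a single container. A role assignment made at
# this scope applies to that container only, not to the whole storage account.
container_scope() {
  sub="$1"; rg="$2"; account="$3"; container="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$sub" "$rg" "$account" "$container"
}

# Data-plane role: list the container and read its blobs, nothing else.
# Assigning it to a group means joiners/leavers are handled in AAD, not in storage.
grant_reader() {
  scope="$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
  az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee-object-id "$SUPPORT_GROUP_OBJECT_ID" \
    --assignee-principal-type Group \
    --scope "$scope"
}

# Run as a member of the group. --auth-mode login sends the caller's AAD token
# instead of the account key, so the role assignment (not key possession)
# decides what is allowed and the caller's identity appears in storage logs.
verify_readonly() {
  az storage blob list \
    --account-name "$STORAGE_ACCOUNT" \
    --container-name "$CONTAINER" \
    --auth-mode login \
    --output table

  # The reader role carries no write action, so this upload must be refused
  # (AuthorizationPermissionMismatch). If it succeeds, the scope or role is too broad.
  probe="$(mktemp)"
  printf 'probe' > "$probe"
  if az storage blob upload \
       --account-name "$STORAGE_ACCOUNT" \
       --container-name "$CONTAINER" \
       --name probe.txt --file "$probe" \
       --auth-mode login >/dev/null 2>&1; then
    rm -f "$probe"
    echo "ERROR: write succeeded; assignment is broader than intended" >&2
    return 1
  fi
  rm -f "$probe"
  echo "write correctly denied"
}

case "${1:-}" in
  grant)  grant_reader ;;
  verify) verify_readonly ;;
  *)      echo "usage: $0 grant|verify" >&2 ;;
esac
```

Two practical notes. The data-plane role does not include Microsoft.Storage/storageAccounts/listkeys/action, so clients must be told to authenticate with AAD (here `--auth-mode login`); without that flag the CLI tries to fetch the account key and fails for a principal that holds only this role. And because requests are authenticated with the caller's own token rather than a shared key or SAS, the storage logs attribute each read to that identity, which is the auditability the original post asks for.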
Dillon Brown commented
The Storage Blob Data Reader (Preview) role needs to be able to see accounts/blobs in the portal. Shouldn't it have the Microsoft.Storage/storageAccounts/listkeys/action role to enable this?
It should support Azure AD B2C.
Best would be if custom domains were supported, along with forms authentication and the possibility of setting up a web "callback" used by the storage for validating a request.
Any news on the AD integration with Blob Storage containers?
Peter Schmatz - Microsoft commented
You cannot do this directly. One option would be to create a WebService with AAD/AD integration, which authenticates the user, and then reads/writes data to the Blob (you could hard-code the storage keys in the web app). Here’s another idea using Azure Key Vault: http://www.dushyantgill.com/blog/2015/04/26/say-goodbye-to-key-management-manage-access-to-azure-storage-data-using-azure-ad/
Ganesh Majeti commented
Do we have a way to tag specific AD users to be allowed to access a blob? If not, when can we expect this feature?
This seems to parallel https://feedback.azure.com/forums/217298-storage/suggestions/8587855-provide-acl-via-rbac-on-containers-and-logical-fol where it appears they are also asking down to the folder level. It would certainly be nice to go down to the virtual folder, but the container would be a good first step. Currently the closest option is "Contributor" at the account level, which opens way more rights to *all* storage under that account.
Vojtech Vit commented
It's actually also useful for our testers in environments they are not allowed to have write access to.
Shawn Cicoria commented
Should have the ability to apply RBAC on a container using the AAD group or principal and folders (logical) should support these same set of ACLs.
Enable OAuth 2.0 for Azure Storage Tables/Blobs