This is a simple example of:

  • Creating an Azure Active Directory (AD) group
  • Assigning a role to allow the AD group read/write/delete access to one specific Azure Storage Blob container
  • Using the az cli as a user in the AD group to manage blobs in the container

The Least Privilege Model

If you’re here, it is because you understand the importance of the least privilege model, so you’ve decided to forgo simply assigning all your Azure developers the very wide-open Contributor role. Following the “least privilege model” is one of the best security measures you can practice as an organization.


Hi Matt, thanks for posting this. I found that you can do it all with terraform, i.e. without needing the func command. Here's some extra TF that will:

1. zip up the entire app function's local directory

2. push the zip to a storage container

3. tell Azure App Services to grab the function from the storage container (using the `WEBSITE_RUN_FROM_PACKAGE` app setting)

The zip only happens when something under the function's local directory has changed.

```
locals {
  my_function_dir_path = "${path.module}/../../../my-function-app"
  zip_output_path      = "${path.module}/my-function-app.zip"
}

# zip up the app
data "archive_file" "my_function_zip" {
  type       = "zip"
  source_dir = …
```


Secrets Manager is an AWS service that lets you securely store passwords, keys, tokens, and other sensitive data. By using Secrets Manager, you can level up your secrets management game with scheduled rotation, fine-grained access control through IAM, and auditing.

If you’re running Kubernetes, your applications need a way to retrieve these secrets from Secrets Manager. Unfortunately, there is currently no native integration between AWS Secrets Manager and EKS (or Kubernetes in general).

So, here are a few ways to get your application access to the secrets it needs. …

Jason Ashby

DevOps Engineer @ Athos
