Allowing access to a specific Azure Storage Container

This is a simple example of:

• Creating an Azure Active Directory (AD) group
• Assigning a role to allow the AD group read/write/delete access to one specific Azure Storage Blob container
• Using the az cli as a user in the AD group to manage blobs in the container

The Least Privilege Model

If you’re here, it is because you understand the importance of the least privilege model, so you’ve decided to forego just assigning all your Azure developers the very wide-open Contributor role. Following the “least privilege model” is one of the best security measures you can practice as an organization. Best Practices for Azure RBAC sums it up nicely:

…it’s a best practice to grant users the least privilege to get their work done. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. When creating custom roles, only include the permissions users need. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised.

Create an AD Group

Navigate to Azure AD and create an AD group of type Security. I’ve called minebackend-developers, and added myself as an Owner and some users as members.

Assign a Role to a Resource

I’ve created a new Azure Storage container for the purpose of this example called dev-files

Now I want to allow my backend-developers group to have read/write/delete access to the container and all of the blobs inside.

1. Click the container and select Access Control (IAM), then click Add role assignment

2. Search and select the built-in role called Storage Blob Data Contributor and click Next.

Your level of access depends entirely on your own company’s needs. If a built-in role doesn’t fit your needs, your can create a Custom Role.

3. Select the Members to assign this role to. For this example, it’s our backend-developers group:

4. Hit Next, then hit Next again to skip the Condition section (since we don’t have any custom condition to set),

5. Hit OK/Done on the Review + Assign screen to finish applying the role.

Using the Azure CLI to access a container

To download multiple blobs from the dev-filescontainer that match a pattern with the prefix somefile- and save them to a local directory under /Users/me/.dev-files :

az login # as user in the backend-developers group
az storage blob download-batch \
    --auth-mode login \
    --subscription my-subscription \
    -d /Users/me/.dev-files \
    --pattern "somefile-*" \
    -s "dev-files"
    --account-name mystorageacct

One of the “gotchas” I hit when setting this up was getting a 404 error:

The specified resource does not exist. ErrorCode: ResourceNotFound

The solution was to set --auth-mode login so the az cli authenticates against AD which allows it to realize the AD roles assigned to the user (via the AD group they are in) making the request. The default is --auth-mode key , where the az cli will instead use the account access key for storage operations, which will not work in this scenario. See docs on this for background.

Thanks and if any thoughts or questions, drop them in a comment!