To give access to Azure Blob Storage with secure authentication, you need to understand the authentication methods available. Microsoft Entra ID (formerly Azure Active Directory, AAD) is the recommended method for authorizing access to blob data, because it ties every request to an identity and an Azure RBAC role assignment rather than to a shared secret.
Microsoft Entra ID issues OAuth 2.0 access tokens (and supports OpenID Connect for interactive sign-in). A client obtains a token for the Azure Storage resource and presents it to Blob Storage, which enforces the caller's role assignments on each operation.
Azure also supports Shared Access Signatures (SAS), which grant limited, time-bounded access to specific containers or blobs without handing out the account key. A SAS signed with the account key is only as secure as that key, so for applications prefer a user delegation SAS, which is signed with Microsoft Entra credentials instead.
Azure Blob Storage Permissions
To give access to Azure Blob Storage, you need to understand the permissions involved. The permissions needed to reach blob data from the Azure portal depend on how you authorize the operation, and in most cases authorization goes through Azure role-based access control (Azure RBAC).
For Microsoft Entra authorization you need a role that grants blob data access, such as Storage Blob Data Contributor or Storage Blob Data Reader. For access via the account key you need a role that can list the account keys, such as Reader and Data Access.
You can use Microsoft Entra credentials to access blob data in the Azure portal, but this requires two things: a role that grants blob data access, and an Azure Resource Manager role such as Reader, because the portal must read the storage account resource before it can list its containers.
To grant an application access, assign the built-in Storage Blob Data Contributor role to its service principal on the storage account (or, for tighter scope, on a single container). Assign Storage Blob Data Reader instead when the application only needs to read.
Azure RBAC roles that provide permissions to create and manage storage accounts include the Microsoft.Storage/storageAccounts/write action. This includes roles like Azure Resource Manager Owner, Azure Resource Manager Contributor, and Storage Account Contributor.
To access blob data with the account access key, you need an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This can be a built-in or custom role, such as Reader and Data Access or Storage Account Contributor.
The permissions required to access blob data depend on the authorization method:
- Microsoft Entra account: a built-in or custom role that grants blob data access (for example Storage Blob Data Reader or Storage Blob Data Contributor), plus the Azure Resource Manager Reader role, both scoped to the storage account or higher.
- Account access key: a role that includes the Microsoft.Storage/storageAccounts/listkeys/action action, such as Reader and Data Access or Storage Account Contributor. Holding the key gives full access to every container in the account, so this path should be limited to administrators.
Authentication and Authorization
To give access to Azure Blob Storage, you need to understand the authentication and authorization process. This involves specifying how to authorize a blob upload operation, which can be done using Microsoft Entra credentials or the account access key.
You can specify the authentication type when uploading a blob from the Azure portal by expanding the Advanced section and selecting the authentication type in the Authentication Type field.
There are two main authorization methods in the portal: Microsoft Entra authorization and account access key authorization. Which one the portal uses by default is controlled by the storage account's "Default to Microsoft Entra authorization in the Azure portal" setting; the page's source states that Microsoft Entra is the default for a newly created account, and you can override it per operation to use the account access key if you hold the listkeys permission.
To access blob data from the Azure portal using your Microsoft Entra account, you need to be assigned a built-in or custom role that provides access to blob data and, at a minimum, the Azure Resource Manager Reader role, both scoped to the storage account or higher.
Here are the required roles:
- Built-in roles that support access to blob data
- Azure custom roles that grant access to storage account management resources
Note that the Reader role only grants view permissions to storage account resources, not data in Azure Storage.
Log In
For an application (rather than a user) to log in to Azure Storage with Microsoft Entra ID, you register an application in the Azure portal. The registration is an OAuth 2.0 client: it authenticates to Microsoft Entra, receives an access token for Azure Storage, and presents that token on each request.
To configure a client such as Printix to use Microsoft Entra for authentication, you provide the Application ID, the OAuth 2.0 Token Endpoint, and the Application Secret from the app registration you created. The registration's service principal must also be assigned a blob data role on the storage account; the token alone grants nothing.
You can also log in to Azure Storage using Azure Storage Explorer, which requires your Azure account credentials. Simply follow the prompts to enter your login information.
Here are the specific values you'll need to configure Azure Storage to use AAD authentication:
- Application ID - The application (client) ID of the app registration.
- OAuth 2.0 Token Endpoint - The tenant-specific v1.0 token endpoint, https://login.microsoftonline.com/<tenant-id>/oauth2/token, which the application calls to obtain an access token (or a refresh token).
- Application Secret - The client secret generated for the app registration. Treat it as a credential: store it in a secret store, keep it out of source control, and rotate it before it expires.
Active Directory Authentication
With these three values the application uses the OAuth 2.0 client credentials grant: it posts its Application ID and Application Secret to the token endpoint, requesting a token for the Azure Storage resource (https://storage.azure.com/), and sends the resulting bearer token in the Authorization header of its Blob Storage requests.
Authentication and authorization are separate steps. A valid token proves who the application is; what it may do is decided by the Azure RBAC roles assigned to its service principal on the storage account, such as Storage Blob Data Contributor. An application with a valid token but no data role is rejected with 403.
Get Account Credentials
The credentials the Azure portal uses for a blob operation depend on the authorization method you pick for it. By default the portal uses the current method, which may be your Microsoft Entra account or the account access key.
To choose explicitly when uploading a blob: navigate to the container, select Upload, expand the Advanced section, and select the authentication type you want.
To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This action is included in several built-in roles, such as Reader and Data Access, Storage Account Contributor, and Owner; the portal retrieves the key on your behalf and signs requests with it.
You can also use the Azure Resource Manager Owner role, which includes all actions, including the Microsoft.Storage/storageAccounts/listkeys/action. This role is equivalent to the classic subscription administrator roles Service Administrator and Co-Administrator.
To access Blob Storage using the REST API with the Shared Key scheme, you need the Account Name and an Account Key from the Azure portal. Because an account key grants full access to every container in the account and cannot be scoped, applications should instead present a Microsoft Entra bearer token or a SAS.
Configuring Access
To configure access to Azure Blob Storage, first determine the type of access you want to grant. Two separate settings control anonymous (public) read access: the storage account's anonymous access setting and each container's anonymous access level (Private, Blob, or Container). Anonymous reads succeed only when both permit them, so disallowing anonymous access at the account level prevents any container from being exposed by mistake.
To allow or disallow anonymous access for the storage account, you'll need to have permissions to create and manage storage accounts, specifically the Microsoft.Storage/storageAccounts/write action. This action is included in built-in roles such as the Azure Resource Manager Owner role, the Azure Resource Manager Contributor role, and the Storage Account Contributor role.
To grant permissions for using Azure Storage as a data source, you can use the built-in Storage Blob Data Contributor role by assigning roles for your storage account. This role grants the necessary permissions for accessing blob data.
Configure Cloud
To configure cloud access, you need to enable public access from selected virtual networks and IP addresses. This is usually done in step 9 of creating the storage account. If you've done this, you can proceed with configuring Printix to access your cloud storage.
The Azure Blob Storage cannot be in the same Microsoft Azure data center as your Printix Home. This is because Microsoft doesn't use public IP addresses for communication between Printix and the Azure Blob Storage when they are in the same data center.
To configure Printix to access your cloud storage, follow these steps:
- In the Microsoft Azure portal menu, select All Services.
- In the Storage category, select Storage accounts.
- Select the storage account you created.
- In the Firewall section, in Address range:
- Select Save to save your modifications.
Anonymous Access Permissions
Changing the anonymous access setting is a management operation on the storage account resource, so it is authorized by Azure RBAC management actions rather than by a blob data role. To allow or disallow anonymous access for a storage account, a user needs the Microsoft.Storage/storageAccounts/write action, which is the same permission needed to create and manage storage accounts. Built-in roles that include this action:
- Azure Resource Manager Owner role
- Azure Resource Manager Contributor role
- Storage Account Contributor role
These roles must be scoped to the level of the storage account or higher to permit a user to disallow anonymous access for the storage account. Restrict them to the administrative users who actually need to create storage accounts or update their properties, following the principle of least privilege: users should hold the fewest permissions needed for their tasks. Note that a data role such as Storage Blob Data Contributor does not include this action and therefore cannot change the setting, while a management role such as Contributor can change it without being able to read any blob data.
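The rules above (a blob data role plus Reader for portal access through Microsoft Entra, the listkeys action for the account key, the write action for the anonymous access setting, and scope inheritance from subscription down to container) are easy to get wrong when reviewing assignments. The following Python is an added example, not code from the original page or from Microsoft: it evaluates a constructed list of role assignments against abbreviated reconstructions of the built-in roles named on the page (assumption: the real role definitions carry more entries) and reports what each principal can do at the storage account scope. All principals, subscription, resource group and account names are made up.

```python
# Added example (not from the original page): evaluate Azure RBAC assignments
# the way the page describes them, answering three questions per principal:
# can it read blob data through Microsoft Entra in the portal, can it use the
# account key, and can it change the account's anonymous access setting.
from fnmatch import fnmatchcase

# Abbreviated built-in roles (assumption: trimmed to the entries relevant here).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": [], "data_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
        "data_actions": [],
    },
    "Reader": {"actions": ["*/read"], "not_actions": [], "data_actions": []},
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"], "not_actions": [], "data_actions": [],
    },
    "Reader and Data Access": {
        "actions": ["Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/listkeys/action"],
        "not_actions": [], "data_actions": [],
    },
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "not_actions": [],
        "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    },
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*"],
        "not_actions": [],
        "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
    },
}

# Operations the page ties to specific roles.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"  # data action
ACCOUNT_READ = "Microsoft.Storage/storageAccounts/read"  # assumption: what the portal's Reader requirement needs
LIST_KEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
ACCOUNT_WRITE = "Microsoft.Storage/storageAccounts/write"

def _matches(action, patterns):
    # Action names are case-insensitive; role patterns may contain '*'.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(assignment_scope, resource_scope):
    # An assignment applies to its own scope and everything beneath it.
    s = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def has_action(assignments, principal, action, resource_scope, data=False):
    kind = "data_actions" if data else "actions"
    for a in assignments:
        if a["principal"] != principal or not _in_scope(a["scope"], resource_scope):
            continue
        role = ROLES[a["role"]]
        if _matches(action, role[kind]) and not _matches(action, role.get("not_" + kind, [])):
            return True
    return False

def can_read_blobs_via_entra(assignments, principal, account_scope):
    # Portal access needs a blob data role AND a management-plane read on the account.
    return (has_action(assignments, principal, BLOB_READ, account_scope, data=True)
            and has_action(assignments, principal, ACCOUNT_READ, account_scope))

def can_use_account_key(assignments, principal, account_scope):
    return has_action(assignments, principal, LIST_KEYS, account_scope)

def can_change_anonymous_access(assignments, principal, account_scope):
    return has_action(assignments, principal, ACCOUNT_WRITE, account_scope)

# Constructed sample: scopes and assignments for a fictitious account "stdemo".
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo"
CONTAINER = ACCOUNT + "/blobServices/default/containers/logs"
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Storage Blob Data Reader", "scope": ACCOUNT},
    {"principal": "alice", "role": "Reader", "scope": RG},  # inherited by the account
    {"principal": "bob", "role": "Storage Blob Data Contributor", "scope": CONTAINER},  # too narrow
    {"principal": "carol", "role": "Storage Account Contributor", "scope": ACCOUNT},
    {"principal": "dave", "role": "Contributor", "scope": SUB},
]

def report(assignments=SAMPLE_ASSIGNMENTS, account_scope=ACCOUNT):
    return {p: {"entra_blob_read": can_read_blobs_via_entra(assignments, p, account_scope),
                "account_key": can_use_account_key(assignments, p, account_scope),
                "change_anonymous": can_change_anonymous_access(assignments, p, account_scope)}
            for p in sorted({a["principal"] for a in assignments})}

if __name__ == "__main__":
    for principal, caps in report().items():
        print(principal, caps)
```

Running it shows the asymmetry the page describes: alice (data role at the account plus Reader inherited from the resource group) can read blobs through Microsoft Entra but cannot touch the key or the anonymous access setting; carol and dave hold management roles that can list keys and change the setting yet grant no blob data access at all; bob's data role scoped to one container does not satisfy a check at the account scope, and even at the container he lacks the Reader role the portal requires.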
Using Azure Blob Storage
Azure Blob Storage is a powerful tool that can be used in a variety of ways. You can use it as a low-cost, durable backup and archive solution for data that is infrequently accessed.
Azure Blob Storage is also great for storing and serving media files such as images, videos, and audio. It supports streaming of large media files, making it ideal for applications that require high-bandwidth data transfer.
To access Azure Blob Storage, you can use the Azure Blob Storage REST API, which allows developers to programmatically access Blob Storage using HTTP/HTTPS requests. This can be useful for automating tasks or integrating Blob Storage with other applications.
Here are some examples of use cases for Azure Blob Storage:
- Backup and Archive
- Media Storage and Streaming
- Web Content Storage
- Big Data Analytics
- IoT Data Storage
- Disaster Recovery
- Machine Learning
- Distributed File System
Dataset Handling
Dataset handling is a crucial aspect of working with Azure Blob Storage as a data source. The dataset handling options control what happens to a dataset when the files or folders it points at change in storage, so review them to match how you manage the underlying data.
If you select the default option, datasets are automatically removed when their underlying files or folders are removed from Azure Storage. This is useful for temporary data or for clearing old datasets to free up space, but it also means that deleting blobs (whether deliberately or by a compromised principal with delete permission) silently removes the datasets built on them.
Using REST API
To access Azure Blob Storage programmatically, use the Azure Blob Storage REST API over HTTPS (leave the account's "Secure transfer required" setting enabled so plain HTTP is refused).
The first step is to construct the request URL by combining the Account Name, Container Name, and Blob Name: https://<account>.blob.core.windows.net/<container>/<blob>.
Every request then carries an Authorization header in one of two forms: SharedKey <account>:<signature>, where the signature is an HMAC-SHA256 over a canonical string of the request computed with the account key, or Bearer <token>, where the token is a Microsoft Entra access token for https://storage.azure.com/ (bearer requests also require an x-ms-version header of 2017-11-09 or later).
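The following Python is an added example, not code from the original page or from Microsoft, that builds the same GET Blob request both ways described above and in the Log In section: signed with the account key under the Shared Key scheme, and authorized with a Microsoft Entra bearer token obtained through the client credentials grant. Nothing is sent over the network; the account name, key, tenant and client identifiers are constructed placeholders, and the helper names are this example's own.

```python
# Added example (not from the original page): construct a GET Blob request
# authorized with the account key (Shared Key) and with a Microsoft Entra
# bearer token (client credentials grant).  Nothing is transmitted here.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

API_VERSION = "2020-10-02"  # bearer-token requests need 2017-11-09 or later

def blob_url(account, container, blob):
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"

def _canonicalized_headers(headers):
    # x-ms-* headers: lowercased names, sorted, one "name:value\n" per header.
    xms = sorted((k.lower().strip(), " ".join(v.split()))
                 for k, v in headers.items() if k.lower().startswith("x-ms-"))
    return "".join(f"{k}:{v}\n" for k, v in xms)

def _canonicalized_resource(account, url):
    # "/<account><path>" followed by sorted, lowercased query parameters.
    parts = urlsplit(url)
    params = {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(k.lower(), []).append(v)
    resource = f"/{account}{parts.path}"
    for k in sorted(params):
        resource += f"\n{k}:{','.join(sorted(params[k]))}"
    return resource

def shared_key_authorization(account, key_b64, method, url, headers, content_length=""):
    """Return (Authorization header value, string-to-sign) for the Shared Key scheme."""
    h = {k.lower(): v for k, v in headers.items()}
    # An empty body is signed with an empty Content-Length, not "0".
    length = "" if str(content_length) in ("", "0") else str(content_length)
    # Date is left empty when x-ms-date is sent, which is what this example does.
    date = "" if "x-ms-date" in h else h.get("date", "")
    string_to_sign = "\n".join([
        method.upper(),
        h.get("content-encoding", ""), h.get("content-language", ""), length,
        h.get("content-md5", ""), h.get("content-type", ""), date,
        h.get("if-modified-since", ""), h.get("if-match", ""),
        h.get("if-none-match", ""), h.get("if-unmodified-since", ""),
        h.get("range", ""),
    ]) + "\n" + _canonicalized_headers(headers) + _canonicalized_resource(account, url)
    key = base64.b64decode(key_b64)  # the account key is base64; sign with its raw bytes
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}", string_to_sign

def account_key_request(account, key_b64, container, blob, date_rfc1123):
    """GET Blob signed with the account key: the caller must hold the key itself."""
    url = blob_url(account, container, blob)
    headers = {"x-ms-date": date_rfc1123, "x-ms-version": API_VERSION}
    headers["Authorization"], _ = shared_key_authorization(account, key_b64, "GET", url, headers)
    return "GET", url, headers

def entra_token_request(tenant_id, client_id, client_secret):
    """v1.0 token endpoint and client-credentials form body for an Azure Storage token."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": "https://storage.azure.com/"}
    return endpoint, body

def entra_request(account, container, blob, access_token, date_rfc1123):
    """GET Blob with a bearer token: no account key; Azure RBAC decides at the service."""
    url = blob_url(account, container, blob)
    headers = {"x-ms-date": date_rfc1123, "x-ms-version": API_VERSION,
               "Authorization": f"Bearer {access_token}"}
    return "GET", url, headers

# Constructed demo values (not a real key, tenant or client).
DEMO_ACCOUNT = "stdemo"
DEMO_KEY = base64.b64encode(bytes(range(64))).decode()
DEMO_DATE = "Thu, 01 Jan 2026 00:00:00 GMT"

if __name__ == "__main__":
    print(account_key_request(DEMO_ACCOUNT, DEMO_KEY, "logs", "app.log", DEMO_DATE))
    print(entra_token_request("<tenant-id>", "<client-id>", "<client-secret>"))
    print(entra_request(DEMO_ACCOUNT, "logs", "app.log", "<access-token>", DEMO_DATE))
```

The contrast is the point: the Shared Key path requires the raw account key in the process that signs, and anyone who obtains that key can sign any request for any container. The bearer path keeps the secret (the client secret or a managed identity) with the token issuer, the token expires, and what it can do is bounded by the role assignment on the service principal.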
Frequently Asked Questions
How do I share Azure blob storage?
To share Azure blob storage with another organization through Azure Data Share, sign in to the Azure portal, navigate to your data share Overview page, and select Start sharing your data. From there you can add datasets, including Azure blob storage containers, to your share. To share with users or applications in your own tenant, assign an Azure RBAC data role or issue a SAS as described above instead.
Sources
- https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal
- https://www.smikar.com/how-do-i-access-blob-storage/
- https://docshield.tungstenautomation.com/Printix/en_US/help/admin/Printix_admin/t_how_to_add_azure_blob_storage.html
- https://docs.dremio.com/cloud/sonar/data-sources/azure-storage/
- https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure