Connection String for Accessing Storage With a Managed Identity

Question

When connecting to a storage account with an app service managed identity, DefaultAzureCredential can be used as described here.

This has however some downsides for development, such as the need to assign RBAC roles for each developer accessing storage or login when running the app.

Is there a special connection string for connecting to blob storage with a managed identity encapsulating the logic that DefaultAzureCredential provides?

My thinking is, if I could connect the same way from a local PC (connection string with the access key stored in Visual Studio user secrets) as well as in Azure (connection string with managed identity) the problem would go away. So I'm looking for something similar to the SQL connection string Server=demo.database.windows.net; Authentication=Active Directory Managed Identity; Database=testdb but for blob storage.

Answer 1

@matalheart-802 Here are some authorization methods used for Storage in Azure.

Shared Key authorization for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see Authorize with Shared Key.

Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Azure AD or a user delegation SAS to authorize requests for data in that storage account. For more information, see Prevent Shared Key authorization for an Azure Storage account.

Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only. For more information, see Using shared access signatures (SAS).

Azure Active Directory (Azure AD) integration for authorizing requests to blob, queue, and table resources. Microsoft recommends using Azure AD credentials to authorize requests to data when possible for optimal security and ease of use. For more information about Azure AD integration, see the articles for either blob, queue, or table resources.

You can use Azure role-based access control (Azure RBAC) to manage a security principal's permissions to blob, queue, and table resources in a storage account. You can also use Azure attribute-based access control (ABAC) to add conditions to Azure role assignments for blob resources.

Based on your ask, I think Shared access signature would be what you may be looking for- https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#user-delegation-sas

User delegation SAS
A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

Service SAS
A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

Account SAS
An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

Does this answer your question? If not, please do let me know and I can suggest further. Thank you!

Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.