![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 97%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYM%3C/text%3E%3C/svg%3E)
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,192 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 6%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
Hi Manu,
The trick is to run Terraform with two provider blocks—one pointing at the AKS subscription (where the principal lives) and a second, aliased provider that points at the storage-account subscription (where the scope lives).
- Declare the default provider for the AKS subscription, then add
provider "azurerm" { alias = "storage" subscription_id = var.storage_subscription_id … }. - Read the identities you need (
data "azurerm_kubernetes_cluster" "aks"to grabkubelet_identity[0].object_idfor a managed-identity cluster). - Look up the storage account through the storage provider (
data "azurerm_storage_account" "sa" { … provider = azurerm.storage }). - Create the cross-subscription role assignment with that same provider alias so the request lands in the storage subscription:
resource "azurerm_role_assignment" "aks_blob_reader" { scope = data.azurerm_storage_account.sa.id # /subscriptions/<B>/resourceGroups/…/storageAccounts/… role_definition_name = "Storage Blob Data Reader" principal_id = data.azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id provider = azurerm.storage # <— executes against sub-B }
Terraform just needs whoever is running it to hold User Access Administrator or Owner on the storage subscription; the principal ID can come from any other subscription in the same tenant without extra setup. Behind the scenes this does the same thing you’d get in the CLI—az role assignment create --assignee <aks-object-id> --role "Storage Blob Data Reader" --scope /subscriptions/<sub-B>/…—only expressed as code so it lives in state and can be destroyed later.
- terraform apply, and AKS now has read access to blobs even though the account sits in a different subscription. (Cross-subscription role assignments are valid as long as both subscriptions share the same Microsoft Entra tenant.)
Best Regards,
Jerald Felix
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 24%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)