Unable to get user delegation key with appservice, custom docker image, and user-managed id

Question

Hi,

I have a simple Java/Spring Boot application running in a custom Docker image on an App Serivce. One of the API of the app is to create a SAS token on a Blob container using User Delegation Key.

On my dev machine, the app is able to create a token using my Entra ID with no connection string or account key. There is no issue.

When deployed to App Service, the app has the following:

SPRING_CLOUD_AZURE_STORAGE_BLOB_CREDENTIAL_MANAGEDIDENTITYENABLED=true

The App Service is assigned a user managed id and the id is given access to the Blob Storage via RBAC Role Definition as an Storage Blob Owner on the Storage Account instance.

However, the call to get user delegation key fails with the following:

If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.`` ``If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.`` ``Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.`` ``Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.`` ``RequestId:f8f4bd01-101e-0053-2bed-896284000000`` ``Time:2024-04-08T19:50:14.8108467Z</Message></Error>"

I have checked multiple times on the role assignment. It looks fine.

This same app accesses a CosmosDB using the same managed id. There is no problem there.

Is this something supported? Or am I missing something? Can someone help?

Thanks.

Lei

Answer 1

@Lei Yang Because the Get User Delegation Key operation acts at the level of the storage account, the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action must be scoped at the level of the storage account, the resource group, or the subscription.

If the security principal is assigned any of the previously listed built-in roles, or a custom role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action, at the level of the storage account, the resource group, or the subscription, the security principal will be able to request the user delegation key.

If the security principal is assigned a role that permits data access but is scoped to the level of a container, you can additionally assign the Storage Blob Delegator role to that security principal at the level of the storage account, resource group, or subscription.

The Storage Blob Delegator role grants the security principal permissions to request the user delegation key.

For more information about RBAC roles for Azure Storage, see Authorize with Azure Active Directory.

Note that- The user delegation key can't be used to access Blob Storage resources directly.

You can use the user delegation key to create a user delegation SAS. Include the fields that are returned on the response to the Get User Delegation Key in the user delegation SAS token.

For more information, see Create a user delegation SAS.

Authorize requests to Azure Storage