How to get the url of an uploaded blob using user-assigned managed identities?

Question

How to get the url of an uploaded blob using user-assigned managed identities?

carom-9728 21

I am running a function app that it gets triggered when an item of specific type is uploaded to a storage account, and it processes the item uploaded to it.

A function I wrote needs the url to the blob as an input.

Before I was passing the url as shown below, and it worked.

https://<storage-account-name>.blob.core.windows.net/<path-to-file-location>/<name-of-uploaded-file>?<sas-token>

Now, I want to use user-assigned managed identities to access the blob. I can successfully create the credential and service to the blob.
- The user-assigned managed identity and the Function App have been given Storage Blob Data Contributor permissions on the storage account used.
- What would the url I need to pass to my function should look like? If I pass only the below, it does not work.

https://<account-name>.blob.core.windows.net/<path_to_file_location>/<name_of_uploaded_file>

My question:

How should I pass the url to the uploaded item to the function, if I am using user-assigned managed identities / shouldn't need a sas token anymore?

1 answer

Your answer

Answer 1

Andriy Bilous 11,821 MVP Volunteer Moderator

Hello @carom-9728

You can use Managed Identity to link Azure Function with Azure Blob storage. You need to enabled Managed Identity in Azure Functions and give it permissions in Azure Storage Account(select the role “Storage Blob Data Contributor” for example).
http://www.klaushaller.net/?p=1312

After that you will be able to download file in code(.Net example):

    var myBlobUrl = " https://<account-name>.blob.core.windows.net/<path_to_file_location>/<name_of_uploaded_file>";  
    BlobClient bc = new BlobClient(new Uri(myBlobUrl), myCredentials);  

    log.LogInformation("**2**");  

    BlobDownloadResult downloadResult = await bc.DownloadContentAsync();  
    string downloadedData = downloadResult.Content.ToString();

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage

carom-9728 21 Reputation points

2022-12-08T15:20:31.01+00:00
Hi @Andriy Bilous

These are the permissions given:

Managed Identity: Storage Blob Data Contributor role in Azure Storage

Managed Identity: Enabled in Azure Function App

Managed Identity: Contributor role in Azure Function App

Azure Function App: Storage Blob Data Contributor role in Azure Storage

And this is how I create the client and credential:

userAssignedClientId = "my_MI_ID_string" account_url = "https://<my_storage_account_name>.blob.core.windows.net" default_credential = DefaultAzureCredential(managed_identity_client_id=userAssignedClientId) blob_service_client_origin = BlobServiceClient(account_url=account_url, credential=default_credential)

As I mentioned on my original post, I wrote a function that expects the path to the object uploaded.

If I pass the uri of the file uploaded as below, it fails:

https://<account-name>.blob.core.windows.net/<path_to_file_location>/<name_of_uploaded_file>

However if I pass the uri as below (as I was doing with sas tokens) the code runs successfully.

https://<account-name>.blob.core.windows.net/<path_to_file_location>/<name_of_uploaded_file>?<sas-token>

Any idea what am I doing wrong? I want to avoid generating SAS tokens for the code to run

Share via

How to get the url of an uploaded blob using user-assigned managed identities?

1 answer

Your answer