Possible to Generate File Share SAS with Managed Identity?

Jared Johnson 20 Reputation points
2023-02-03T20:01:48.0333333+00:00

We have been attempting to move most storage services access from our App Services to use Managed Identities with the appropriate minimum RBAC roles. For the Azure Files service it seems clear that direct Managed Identity access is not currently supported, e.g. https://learn.microsoft.com/en-us/answers/questions/412668/azure-web-app-to-azure-file-share-using-managed-id

Would it be possible for the Managed Identity to instead generate a SAS token for the service to be used, or would the generation of the token fall under the same constraints?

We want to avoid potential issues and maintenance that could arise from things like SAS token expiry and key rotation.


Accepted answer
TP 76,846 Reputation points
2023-02-04T10:00:35.3033333+00:00

Hi,

If I understand correctly, what you would like to do is not currently possible. Creating a service SAS for Azure Files requires the storage account key, since a user delegation SAS can only be used for Blob storage. Please see the documentation below for more information:

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#user-delegation-sas

If the above was helpful please click Accept Answer.

Thanks.

-TP

1 person found this answer helpful.
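As an added illustration of why the answer is what it is (this is not code from the question or the answer): a service SAS for Azure Files is an HMAC-SHA256 over the documented File-service string-to-sign, keyed with the decoded storage account key, so whatever mints the token must hold that key, and rotating the key invalidates every token it signed. The account name, share, path and both keys below are constructed placeholders, and the service version is an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo keys (base64, shaped like an account key); not real credentials.
DEMO_KEY_CURRENT = base64.b64encode(bytes(range(64))).decode()
DEMO_KEY_ROTATED = base64.b64encode(bytes(range(64, 128))).decode()
SAS_VERSION = "2021-12-02"  # service version placed in "sv"; assumed for the demo


def _string_to_sign(account, share, path, permissions, start, expiry, version):
    # Field order of the File service string-to-sign (service version 2015-04-05
    # and later). Optional fields left empty still contribute their newline.
    return "\n".join([
        permissions, start, expiry,
        f"/file/{account}/{share}/{path}",  # canonicalized resource
        "",                                 # signed identifier (access policy)
        "",                                 # signed IP range
        "https",                            # signed protocol
        version,
        "", "", "", "", "",                 # rscc, rscd, rsce, rscl, rsct
    ])


def _sign(account_key_b64, string_to_sign):
    # HMAC-SHA256 keyed with the *decoded* account key: whoever mints the token
    # must hold the key itself, which a managed identity never does.
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def file_service_sas(account, account_key_b64, share, path, permissions, start, expiry):
    """Return the SAS query string for one file, e.g. 'sv=...&sr=f&sp=r&...&sig=...'."""
    sig = _sign(account_key_b64,
                _string_to_sign(account, share, path, permissions, start, expiry, SAS_VERSION))
    return urlencode({"sv": SAS_VERSION, "sr": "f", "sp": permissions, "st": start,
                      "se": expiry, "spr": "https", "sig": sig})


def sas_valid_for_key(account, share, path, sas_query, account_key_b64):
    """Recompute the signature with a given key; False once that key is rotated."""
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    expected = _sign(account_key_b64, _string_to_sign(
        account, share, path, q["sp"], q.get("st", ""), q["se"], q["sv"]))
    return hmac.compare_digest(expected, q["sig"])
```

The second function is what the storage service effectively does on every request, which is why a key rotation (or a leaked key) affects all outstanding tokens at once rather than one identity.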