How to properly setup impersonation in Azure?

Andrei Harbunou 0 Reputation points
2024-03-19T21:35:25.1766667+00:00

Hi! I'm new to Azure and struggling to find solution to properly setup impersonation for the following use case.

Problem I'm trying to solve is pushing data to a Storage that belong to a different accounts where I have no access. It can be hundreds accounts/storages I need to work with.

The problem has the following constraints:

  1. I can't ask for target account credentials and I can't share credentials for my account with other account managers. However, I can provide steps for account managers so they can allow impersonation.
  2. I don't need to run a VM inside Azure. (I can potentially relax on this one if there is no other way)

In order to illustrate it better, this is how above problem can be solved with other cloud providers:

AWS:

  1. I create a role on my side. let's call it MyRole.
  2. Account manager creates a role that can access a bucket on their side. let's call it TargetRole
  3. Account manager creates trusted relationship between MyRole and TargetRole, so that I can use MyRole to call AssumeRole API and get temp credentials for TargetRole and access the bucket.

GCP:

  1. I create service account on my side. let's call it MyServiceAccount.
  2. Account manager creates a service account that can access a bucket on their side. let's call it TargetServiceAccount
  3. Account manager grants MyServiceAccount access to impersonate TargetServiceAccount. Now I can use MyServiceAccount to call impersonation API and get temp credentials for TargetServiceAccount and access the bucket.

What would be the right way to implement above scenario in Azure?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,158 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marcin Policht 24,120 Reputation points MVP
    2024-03-19T22:38:43.5733333+00:00

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.