This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 76%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
Hi! I'm new to Azure and struggling to find solution to properly setup impersonation for the following use case.
Problem I'm trying to solve is pushing data to a Storage that belong to a different accounts where I have no access. It can be hundreds accounts/storages I need to work with.
The problem has the following constraints:
In order to illustrate it better, this is how above problem can be solved with other cloud providers:
AWS:
GCP:
What would be the right way to implement above scenario in Azure?
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Use the valet key pattern
More at https://learn.microsoft.com/en-us/azure/architecture/patterns/valet-key and
https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/storage
hth
Marcin
@Marcin Policht Thanks for quick response!
Please correct me if I'm wrong.
Based on the docs you provided valet key pattern looks like that for my use case:
if my understanding is right this would be too complex to setup on client side. I'm looking for a solution with minimal setup on target account but I'm ok with more complexity on my (source) side.
Is there a way to have a setup similar to AWS AssumeRole/GCP impersonation? Like using Managed Identity or similar kind of entity on both side and granting required access?
This is not set up on the client side. This is set up within a broker service - which serves as an intermediary between the client and the backend service
hth
Marcin
I'm a little bit confused now. I see how valet key pattern can be useful when there are a lot of client apps that need to upload data to a storage.
But I'm struggling to apply this concept on my use case as I need to upload data from one place to multiple target storages.
Let's assume:
Could you please help me with the following questions:
hth
Marcin
@Marcin Policht Thanks for your suggestions.
I still have a lot of questions as I'm new to Azure.
Is it possible to setup a zoom call with you and go over my questions?
Hi Andrei,
if you have any additional questions, then mark this question as answered and post another one on the forum
hth
Marcin
All my questions related to the same problem. I just need more details about suggested solution as I still don't see a full picture.
Could you provide more details on how target account grants permission to access storage/keys in vault by a Function created in my account? It would be great of you can provide step by step guide.
All my questions related to the same problem. I just need more details about suggested solution as I still don't see a full picture.
Could you provide more details on how target account grants permission to access storage/keys in vault by a Function created in my account? It would be great of you can provide step by step guide.