Use DenyAssignments via Deployment Stack to restrict read access to specific container

Schmitz, Simon 40 Reputation points
2024-07-10T08:09:20.07+00:00

Hello,

I would like to know how I can restrict read access for a single container only. Imagine the following situation: I have a storage account "stracc" with two containers, "container" and "containerdenied", inside. I would like to do this via DenyAssignments. Therefore I wrote the following Bicep file "main.bicep":

param storageAccountName string = 'stracc'
param containerName1 string = 'container'
param containerName2 string = 'containerdenied'

resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: 'germanywestcentral'
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StandardV2' == 'StandardV2' ? 'StorageV2' : 'StorageV2'
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-02-01' = {
  name: 'default'
  parent: storageAccount
}

resource storageContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {
  parent: blobService
  name: containerName1
}

// Symbolic resource names must be unique within a Bicep file; the second
// container needs its own symbolic name, otherwise the file does not compile.
resource storageContainerDenied 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {
  parent: blobService
  name: containerName2
}

Now I execute the following command via Azure CLI:

az stack group create \
  --name my_stack \
  --resource-group my-rg \
  --template-file main.bicep \
  --deny-settings-mode DenyWriteAndDelete \
  --action-on-unmanage detachAll \
  --deny-settings-excluded-actions Microsoft.Storage/storageAccounts/blobServices/containers/containerdenied/read

Unfortunately this doesn't work. The command fails and I am pretty sure this is because of the permission "Microsoft.Storage/storageAccounts/blobServices/containers/containerdenied/read" where the specific container name is included. If I execute this command without the container name like "Microsoft.Storage/storageAccounts/blobServices/containers/read" it works perfectly fine. But then, of course, the read access is permitted for all containers. What do I have to do to only apply this to one of the containers? Thank you very much for your help!

Azure Storage Accounts

Accepted answer
  1. Stanislav Zhelyazkov 26,096 Reputation points MVP
    2024-07-10T08:39:36.0866667+00:00

    Hi,

    I think you have understood deployment stacks incorrectly. The stack can deny write and delete permissions on resources already assigned via Azure RBAC. It does not deny read permissions. The stack basically tries to protect the resources from changes, and read permissions cannot make any change. If you have two containers and want to give read permissions to different groups, just assign separate read permissions for each container to each group. Do not assign read permissions at a higher scope, otherwise they will automatically inherit access to lower resources as well. You could also try ABAC. ABAC allows flexible and dynamic RBAC based on attributes.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Nehruji R 8,166 Reputation points Microsoft Vendor
    2024-07-11T10:33:59.4266667+00:00

    Hello Schmitz, Simon,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you would like to restrict access to a container for a particular user. You can assign roles at the container level. When you open a container in the Azure portal, you will see the blade where you can grant Storage Data Reader / Storage Data Contributor at the user or group level.

    Service Principal:

    • Create a new service principal in Azure Active Directory.
    • Assign specific permissions to this service principal at the container level within your storage account.

    Access Control Lists (ACLs):

    • You can also use Access Control Lists (ACLs) to grant access to specific containers or files within the storage account.
    • With ACLs, you can specify the permissions that users or service principals have for specific containers or files, providing finer-grained control over data access.

    Yes, you can use Bicep code to restrict read access for a single container in Azure Blob Storage. The Bicep code creates a storage account with containers and assigns a custom role that grants read access only to the containerdenied container. Replace <principal-id> with the actual ID of the user or group you want to assign the role to.

    Refer to: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers?pivots=deployment-language-bicep, https://learn.microsoft.com/en-us/azure/templates/microsoft.app/containerapps?pivots=deployment-language-bicep.

    Similar threads for reference: https://stackoverflow.com/questions/68164897/azure-using-bicep-to-set-storage-container-access-policy, https://learn.microsoft.com/en-us/answers/questions/1688601/how-to-limit-access-to-a-single-container-in-azure.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

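Both answers above say the same thing in different words: read access to one container is granted with a role assignment scoped to that container (or with an ABAC condition on a broader assignment), not with deployment-stack deny settings, which only take denyDelete / denyWriteAndDelete. The following Bicep is an added example written for this page; it is not code from the question or from either answer. It shows both options side by side. The parameter names, the two object-ID parameters and the API versions are assumptions; the role definition GUID is the built-in Storage Blob Data Reader role.

```bicep
// Added example (not from the question or either answer): two ways to let a
// principal read 'container' but not 'containerdenied'. Parameter names, default
// values and the two object-ID parameters are assumptions.
param storageAccountName string = 'stracc'
param containerName1 string = 'container'
param containerName2 string = 'containerdenied'

@description('Assumed: object ID of the Entra ID group that may read containerName1 (container-scoped assignment).')
param readerGroupObjectId string

@description('Assumed: object ID of the Entra ID group that gets the ABAC-conditioned assignment at account scope.')
param abacGroupObjectId string

// Built-in role "Storage Blob Data Reader"
var storageBlobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
var storageBlobDataReaderRoleDefinition = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReaderRoleId)

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: resourceGroup().location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    // Shared-key access (account key or account SAS) bypasses RBAC and ABAC
    // entirely, so a per-container restriction only holds with it switched off.
    allowSharedKeyAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  name: 'default'
  parent: storageAccount
}

resource allowedContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: containerName1
}

resource deniedContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: containerName2
}

// Option 1: scope the role assignment to the container resource. Azure RBAC is
// additive and inherits downward only, so as long as the group has no assignment
// at account, resource-group or subscription scope it has nothing on containerName2.
resource readAllowedContainer 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(allowedContainer.id, readerGroupObjectId, storageBlobDataReaderRoleId)
  scope: allowedContainer
  properties: {
    roleDefinitionId: storageBlobDataReaderRoleDefinition
    principalId: readerGroupObjectId
    principalType: 'Group'
  }
}

// Option 2 (ABAC): assign at storage-account scope, but attach a condition so the
// blob read data action only succeeds when the request targets containerName1.
// The leading "!(ActionMatches ...) OR" leaves every other action in the role
// (e.g. listing the containers themselves) unconditioned, so members can still
// see that containerName2 exists; they just cannot read or list its blobs.
var readOnlyFromAllowedContainer = '((!(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read\'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals \'${containerName1}\'))'

resource readWithAbacCondition 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storageAccount.id, abacGroupObjectId, storageBlobDataReaderRoleId)
  scope: storageAccount
  properties: {
    roleDefinitionId: storageBlobDataReaderRoleDefinition
    principalId: abacGroupObjectId
    principalType: 'Group'
    conditionVersion: '2.0'
    condition: readOnlyFromAllowedContainer
  }
}
```

Deploying this file with the stack command from the question (denyWriteAndDelete, no excluded actions needed) keeps the deny assignment doing the one job it is designed for: principals not on the excluded list cannot modify or delete the containers or these role assignments. Read access is decided entirely by the assignments. To check the effect, sign in as a member of the reader group and run `az storage blob list --auth-mode login --account-name stracc --container-name containerdenied`; the call should fail with a 403 AuthorizationPermissionMismatch, while the same call against `container` succeeds.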
