Synapse Linked service to blob container only

sakuraime 2,321 Reputation points
2021-12-24T05:50:25.083+00:00

If my storage account has multiple containers and I wish to grant permission for the Synapse MI to one of the containers only; however, when building the linked service, it does not allow the test connection and it fails.

So there must be some permission that needs to be granted at the root of the storage account first. Any idea?

  1. PRADEEPCHEEKATLA-MSFT 77,751 Reputation points Microsoft Employee
    2021-12-24T09:22:54.95+00:00

    Hello @sakuraime ,

    Thanks for the question and using MS Q&A platform.

    Concept of ACLs in ADLS Gen2:

    Azure Data Lake Storage Gen2 implements an access control model that supports both Azure role-based access control (Azure RBAC) and POSIX-like access control lists (ACLs). This article summarizes the basics of the access control model for Data Lake Storage Gen2.

    ACLs are applied on the file and folder level. The key thing to remember is that you are always going to need RBAC Control Plane permissions in combination with ACLs. Best practice is to assign your security principals RBAC Reader role on the Storage Account/Container level and continue with more restrictive ACLs on the file and folder level.

    There are two types of ACLs:

    • Access ACLs: They control access to an object. An object can be a file or a folder.
    • Default ACLs: These are ACLs assigned on the folder level only which get inherited as Access ACLs by the child file or folder.

    For more details, refer to Access control lists (ACLs) in Azure Data Lake Storage Gen2.

    Practical use case of ACLs in ADLS Gen2:

    To help you understand the scenario, I had created an ADLS Gen2 account named chepragen22 with three containers named data2020, data2021 and data2022.

    Note: I'm using data2022 to provide an access ACL for a specific container with the Managed identity name: cheprasynapse.

    Here is the walkthrough on how to grant an ACL for a specific container.

    It's time to test the linked service connection for the folders data2020, data2021, and data2022.

    Note: If you test the linked service connection by using Test connection = To linked service, it will throw the above error message.

    Try changing the linked service connection test to use Test connection = To file path and pass data2022; it will be successful.

    Here is the complete walkthrough on testing the ADLS Gen2 linked service:

    Hope this will help. Please let us know if any further queries.

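The pattern the answer describes (RBAC Reader on the account for the control plane, plus a POSIX ACL on the root of one container for the data plane) as an added Azure CLI example; it is not code from the original thread. The resource group variable RG, the use of the Synapse workspace name to look up its managed identity, and the account, container and workspace names from the answer's scenario are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: grant a Synapse managed identity
# access to ONE container of an ADLS Gen2 account without touching the others.
set -eu

# Build the ACL entry list for a principal: an access ACL on the container
# root plus a matching default ACL so new child files/folders inherit it.
# Usage: acl_entries <object-id> [perm]   (perm defaults to r-x: list + read)
acl_entries() {
  oid="$1"
  perm="${2:-r-x}"
  printf 'user:%s:%s,default:user:%s:%s' "$oid" "$perm" "$oid" "$perm"
}

# Object id of the workspace's system-assigned managed identity (assumes the
# MI name in the answer, cheprasynapse, is the Synapse workspace name).
mi_object_id() {
  az synapse workspace show -n "$1" -g "${RG:?set RG}" \
    --query identity.principalId -o tsv
}

# Usage: grant_container_access <storage-account> <container> <workspace>
grant_container_access() {
  account="$1"; container="$2"; workspace="$3"
  oid="$(mi_object_id "$workspace")"
  sub="$(az account show --query id -o tsv)"

  # 1. Control plane: Reader on the storage account so the identity can
  #    resolve the account at all (the answer's recommended baseline).
  az role assignment create \
    --assignee-object-id "$oid" --assignee-principal-type ServicePrincipal \
    --role Reader \
    --scope "/subscriptions/$sub/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$account"

  # 2. Data plane: ACL on this container's root only (--path / is the root).
  #    Use rwx instead of r-x only if the identity must write.
  az storage fs access set \
    --account-name "$account" --file-system "$container" --path / \
    --acl "$(acl_entries "$oid" r-x)" --auth-mode login
}

# Example invocation with the answer's names (placeholders):
# RG=my-rg grant_container_access chepragen22 data2022 cheprasynapse
# Afterwards, test the linked service with "To file path" = data2022; a
# "To linked service" test still needs account-wide data-plane rights.
```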