Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
From your comments I understand that the application hosted in Azure App Service is trying to access storage using Managed Identity via Private Endpoint.
To connect to Azure Storage via Private Endpoint, please refer to:
- https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal?tabs=dynamic-ip
- https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
If you are using Managed Identity, there are two ways to do this. You can select either one to connect to Azure Storage:
- System Assigned
- User Assigned
To configure System Assigned, you can leverage the following steps. Since no preference for programming language was shared, I have tested using Python.
1. Grant the Managed Identity access to the Storage Account: in your storage account, select Access Control (IAM). Click Add and select Add role assignment. Search for Storage Blob Data Owner (or whichever permission is required), select it, and click Next.
2. On the Members tab, under Assign access to, choose Managed Identity. Click Select members; a blade will open on the right side of the Azure Portal.
3. On that blade select the correct subscription and resource, click the Select button, and click Next.
4. On the Review + assign tab, click Review + assign at the bottom.
5. Use the following snippet in Azure App Service and deploy it:
from azure.storage.blob import BlobServiceClient
from azure.identity import ManagedIdentityCredential

# Create a credential using ManagedIdentityCredential (system-assigned identity of the App Service)
creds = ManagedIdentityCredential()

# Create a BlobServiceClient using the credential
blob_service_client = BlobServiceClient(account_url="https://<storage Account>.blob.core.windows.net/", credential=creds)

# List all containers in the storage account
containers = blob_service_client.list_containers()
for container in containers:
    print(container.name)
To configure User Assigned, you can leverage the following steps. Please refer to https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview
1. Create a Managed Identity. Please refer to https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp.
2. Assign the correct role to the user-assigned identity (created in step 1) on the Storage Account (refer to the screenshot).
3. Assign the user-assigned identity to the resource where the application will be deployed, for example Azure App Service; please refer to https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-user-assigned-identity
4. Please repeat step 3 if you are deploying the code to multiple resources.
5. Log into Visual Studio on the dev computer with the credentials of a user who has the relevant access to the Azure Storage used in step 2.
6. Copy the Client ID of the Managed Identity created in step 1.
7. Leverage the following demo code from your dev computer and deploy the same code to the resource configured in step 4; it will list the containers:
from azure.storage.blob import BlobServiceClient
from azure.identity import DefaultAzureCredential

# Paste the client ID copied in step 6 into the following variable.
# Locally, DefaultAzureCredential uses the signed-in developer account; on the deployed
# resource it uses the user-assigned managed identity with this client ID.
user_assigned_client_id = "XXXXX-XXXXXX-XXXXXX-XXXX-XXXXXXXXXX"
creds = DefaultAzureCredential(managed_identity_client_id=user_assigned_client_id)

# Create a BlobServiceClient using the credential
blob_service_client = BlobServiceClient(account_url="https://samitstorage.blob.core.windows.net/", credential=creds)

# List all containers in the storage account
containers = blob_service_client.list_containers()
for container in containers:
    print(container.name)
Hope this helps.
Thanks.
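Added example (not part of the answer above or of Microsoft's documentation): a preflight that ties the two halves of this thread together. Before using the managed identity, it checks that the storage hostname resolves to a private (RFC 1918) address, i.e. that traffic really goes through the private endpoint rather than the public endpoint, and it chooses the system-assigned or user-assigned identity depending on whether a client ID is supplied. The `STORAGE_ACCOUNT_URL` and `AZURE_CLIENT_ID` environment variables and the injectable `resolver` are assumptions of this example.

```python
import ipaddress
import os
import socket
from typing import Optional
from urllib.parse import urlparse


def account_host(account_url: str) -> str:
    """Extract the blob endpoint hostname from an account URL."""
    host = urlparse(account_url).hostname
    if not host:
        raise ValueError(f"no hostname in {account_url!r}")
    return host


def privatelink_host(host: str) -> str:
    """Name of the record Azure creates in the privatelink DNS zone for a storage private endpoint."""
    account, _, suffix = host.partition(".")
    return f"{account}.privatelink.{suffix}"


def resolves_privately(host: str, resolver=socket.gethostbyname):
    """Return (ip, is_private). A private answer means the private endpoint is in use; a
    public answer means the request would leave the VNet and be rejected once the account's
    public network access is disabled. The resolver is injectable so this runs offline."""
    ip = resolver(host)
    return ip, ipaddress.ip_address(ip).is_private


def build_credential(client_id: Optional[str] = None):
    """System-assigned identity when no client ID is given, user-assigned identity otherwise."""
    from azure.identity import ManagedIdentityCredential  # imported lazily: only needed on App Service
    return ManagedIdentityCredential(client_id=client_id) if client_id else ManagedIdentityCredential()


def list_container_names(account_url: str, client_id: Optional[str] = None, resolver=socket.gethostbyname):
    """Preflight the DNS path, then list containers the same way the snippets in the answer do."""
    host = account_host(account_url)
    ip, private = resolves_privately(host, resolver)
    if not private:
        raise RuntimeError(f"{host} resolves to public address {ip}; expected the private endpoint "
                           f"(check the {privatelink_host(host)} record in the VNet's DNS zone)")
    from azure.storage.blob import BlobServiceClient  # imported after the preflight succeeds
    client = BlobServiceClient(account_url=account_url, credential=build_credential(client_id))
    return [c.name for c in client.list_containers()]


if __name__ == "__main__":
    # Hypothetical settings; configure them as App Service application settings.
    names = list_container_names(os.environ["STORAGE_ACCOUNT_URL"], os.environ.get("AZURE_CLIENT_ID"))
    print("\n".join(names))
```

If the preflight fails on App Service, the usual cause is that the app is not integrated with the VNet that hosts the private endpoint or the privatelink DNS zone is not linked to that VNet, so the hostname still resolves to the public IP.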