Blob Storage with Private Endpoint and Managed Identity to connect to storage

Nathan88 0 Reputation points
2023-11-21T14:43:51.8166667+00:00

Hello,

For my App Service I would like to integrate a Storage Account (Blob Storage).
However, I don't want the Blob Storage to be accessible via Public Access, so basically I'd like to use Private Access (through a Private Endpoint?).

Also, I would like to enable Managed Identity, so that the Blob Storage is accessible only through the App Service.

I tried to look for a tutorial, but I cannot seem to find a complete one to achieve the above.

Is there anyone who could provide me the steps that I have to execute to achieve the above?

Thank you in advance.

  1. SAMIT SARKAR 791 Reputation points Microsoft Employee
    2023-11-21T17:12:06.7666667+00:00

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.

    From your comments I understand that the application hosted in Azure App Service is trying to access storage using Managed Identity via a Private Endpoint.

    To connect to Azure Storage via a Private Endpoint, please refer to:

    1. https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal?tabs=dynamic-ip
    2. https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

    If you are using Managed Identity there are two ways to do this. You can select either one to connect to Azure Storage:

    1. System Assigned
    2. User Assigned

    To configure a System Assigned identity you can leverage the following steps. Since no preference for a programming language was shared, I have tested using Python.

    1. Grant the Managed Identity access to the Storage Account: in your storage account, select Access Control (IAM). Click Add and select Add role assignment. Search for Storage Blob Data Owner (or whichever permission is actually required), select it, and click Next.
    2. On the Members tab, under Assign access to, choose Managed identity. Click Select members; a blade will open on the right side of the Azure Portal.
    3. On that blade select the correct subscription and resource, click the Select button, and click Next.
    4. On the Review + assign tab, click Review + assign at the bottom.
    5. Use the following snippet in Azure App Service and deploy:

    from azure.storage.blob import BlobServiceClient
    from azure.identity import ManagedIdentityCredential

    # Create a credential using ManagedIdentityCredential; on App Service this
    # picks up the system-assigned identity automatically (no secrets in code)
    creds = ManagedIdentityCredential()

    # Create a BlobServiceClient using the credential.
    # Replace <storage Account> with the name of your storage account.
    blob_service_client = BlobServiceClient(account_url="https://<storage Account>.blob.core.windows.net/", credential=creds)

    # List all containers in the storage account
    containers = blob_service_client.list_containers()
    for container in containers:
        print(container.name)


    To configure a User Assigned identity you can leverage the following steps.

    Please refer to https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

    1. Create a user-assigned Managed Identity. Please refer to https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp.
    2. Assign the correct role to the user-assigned identity (created in step 1) on the Storage Account (refer to the screenshot).
    3. Assign the user-assigned identity to the resource where the application will be deployed, for example Azure App Service; please refer to https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-user-assigned-identity
    4. Repeat step 3 if you are deploying the code to multiple resources.
    5. Log into Visual Studio on the dev computer with the credentials of a user who has the relevant access to the Azure Storage account used in step 2.
    6. Copy the Client ID of the Managed Identity created in step 1.
    7. Leverage the following demo code from your dev computer, and deploy the same code to the resource configured in step 3; it will list the containers.

    from azure.storage.blob import BlobServiceClient
    from azure.identity import DefaultAzureCredential

    # Paste the client ID copied in step 6 here. DefaultAzureCredential uses the
    # user-assigned managed identity with this client ID when the code runs in Azure,
    # and falls back to the developer's Visual Studio / CLI login on the dev computer.
    user_assigned_client_id = "XXXXX-XXXXXX-XXXXXX-XXXX-XXXXXXXXXX"
    creds = DefaultAzureCredential(managed_identity_client_id=user_assigned_client_id)

    # Create a BlobServiceClient using the credential
    blob_service_client = BlobServiceClient(account_url="https://samitstorage.blob.core.windows.net/", credential=creds)

    # List all containers in the storage account
    containers = blob_service_client.list_containers()
    for container in containers:
        print(container.name)


    Hope this Helps.

    Thanks.

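The portal steps in the answer above, expressed as infrastructure-as-code so the private endpoint, private DNS, locked-down storage account and least-privilege role assignment are deployed together. This is an added example, not code from the original answer or from Microsoft; it assumes the VNet, the private-endpoint subnet and an App Service with a system-assigned identity and VNet integration already exist, and takes their IDs and the identity's object ID as placeholder parameters.

```bicep
param location string = resourceGroup().location
param vnetId string            // VNet the App Service is integrated with (assumed to exist)
param peSubnetId string        // subnet that will host the private endpoint (assumed to exist)
param appPrincipalId string    // object id of the App Service's system-assigned identity
var storageName = 'st${uniqueString(resourceGroup().id)}'
// Storage account reachable only over Private Link and only with Entra ID credentials
resource st 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'   // no path from the internet, regardless of firewall rules
    allowSharedKeyAccess: false       // account keys cannot be used to bypass the identity check
    minimumTlsVersion: 'TLS1_2'
  }
}

// Private endpoint for the blob sub-resource, placed in the app's VNet
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      { name: 'blob', properties: { privateLinkServiceId: st.id, groupIds: [ 'blob' ] } }
    ]
  }
}
// Private DNS: <account>.blob.core.windows.net must resolve to the endpoint's private IP inside
// the VNet; otherwise the SDK still sends requests to the public address, which is now refused
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net', location: 'global' }
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'app-vnet'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}
resource dns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: zone.id } } ] }
}

// Least privilege: only the app's identity gets Storage Blob Data Contributor, scoped to this account
var blobContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
resource ra 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(st.id, appPrincipalId, blobContributor)
  scope: st
  properties: { roleDefinitionId: blobContributor, principalId: appPrincipalId, principalType: 'ServicePrincipal' }
}
```

With allowSharedKeyAccess off, a leaked account key or SAS no longer gives anyone a way around the identity check; the Python snippets in the answer keep working because they authenticate with the managed identity rather than a key.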