APIM access to storage account with ACL

Asked by VikasTiwari-2263
I have a few APIM proxies which insert incoming payloads into different ADLS Gen2 folders.

i.e. /api/v1/customer will store payload into "mycontainer/customers" folder at ADLS Gen2
/api/v1/product will store payload into "mycontainer/products" folder at ADLS Gen2

APIM is using MSI to access the storage account with the Contributor role.

Can I fine-grain security using ACLs and give access at the folder level to a specific APIM proxy? (i.e. using the above scenario, /api/v1/customer must only post data into the "mycontainer/customers" folder, and should throw an error if it tries to post a payload into the wrong folder, such as "mycontainer/products").

Thanks.


Tags: azure-data-lake-storage, azure-api-management, azure-rbac

1 Answer

Answered by PRADEEPCHEEKATLA-MSFT

Hello @VikasTiwari-2263,

Thanks for the question and using MS Q&A platform.

Unfortunately, you cannot use fine-grained security using ACLs and give access at the folder level to a specific APIM proxy.

Reason: Azure API Management relies on Azure role-based access control (Azure RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies).

API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance.


For more details, refer to How to use Role-Based Access Control in Azure API Management

You can associate a security principal with an access level for files and directories. Each association is captured as an entry in an access control list (ACL).

For more details, refer to Access control lists (ACLs) in Azure Data Lake Storage Gen2.

Hope this helps. Please let us know if you have any further queries.




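The answer points at two different mechanisms: Azure RBAC on the API Management resource, and POSIX-style ACLs on ADLS Gen2 directories. The part that decides whether a per-folder fence can work is how the storage service evaluates a write: Azure RBAC on the storage account is checked first, and a data-plane role such as Storage Blob Data Contributor authorizes the write without the ACLs ever being consulted; only a caller that no role assignment authorizes falls through to the ACL check, which then needs execute on every directory above the target and write plus execute on the target itself. The following model of that evaluation is an added example written for this page, not code from the thread or from Microsoft. It does not call the storage API; it evaluates ACL strings in the short form that `az storage fs access set --acl` accepts. The object IDs, the owning user and group, and the directory layout are constructed placeholders, and combining several matching group entries with a union is this model's assumption.

```python
"""Model of how ADLS Gen2 authorizes a file write under a directory ACL.

Added example (not from the original thread). It follows the documented
evaluation order: Azure RBAC first, then the POSIX-style ACL on every
directory in the path. Object IDs, names and the layout are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

R, W, X = 4, 2, 1  # POSIX permission bits: read, write, execute (traverse)

# Data-plane roles that authorize writes outright. When a role assignment
# covering the caller grants the operation, ADLS Gen2 does not evaluate ACLs,
# so one identity holding such a role cannot be fenced to a folder by ACLs.
RBAC_WRITE_ROLES = frozenset({"Storage Blob Data Contributor",
                              "Storage Blob Data Owner"})


def bits(perm: str) -> int:
    """'rwx' -> 7, '-wx' -> 3, '--x' -> 1, '---' -> 0."""
    return ((R if perm[0] == "r" else 0)
            | (W if perm[1] == "w" else 0)
            | (X if perm[2] == "x" else 0))


def parse_acl(text: str) -> Dict[Tuple[str, str], int]:
    """Parse the short ACL form used by `az storage fs access set --acl`,
    e.g. 'user::rwx,user:<oid>:-wx,group::r-x,mask::rwx,other::---'."""
    entries = {}
    for item in text.split(","):
        kind, qualifier, perm = item.split(":")
        entries[(kind, qualifier)] = bits(perm)
    return entries


@dataclass
class DirAcl:
    owner: str                          # owning user (object ID)
    group: str                          # owning group (object ID)
    entries: Dict[Tuple[str, str], int]


def effective(acl: DirAcl, principal: str,
              groups: FrozenSet[str] = frozenset()) -> int:
    """Permission bits `principal` holds on one directory.

    Order: owning user, named user entry, owning group and named groups, then
    `other`. The mask caps every entry except owning user and `other`.
    Matching group entries are combined with a union (assumption of this model)."""
    e = acl.entries
    mask = e.get(("mask", ""), R | W | X)
    if principal == acl.owner:
        return e[("user", "")]
    if ("user", principal) in e:
        return e[("user", principal)] & mask
    group_bits, matched = 0, False
    if acl.group in groups:
        group_bits, matched = group_bits | e[("group", "")], True
    for g in groups:
        if ("group", g) in e:
            group_bits, matched = group_bits | e[("group", g)], True
    if matched:
        return group_bits & mask
    return e[("other", "")]


def can_create_file(tree: Dict[str, DirAcl], target_dir: str, principal: str,
                    groups: FrozenSet[str] = frozenset(),
                    roles: FrozenSet[str] = frozenset()) -> bool:
    """Decide whether `principal` may create a new file inside `target_dir`.

    `tree` maps container-relative directory paths ('' is the container root)
    to their ACLs. Without an authorizing RBAC role the caller needs execute on
    the root and every intermediate directory, plus write+execute on the target."""
    if roles & RBAC_WRITE_ROLES:
        return True                       # RBAC wins; ACLs are never consulted
    parts = [p for p in target_dir.strip("/").split("/") if p]
    ancestors = [""] + ["/".join(parts[:i]) for i in range(1, len(parts))]
    for d in ancestors:
        if not (effective(tree[d], principal, groups) & X):
            return False                  # cannot traverse into the target
    target = "/".join(parts)
    return (effective(tree[target], principal, groups) & (W | X)) == (W | X)


# Constructed sample layout: the two object IDs stand in for two user-assigned
# managed identities, one attached to each APIM proxy (placeholders, not real).
CUSTOMER_API = "11111111-1111-1111-1111-111111111111"
PRODUCT_API = "22222222-2222-2222-2222-222222222222"
ADMIN, ADMIN_GROUP = "admin-oid", "admin-group-oid"
TREE = {
    "": DirAcl(ADMIN, ADMIN_GROUP, parse_acl(
        f"user::rwx,user:{CUSTOMER_API}:--x,user:{PRODUCT_API}:--x,"
        f"group::r-x,mask::rwx,other::---")),
    "customers": DirAcl(ADMIN, ADMIN_GROUP, parse_acl(
        f"user::rwx,user:{CUSTOMER_API}:-wx,group::r-x,mask::rwx,other::---")),
    "products": DirAcl(ADMIN, ADMIN_GROUP, parse_acl(
        f"user::rwx,user:{PRODUCT_API}:-wx,group::r-x,mask::rwx,other::---")),
}

if __name__ == "__main__":
    for who, name in ((CUSTOMER_API, "customer proxy"), (PRODUCT_API, "product proxy")):
        for d in ("customers", "products"):
            verdict = "allow" if can_create_file(TREE, d, who) else "deny"
            print(f"{name:15s} -> {d:10s}: {verdict}")
    shared = frozenset({"Storage Blob Data Contributor"})
    print("identity with a data-plane role -> products:",
          can_create_file(TREE, "products", CUSTOMER_API, roles=shared))
```

Run as a script, the customer identity is allowed into `customers` and denied in `products`, the product identity the reverse, and the same customer identity is allowed everywhere once it holds Storage Blob Data Contributor. The model also shows the two checks that usually trip people up when ACLs are the only authorization: an identity with `-wx` on the target directory but no `--x` entry on the container root is still denied, and a mask of `r-x` silently strips the write bit from a named-user `-wx` entry.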

Thanks @PRADEEPCHEEKATLA-MSFT for confirming it and providing further details.
