Resource scope for blobs and queues
It is also important to determine the scope of the access for the security principal before you assign an RBAC role. You can narrow the scope to the container, queue, or table level. Here are the valid scopes:
- Container: The role assignment will be applicable at the container level. All the blobs inside the container, the container properties, and the metadata will inherit the role assignment when this scope is selected.
- Queue: The role assignment will be applicable at the queue level. All the messages inside the queue, as well as queue properties and metadata, will inherit the role assignment when this scope is selected.
- Table: The role assignment will be applicable at the table level. All tables and entities within the storage account will be accessible based on the role assignment with this scope.
- Storage account: The role assignment will be applicable at the storage account level. All the containers, blobs, queues, and messages within the storage account will inherit the role assignment when this scope is selected.
- Resource group: The role assignment will be applicable at the resource group level. All the containers or queues in all the storage accounts in the resource group will inherit the role assignment when this scope is selected.
- Subscription: The role assignment will be applicable at the subscription level. All the containers or queues in all the storage accounts in all the resource groups in the subscription will inherit the role assignment when this scope is selected.
Entra ID authentication and authorization in the Azure portal
In the following example, you will learn how to configure the Entra ID authentication method to allow users to access the blob data.
In Figure 2-16, you can see the examref container has one blob named SampleFile.txt. Also, notice that the authentication method is currently set as Access Key.
FIGURE 2-16 The Overview blade of examrefcontainer
Click Switch To Microsoft Entra User Account to change the authentication method.
You will see a warning message indicating that you do not have permission to list the data (see Figure 2-17).
FIGURE 2-17 Warning message that you don’t have permission
Now you’ll assign the Storage Blob Data Reader role to the logged-in user at the container level.
- Open the Access Control (IAM) blade for the container and select Add, Add Role Assignment.
- On the Role tab, select the Storage Blob Data Reader role, and then click Next.
- On the Members tab, select your user account.
- Click Review + Assign twice to apply the role assignment (see Figure 2-18).
FIGURE 2-18 Storage Blob Data Reader role assignment
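The same container-level assignment can be scripted with the Azure CLI. The following added example (not from the book) builds the resource ID for each scope level listed earlier and prints the `az role assignment create` command that grants Storage Blob Data Reader on the examref container only; the subscription ID, resource group, storage account name, and user principal name are placeholders.

```shell
# Azure RBAC scope strings for the scope levels described above, plus the
# container-level Storage Blob Data Reader assignment from the walkthrough.
# Subscription id, resource group, account name and UPN are placeholders.

# build_scope LEVEL SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT [RESOURCE_NAME]
# Prints the ARM resource id that `az role assignment create --scope` expects.
build_scope() {
  level=$1; sub=$2; rg=$3; acct=$4; name=$5
  sub_scope="/subscriptions/$sub"
  rg_scope="$sub_scope/resourceGroups/$rg"
  acct_scope="$rg_scope/providers/Microsoft.Storage/storageAccounts/$acct"
  case "$level" in
    subscription)  printf '%s\n' "$sub_scope" ;;
    resourcegroup) printf '%s\n' "$rg_scope" ;;
    account)       printf '%s\n' "$acct_scope" ;;
    # Data-plane scopes narrow the grant to one container, queue or table.
    container)     printf '%s\n' "$acct_scope/blobServices/default/containers/$name" ;;
    queue)         printf '%s\n' "$acct_scope/queueServices/default/queues/$name" ;;
    table)         printf '%s\n' "$acct_scope/tableServices/default/tables/$name" ;;
    *) printf 'unknown scope level: %s\n' "$level" >&2; return 1 ;;
  esac
}

# assign_blob_reader_cmd UPN SCOPE
# Prints the az command that grants Storage Blob Data Reader at SCOPE. It is
# printed rather than executed so the example runs without an Azure login.
assign_blob_reader_cmd() {
  printf 'az role assignment create --role "Storage Blob Data Reader" --assignee %s --scope %s\n' "$1" "$2"
}

# Walkthrough equivalent: reader on the examref container, nothing wider.
SUB_ID="00000000-0000-0000-0000-000000000000"   # placeholder subscription id
SCOPE=$(build_scope container "$SUB_ID" "rg-examref" "examrefstorage" "examref")
assign_blob_reader_cmd "user@example.com" "$SCOPE"

# Afterwards (with an az login), confirm nothing broader was granted:
# az role assignment list --scope "$SCOPE" --role "Storage Blob Data Reader" -o table
```

Pick the narrowest level that still satisfies the requirement; an assignment at the storage account, resource group, or subscription level grants the same read access to every container beneath it.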
You should now see the user with the role Storage Blob Data Reader, which appears under the Role heading (see Figure 2-19).
FIGURE 2-19 Role assignments for examrefcontainer
If you navigate to the Overview blade of examref now, you will see the SampleFile.txt blob with the authentication method shown as Microsoft Entra User Account (see Figure 2-20).
FIGURE 2-20 The Overview blade of examrefcontainer