Azure storage Adls blob container set read only

Pankaj Joshi 331

I have storage account with hierarchical namespace enabled. Now I have container "test" where I have uploaded one file, I need this file to be read only so that no one can update it. Now problem is "test" container inherit rbac role "storage data contributor" from parent which cannot be removed. How can I make file or container read only? Is it possible by ACL or any other option? Please advise

Nehruji R 7,306 Reputation points Microsoft Vendor

2024-09-05T07:17:00.95+00:00

Hi, we hope the below answer helped if yes please accept the answer else, please let us know if you have any further queries. I’m happy to assist you further.
Pankaj Joshi 331 Reputation points

2024-09-05T08:09:43.6666667+00:00

No solution does not seems to working. I tried below click command using task AZURECLI@2 and it run successfully BUT it do not have any impact, I am still able to edit filename.txt residing in container "test". I tried to do directly from portal also but no luck? Please advise. Also note that it's not accepting angle bracket in cl so I have used double quote as shown below. Please advise how can I use Access Control Lists (ACLs) to override the inherited permissions of storage data contributer role

az storage fs access set --acl "user::r--,group::r--,other::r--" --path "filename. txt" --account-name "mystorageacct"--file-system " test"

1 answer

Sina Salam 10,036 Reputation points

2024-09-04T15:49:25.54+00:00
Hello Pankaj Joshi,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you have a challenge with your container which inherit RBAC role "storage data contributor" from parent and cannot be removed.

Regarding your questions:

How can I make file or container read only? Is it possible by ACL or any other option?

Yes, it is possible with ACL. You can the container read-only despite the inherited "Storage Blob Data Contributor" role, by using Access Control Lists (ACLs) to override the inherited permissions. Also, as an option, you can use Azure rbac as well as ACL. https://video2.skills-academy.com/en-us/azure/storage/blobs/assign-azure-role-data-access and https://video2.skills-academy.com/en-us/azure/storage/blobs/storage-auth-abac

You can follow the below guides to achieve read-only implementation using Azure CLI or this YouTube link https://youtu.be/hjaP7u5d0x8 for more details on configurations and Azure Storage Explorer.

# Set ACLs on the File az storage fs access set --acl "user::r--,group::r--,other::r--" --path <file-path> --account-name <storage-account-name> --file-system <container-name> # Set ACLs on the Container az storage fs access set --acl "user::r-x,group::r-x,other::r-x" --path <container-name> --account-name <storage-account-name> --file-system <container-name> # Use Azure Attribute-Based Access Control (ABAC) az role assignment create --role "Storage Blob Data Reader" --assignee <user-principal-name> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container-name>

NOTE: Run the code one after the other and provide appropriate information for everything in a angle bracket < -- >.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
Please sign in to rate this answer.
Pankaj Joshi 331 Reputation points

2024-09-05T09:09:27.7033333+00:00

No solution does not seems to working. I tried below click command using task AZURECLI@2 and it run successfully BUT it do not have any impact, I am still able to edit filename.txt residing in container "test". I tried to do directly from portal also but no luck? Please advise. Also note that it's not accepting angle bracket in cl so I have used double quote as shown below. Please advise how can I use Access Control Lists (ACLs) to override the inherited permissions of storage data contributer role

az storage fs access set --acl "user::r--,group::r--,other::r--" --path "filename. txt" --account-name "mystorageacct"--file-system " test"

Sina Salam 10,036 Reputation points

2024-09-05T09:25:36.5433333+00:00

Hi

Thank you for your feedback.

The code as you posted is like this, don't use qoute.

az storage fs access set --acl "user::r--,group::r--,other::r--" --path "filename. txt" --account-name "mystorageacct"--file-system " test"

Please, observe typo errors in your code, put space where space should be, what you posted as a code can not work.

This code above is edited see the below edited version:

az storage fs access set --acl "user::r--,group::r--,other::r--" --path filename.txt --account-name mystorageacct --file-system test

This command sets the ACL for filename.txt in the test file system of the mystorageacct storage account, granting read-only access to the user, group, and others.

If the path specified is not correct it will never work. please check appropriately.

Success

Pankaj Joshi 331 Reputation points

2024-09-05T10:24:43.6066667+00:00

I tired after removing quotes also, pipeline successfully run but it seems to have NO impact on ACL. see screenshot

. I am still able to edit file. I don't think it's overriding inheritance permission. Please advise

Sina Salam 10,036 Reputation points

2024-09-06T16:58:24.2+00:00

So sorry for the stress,

Check properly something is missing somewhere, this is hierarchical fine-grained tested implementation. You can use your Azure Support direct from Azure Portal.

Pankaj Joshi 331 Reputation points

2024-09-09T10:12:25.54+00:00

I checked ACL at file level and user, group and other are set correctly to "read only" but no impact, I am still able to edit file. Anyway I have opened Azure support ticket

Sina Salam 10,036 Reputation points

2024-09-09T13:04:54.77+00:00

Hello Pankaj Joshi,

Test with another account.

Pankaj Joshi 331 Reputation points

2024-09-09T14:52:50.0066667+00:00

Just noticed that ADLS authentication type is access key. Could this be the reason why rbac and acl is not working

Sina Salam 10,036 Reputation points

2024-09-09T15:57:53.15+00:00

Hi Pankaj Joshi,

Thank you for finding out the access key, and also raise support ticket on Azure Portal.

That's just it, in Azure Data Lake Storage (ADLS) when you use an access key, the system does not associate the request with any identity, which means that RBAC and ACL checks are bypassed. https://video2.skills-academy.com/en-us/azure/storage/blobs/data-lake-storage-access-control

Thank you.

Pankaj Joshi 331 Reputation points

2024-09-10T07:55:43.86+00:00

Hi Sina,

In case of access key how do we make specific container read only, is it possible through below powershell command "Set-AzRoleAssignment " as mentioned in https://video2.skills-academy.com/en-us/azure/storage/blobs/storage-auth-abac-examples?tabs=azure-powershell

Pankaj Joshi 331 Reputation points

2024-09-10T09:22:18.61+00:00

is there any deny permission role I can add

Pankaj Joshi 331 Reputation points

2024-09-11T07:17:54.84+00:00

as confirmed by ms support with access key it is not possible
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure storage Adls blob container set read only

1 answer

Your answer