Differences between Shared Key and Azure AD Storage Account access

Matthew Kracht 21 Reputation points
2020-08-27T19:57:21.863+00:00

I'm referencing this docs page: https://video2.skills-academy.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage. Based on this link both Shared Key and Azure AD auth are "Supported" but will there be any special cases where one may have more access than the other? I'm assuming two access scenarios:

Scenario 1:
A Security Principal that has been granted Storage Account Contributor role for Storage Account "foo" uses Shared Key auth to read storage blobs in "foo".

Scenario 2:
A Security Principal that has been granted Storage Blob Data Reader role for Storage Account "foo" uses Azure AD auth to read storage blobs in "foo".

I would expect both auth types to not be able to access a storage account that has a network ACL defined that blocks access from the IP address the service principal is making the request from.

I would also expect any Storage Account w/ an IAM Deny Assignment that blocks access for all Service Principals to block access regardless of auth type (e.x. Storage Accounts created for Azure Databricks).

Are those two statements true? Am I missing any scenarios where the auth types do not have equivalent access?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,871 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,575 questions
0 comments
Accepted answer
  1. deherman-MSFT 34,931 Reputation points Microsoft Employee
    2020-08-27T22:38:18.743+00:00

    @Matthew Kracht
    Since both are using RBAC for permissions they would function the same in these scenarios. You might find the documentation here helpful. That being said, authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your blob and queue applications when possible to minimize potential security vulnerabilities inherent in Shared Key. More information about using Azure AD can be found on this page.

    Hope this helps! Let us know if you have further questions or issues.

    --------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest