
Authorize access to Azure using Service Principal

I am trying to understand a few points about delegating authorization to Azure Blob Storage using Azure service principals.

How I configure Azure:

  • Create and Configure Service Principal: in Active Directory I created an application, created a key (password), and set its required permissions to access Azure Storage;

  • Configure IAM of Azure Storage: under the Storage accounts section, I chose my storage account, and under IAM I assigned my account (my login account, XYZ@hotmail.com) to the Storage Blob Data Contributor role.

How I use the configuration in my client App:

  1. With the aforementioned configuration, my application takes the tenant ID, client ID, client secret, etc. and sends an authorization request to the /authorize endpoint.
  2. Then a window pops up and asks me to log in (using e.g. XYZ@hotmail.com), and then a consent screen pops up and asks for my permission to allow the service principal to read my Azure storage.
  3. After I approve, my client application receives an OAuth 2.0 code.
  4. Then I exchange this code for an access_key via the /token endpoint.

Q1: does this access_key grant my client application the same privileges as XYZ@hotmail.com or as the service principal?

Using the obtained access key I can read/write Azure blobs.

Q2: if XYZ@hotmail.com does not have read/write access (i.e. is not assigned the Storage Blob Data Contributor role), my client app is not able to read/write the blob, regardless of the service principal's role. This is where I get confused: I am under the impression that my client app is assuming the service principal, hence it will have the same privileges as the service principal, not XYZ@hotmail.com. For instance, XYZ@hotmail.com can have the Contributor role (i.e. read/write), while the service principal is assigned the Reader role. In that case, I would have full access to Blob storage, while my client app would have only read access to Blob storage. However, it seems the client app gets the same permissions as XYZ@hotmail.com. What am I missing here?

Q1: does this access_key grant my client application the same privileges as XYZ@hotmail.com or as the service principal?

The access_token you got has delegated permissions, on behalf of XYZ@hotmail.com. This is because you used the authorization code grant flow.

What am I missing here?

For your scenario, I suggest you use the client_credentials flow for your app.

With the client_credentials flow, you will get an access token with only the application permissions configured in AAD. Also, this access token is actually on behalf of your AAD application itself. If you assign a role to your service principal, you will get an access token with the permissions of that role.

If you use the authorization code grant flow, you will get an access token on behalf of the user, not the service principal. So the access token will have the permissions of that user.
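Added example (Python, not code from the original question or answer) that makes the difference between the two flows concrete. It builds the two /token request bodies the question and answer talk about (redeeming the /authorize code versus a plain client_credentials request), decodes the claims of two constructed tokens shaped like the ones AAD issues for each flow (real tokens are signed by AAD; these are unsigned stand-ins), and then looks up which IAM role assignment the storage data plane would apply, using the Q2 scenario where the user is Contributor and the service principal is Reader. Tenant, client, user and service-principal IDs, the secret, and the role assignment table are all placeholders.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Placeholder identifiers; all of these are assumptions, not values from the post.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # app registration (service principal)
CLIENT_SECRET = "<client secret created on the app registration>"
USER_OID = "22222222-2222-2222-2222-222222222222"    # object id of XYZ@hotmail.com in the tenant
SP_OID = "33333333-3333-3333-3333-333333333333"      # object id of the service principal
# v2.0 scope for the Azure Storage data plane; its delegated permission is user_impersonation.
STORAGE_SCOPE = "https://storage.azure.com/.default"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def authorization_code_token_request(code, redirect_uri):
    """Form body for step 4 of the question: redeem the code from /authorize at /token.
    The resulting token is delegated: it acts on behalf of the signed-in user."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": STORAGE_SCOPE,
    }


def client_credentials_token_request():
    """Form body for the client credentials grant: no /authorize step, no login window,
    no consent screen. The resulting token is app-only: it is the service principal."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": STORAGE_SCOPE,
    }


def fetch_token(body):
    """POST a form body to the token endpoint. Needs network access and real
    credentials, so the constructed examples below do not call it."""
    req = urllib.request.Request(TOKEN_ENDPOINT, data=urlencode(body).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a JWT. No signature check: fine for inspecting a
    token you hold, never a basis for authorizing a request."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def whose_permissions(token):
    """Tell a delegated token from an app-only token and return the object id that
    Azure RBAC evaluates. AAD puts 'scp' only in tokens issued on behalf of a user;
    an app-only token has no 'scp' and its 'oid' is the service principal's."""
    claims = decode_claims(token)
    kind = "delegated" if "scp" in claims else "app-only"
    return kind, claims["oid"]


def effective_role(token, role_assignments):
    """The storage data plane authorizes by the token's 'oid', so the role assigned
    to that object (the user or the service principal) is the one that applies."""
    kind, oid = whose_permissions(token)
    return kind, role_assignments.get(oid)


def make_unsigned_token(claims):
    """Constructed stand-in for an AAD-issued JWT (alg none, no real signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.fake-signature"


# Constructed tokens shaped like the two outcomes the answer describes.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://storage.azure.com", "appid": CLIENT_ID,
    "oid": USER_OID, "preferred_username": "XYZ@hotmail.com",
    "scp": "user_impersonation",
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://storage.azure.com", "appid": CLIENT_ID,
    "oid": SP_OID, "idtyp": "app",
})

# Constructed IAM state from the Q2 scenario: user is Contributor, service principal is Reader.
ROLE_ASSIGNMENTS = {
    USER_OID: "Storage Blob Data Contributor",
    SP_OID: "Storage Blob Data Reader",
}

if __name__ == "__main__":
    for name, tok in (("auth-code flow", DELEGATED_TOKEN), ("client-credentials flow", APP_ONLY_TOKEN)):
        print(name, "->", effective_role(tok, ROLE_ASSIGNMENTS))
```

With real credentials, `fetch_token(client_credentials_token_request())` returns a token whose `oid` is the service principal, so the Storage Blob Data Reader assignment on the service principal is what the blob endpoint enforces; send it as `Authorization: Bearer <token>` together with an `x-ms-version` header. Redeeming an /authorize code instead yields a token whose `oid` is the user, which is why the app in the question inherited XYZ@hotmail.com's Contributor access.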
