Given an access token that allows me to access an Azure storage account (so I can read/write blobs on behalf of a user), I would also like to be able to discover all the containers in that storage account that the user has read/write access to.
Is there a way, in C#, to get a list of these containers? I know that there is a general way to list all containers (for example, https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-containers-list?tabs=dotnet ), but the user would need read access on the storage account for that, and I only want to find the containers the user has access to.
Per my understanding, you are using Azure AD auth to protect your blob containers, and you want to get the list of containers that a user has read access to.
Basically, a user who is assigned any of the roles Storage Blob Data Contributor, Storage Blob Data Owner or Storage Blob Data Reader on a container will have read access to that container. See the details here.
So we just need to check, under the storage account scope, whether this user is granted any one of these 3 roles. We can do that via the Azure Management API; refer to the console application code below:
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
namespace AzureRoleTest
{
class Program
{
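/// <summary>
/// Lists the blob containers of one storage account on which a given user holds a
/// blob-reading built-in role, by querying the user's role assignments through the
/// Azure Management API (control plane).
/// </summary>
/// <remarks>
/// Known limits of this approach: only assignments whose principalId is the user's own
/// object ID are returned, so roles inherited through group membership are not reported;
/// deny assignments are not consulted; an ABAC condition on an assignment is only
/// flagged, not evaluated. Treat the output as "assignments found", not as a proof of
/// effective permissions.
/// </remarks>
static void Main(string[] args)
{
    // Inputs. The token must be valid for the Azure Management API (it is a different
    // token from the storage data-plane token the user holds) and must be allowed to
    // read role assignments at the storage account scope.
    var subscriptionID = "<your subscription ID>";
    var userObJId = "<user Object ID>";
    var storageAccountName = "<storage Account name>";
    var resourceGroup = "<resource group name>";
    var adminAccessToken = "<access token to call Azure management API>";

    // Built-in role definitions whose members can read blobs. The GUID is the stable,
    // tenant-independent part of the role definition ID; the name is only shown to the user.
    var destRoles = new List<Role>
    {
        new Role() { name = "Storage Blob Data Contributor", RoleId = "ba92f5b4-2d11-453d-a403-e96b0029c9fe" },
        new Role() { name = "Storage Blob Data Owner", RoleId = "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" },
        new Role() { name = "Storage Blob Data Reader", RoleId = "db58b8e5-c6ad-4a2a-8342-4190687cbf4a" }
    };

    // Get all role assignment records related to the user under the storage account scope.
    var requestUrl = BuildRoleAssignmentsUrl(subscriptionID, resourceGroup, storageAccountName, userObJId);
    RoleList result = FetchRoleAssignments(requestUrl, adminAccessToken);

    Console.WriteLine("User has permission to access containers:");
    PrintContainerAccess(result, destRoles);
}

/// <summary>
/// Path prefix that precedes the container name in the ARM scope of a container-level
/// role assignment.
/// </summary>
const string ContainerScopeMarker = "/blobServices/default/containers/";

/// <summary>
/// Builds the ARM URL that lists the role assignments of one principal under a storage account.
/// </summary>
/// <param name="subscriptionId">Subscription that contains the storage account.</param>
/// <param name="resourceGroup">Resource group that contains the storage account.</param>
/// <param name="storageAccountName">Name of the storage account.</param>
/// <param name="principalObjectId">Azure AD object ID of the user to look up.</param>
/// <returns>The absolute request URL.</returns>
static string BuildRoleAssignmentsUrl(string subscriptionId, string resourceGroup, string storageAccountName, string principalObjectId)
{
    // Every caller-supplied value is escaped before it is placed in the path or in the
    // OData filter, so a malformed ID cannot change the shape of the request.
    return "https://management.azure.com/subscriptions/" + Uri.EscapeDataString(subscriptionId)
        + "/resourceGroups/" + Uri.EscapeDataString(resourceGroup)
        + "/providers/Microsoft.Storage/storageAccounts/" + Uri.EscapeDataString(storageAccountName)
        + "/providers/Microsoft.Authorization/roleAssignments"
        + "?$filter=principalId eq '" + Uri.EscapeDataString(principalObjectId) + "'"
        + "&api-version=2020-04-01-preview";
}

/// <summary>
/// Calls the Azure Management API with a bearer token and deserializes the JSON response.
/// </summary>
/// <param name="requestUrl">URL produced by <see cref="BuildRoleAssignmentsUrl"/>.</param>
/// <param name="accessToken">Management API access token (sent as a Bearer token).</param>
/// <returns>The deserialized role assignment list; may be null if the body is empty.</returns>
/// <exception cref="WebException">Raised by the request on a non-success HTTP status,
/// e.g. 401/403 when the token is not allowed to read role assignments.</exception>
static RoleList FetchRoleAssignments(string requestUrl, string accessToken)
{
    WebRequest request = WebRequest.Create(requestUrl);
    request.Headers.Add("Authorization", "Bearer " + accessToken);

    // using blocks release the response and reader on every path, not only on success.
    using (WebResponse response = request.GetResponse())
    using (Stream dataStream = response.GetResponseStream())
    using (StreamReader reader = new StreamReader(dataStream))
    {
        string responseFromServer = reader.ReadToEnd();
        return JsonConvert.DeserializeObject<RoleList>(responseFromServer);
    }
}

/// <summary>
/// Prints one line per assignment that carries one of <paramref name="destRoles"/>,
/// naming the container it applies to, or the wider scope it is inherited from.
/// </summary>
/// <param name="result">Role assignments returned by the Management API (may be null).</param>
/// <param name="destRoles">Roles that count as granting read access.</param>
static void PrintContainerAccess(RoleList result, List<Role> destRoles)
{
    if (result == null || result.value == null)
    {
        Console.WriteLine("No role assignments were returned.");
        return;
    }

    foreach (var roleItem in result.value)
    {
        if (roleItem == null || roleItem.properties == null)
        {
            continue;
        }
        var props = roleItem.properties;

        var destRole = destRoles.Find(x => IsRoleDefinition(props.roleDefinitionId, x.RoleId));
        if (destRole == null)
        {
            continue;
        }

        string containerName;
        if (TryGetContainerName(props.scope, out containerName))
        {
            Console.WriteLine("Container Name:" + containerName + " Role:" + destRole.name);
        }
        else
        {
            // The principalId filter also returns assignments at or above the account scope
            // (blob service, account, resource group, subscription, management group). Those
            // grant the role on every container in the account, so they must not be dropped.
            Console.WriteLine("All containers (inherited from scope " + props.scope + ") Role:" + destRole.name);
        }

        if (props.condition != null)
        {
            // An ABAC condition narrows the assignment; the role match above does not evaluate it.
            Console.WriteLine("  Note: this assignment carries a condition; effective access may be narrower.");
        }
    }
}

/// <summary>
/// True when <paramref name="roleDefinitionId"/> (the full ARM ID of a role definition,
/// ending in its GUID, or a bare GUID) refers to the role <paramref name="roleGuid"/>.
/// </summary>
static bool IsRoleDefinition(string roleDefinitionId, string roleGuid)
{
    if (string.IsNullOrEmpty(roleDefinitionId) || string.IsNullOrEmpty(roleGuid))
    {
        return false;
    }
    // Compare the trailing GUID segment only: a plain Contains would also match a GUID that
    // merely appears elsewhere in the ID, and GUID casing is not guaranteed by the service.
    return roleDefinitionId.EndsWith("/" + roleGuid, StringComparison.OrdinalIgnoreCase)
        || roleDefinitionId.Equals(roleGuid, StringComparison.OrdinalIgnoreCase);
}

/// <summary>
/// Extracts the container name from the ARM scope of a container-level role assignment.
/// </summary>
/// <param name="scope">The assignment's scope (an ARM resource ID).</param>
/// <param name="containerName">The container name when the scope is a container; otherwise null.</param>
/// <returns>True when <paramref name="scope"/> identifies exactly one blob container.</returns>
static bool TryGetContainerName(string scope, out string containerName)
{
    containerName = null;
    if (string.IsNullOrEmpty(scope))
    {
        return false;
    }
    // Anchor on the full ".../blobServices/default/containers/" segment instead of the bare
    // word "containers", which could also appear inside an account or resource group name.
    int index = scope.IndexOf(ContainerScopeMarker, StringComparison.OrdinalIgnoreCase);
    if (index < 0)
    {
        return false;
    }
    string name = scope.Substring(index + ContainerScopeMarker.Length);
    // A container scope ends with the container name; anything deeper is not a container.
    if (name.Length == 0 || name.IndexOf('/') >= 0)
    {
        return false;
    }
    containerName = name;
    return true;
}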
/// <summary>
/// A built-in Azure role that the program treats as granting blob read access.
/// </summary>
public class Role
{
    /// <summary>GUID of the role definition (the last segment of its ARM roleDefinitionId).</summary>
    public string RoleId { get; set; }

    /// <summary>Display name of the role, used only in the console output.</summary>
    public string name { get; set; }
}
/// <summary>
/// The "properties" object of one role assignment as returned by the Azure Management API.
/// Property names match the JSON field names so the default deserializer maps them.
/// </summary>
public class Properties
{
    // What was granted, and to whom.
    /// <summary>ARM ID of the assigned role definition.</summary>
    public string roleDefinitionId { get; set; }
    /// <summary>Object ID of the principal the role is assigned to.</summary>
    public string principalId { get; set; }
    /// <summary>Kind of principal (as reported by the API).</summary>
    public string principalType { get; set; }
    /// <summary>ARM resource ID at which the assignment applies.</summary>
    public string scope { get; set; }

    // Optional ABAC condition that restricts the assignment; null when unconditional.
    public object condition { get; set; }
    public object conditionVersion { get; set; }

    // Audit fields.
    public DateTime createdOn { get; set; }
    public DateTime updatedOn { get; set; }
    public string createdBy { get; set; }
    public string updatedBy { get; set; }

    // Rarely populated fields, kept as object so any JSON value deserializes.
    public object delegatedManagedIdentityResourceId { get; set; }
    public object description { get; set; }
}
/// <summary>
/// One entry of the role assignment list returned by the Azure Management API.
/// (The class name keeps the original spelling because callers refer to it.)
/// </summary>
public class RoleDetils
{
    /// <summary>ARM resource ID of the role assignment itself.</summary>
    public string id { get; set; }
    /// <summary>Assignment name (the GUID segment of <see cref="id"/>).</summary>
    public string name { get; set; }
    /// <summary>ARM resource type of the assignment.</summary>
    public string type { get; set; }
    /// <summary>Details of the assignment: role, principal, scope.</summary>
    public Properties properties { get; set; }
}
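/// <summary>
/// Top-level shape of the role assignment list response: a JSON object with a "value" array.
/// </summary>
public class RoleList
{
    /// <summary>
    /// Starts with an empty list so that a response without a "value" array deserializes to
    /// an enumerable collection instead of null.
    /// </summary>
    public RoleList()
    {
        value = new List<RoleDetils>();
    }

    /// <summary>The role assignments returned by the API.</summary>
    public List<RoleDetils> value { get; set; }
}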
}
}