
List containers a user has access to in Azure storage

Given an access token that allows me access to an Azure storage account (so I can read/write blobs on behalf of a user), I would also like to be able to discover all the containers the user has read/write access to in the storage account.

Is there a way in C# to get a list of these containers? I know that there is a general way to get a list of all containers (for example, https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-containers-list?tabs=dotnet ), but the user would need read access on the storage account for this, and I just want to find the containers the user has access to.

Per my understanding, you are using Azure AD auth to protect your blob containers, and you want to get a list of the containers that a user has read access to.

Basically, a user with one of the roles Storage Blob Data Contributor, Storage Blob Data Owner or Storage Blob Data Reader on a container will have read access. See the details here.

So we just need to check, under a storage account scope, whether this user is granted any one of these 3 roles. We can do it via the Azure Management API; just refer to the console application code below:

using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;

namespace AzureRoleTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var subscriptionID = "<your subscription ID>";
            var userObjId = "<user Object ID>";
            var storageAccountName = "<storage Account name>";
            var resourceGroup = "<resource group name>";

            // Token for the Azure Resource Manager (management plane), not the storage data plane.
            var adminAccessToken = "<access token to call Azure management API>";

            // Built-in data-plane roles that grant read access to blob containers.
            List<Role> destRoles = new List<Role>();
            destRoles.Add(new Role() { name = "Storage Blob Data Contributor", RoleId = "ba92f5b4-2d11-453d-a403-e96b0029c9fe" });
            destRoles.Add(new Role() { name = "Storage Blob Data Owner", RoleId = "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" });
            destRoles.Add(new Role() { name = "Storage Blob Data Reader", RoleId = "db58b8e5-c6ad-4a2a-8342-4190687cbf4a" });

            // Get all role assignment records related to the user under the storage account.
            var requestUrl = @"https://management.azure.com/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroup + "/providers/Microsoft.Storage/storageAccounts/" + storageAccountName + "/providers/Microsoft.Authorization/roleAssignments?$filter=principalId eq '" + userObjId + "'&api-version=2020-04-01-preview";
            WebRequest request = WebRequest.Create(requestUrl);
            request.Headers.Add("Authorization", "Bearer " + adminAccessToken);

            using (WebResponse response = request.GetResponse())
            using (Stream dataStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(dataStream))
            {
                // Read the whole JSON body.
                string responseFromServer = reader.ReadToEnd();

                var result = JsonConvert.DeserializeObject<RoleList>(responseFromServer);

                Console.WriteLine("User has permission to access containers:");
                // Keep only assignments of one of the three data roles whose scope is a container.
                foreach (var roleItem in result.value)
                {
                    var destRole = destRoles.Find(x => roleItem.properties.roleDefinitionId.Contains(x.RoleId) && roleItem.properties.scope.Contains("containers"));
                    if (destRole != null)
                    {
                        // The container name is the last segment of the assignment scope.
                        Console.WriteLine("Container Name:" + roleItem.properties.scope.Substring(roleItem.properties.scope.LastIndexOf("/") + 1) + " Role:" + destRole.name);
                    }
                }
            }
        }

        public class Role
        {
            public string name { get; set; }
            public string RoleId { get; set; }
        }

        // Shape of the "properties" object in a role assignment record.
        public class Properties
        {
            public string roleDefinitionId { get; set; }
            public string principalId { get; set; }
            public string principalType { get; set; }
            public string scope { get; set; }
            public object condition { get; set; }
            public object conditionVersion { get; set; }
            public DateTime createdOn { get; set; }
            public DateTime updatedOn { get; set; }
            public string createdBy { get; set; }
            public string updatedBy { get; set; }
            public object delegatedManagedIdentityResourceId { get; set; }
            public object description { get; set; }
        }

        public class RoleDetails
        {
            public Properties properties { get; set; }
            public string id { get; set; }
            public string type { get; set; }
            public string name { get; set; }
        }

        public class RoleList
        {
            public List<RoleDetails> value { get; set; }
        }
    }
}

Result: (screenshot of the console output)
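As an added example (not the answerer's code), this resolves the role-assignment list into effective container access: an assignment of one of the three data roles at the storage account, resource group or subscription scope applies to every container, which a filter on container-scoped assignments alone would miss. The sample JSON is constructed; the role definition IDs are the ones quoted in the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;

public static class EffectiveAccess
{
    // Built-in data-plane role definition IDs (same values as in the answer above).
    static readonly Dictionary<string, string> DataRoles = new Dictionary<string, string>
    {
        ["ba92f5b4-2d11-453d-a403-e96b0029c9fe"] = "Storage Blob Data Contributor",
        ["2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"] = "Storage Blob Data Owner",
        ["db58b8e5-c6ad-4a2a-8342-4190687cbf4a"] = "Storage Blob Data Reader",
    };

    class Props { public string roleDefinitionId { get; set; } public string scope { get; set; } }
    class Assignment { public Props properties { get; set; } }
    class AssignmentList { public List<Assignment> value { get; set; } }

    // Returns container name -> role names. The key "*" means the role applies to all
    // containers, because the assignment scope is the storage account or wider.
    public static Dictionary<string, HashSet<string>> Resolve(string json)
    {
        var list = JsonConvert.DeserializeObject<AssignmentList>(json);
        var access = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
        const string marker = "/blobServices/default/containers/";
        foreach (var a in list.value)
        {
            // roleDefinitionId ends with ".../roleDefinitions/<guid>"
            var roleId = a.properties.roleDefinitionId.Split('/').Last();
            if (!DataRoles.TryGetValue(roleId, out var roleName)) continue; // not a data-plane role

            // Container scopes look like .../storageAccounts/<acct>/blobServices/default/containers/<name>
            var idx = a.properties.scope.IndexOf(marker, StringComparison.OrdinalIgnoreCase);
            var container = idx >= 0 ? a.properties.scope.Substring(idx + marker.Length).Split('/')[0] : "*";

            if (!access.TryGetValue(container, out var roles)) access[container] = roles = new HashSet<string>();
            roles.Add(roleName);
        }
        return access;
    }

    public static void Main()
    {
        // Constructed sample: Reader on the whole account, Contributor on the container "logs".
        const string sample = @"{""value"":[
 {""properties"":{""roleDefinitionId"":""/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a"",""scope"":""/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1""}},
 {""properties"":{""roleDefinitionId"":""/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe"",""scope"":""/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1/blobServices/default/containers/logs""}}]}";
        foreach (var kv in Resolve(sample))
            Console.WriteLine($"{kv.Key}: {string.Join(", ", kv.Value)}");
    }
}
```

For the sample it reports "*: Storage Blob Data Reader" and "logs: Storage Blob Data Contributor"; a "*" entry means the user can read every container in the account, so enumerate them with the ordinary container-listing call rather than from the assignment scopes.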
