Access to Azure blobs from Azure Function by using Managed Identity


How to grant access to the blob files available on the Azure Storage Account without providing a SAS token nor Access Key?

In some cases, it might be helpful, especially when access to the Azure Storage Account is available via Managed Instance.  In that case, we don't want to use any secrets provided explicitly. 

In fact, we still want to use the SAS token behind the scene, but generated on-the-fly, with a very short lifetime.  Each SAS token requires to be built based on the Access Key. We may want to use one of 2 access keys provided by the Storage Accounts, but it's not a good option as we don't want to deal with them.  Azure lets us generate a temporary access key, based on our credentials, and then use it to generate a SAS token.


In that case, we need to:
  1. Create a Storage Account
  2. Create Azure Function App 
  3. Assign the Storage Blob Delegator (or Storage Blob Data Owner) role to the Manage Identity of the Function App. The action needs to be performed against the Storage Account (Access Control (IAM))

The function sample may look like below. Once deployed, you will be able to get the payload of the sample.txt, without providing any extra tokes (SAS/Access key).

https://{function app name}.azurewebsites.net/api/{function name}?code={function code}

Useful links:

import logging
import azure.functions as func
from datetime
import datetime, timedelta
from azure.identity import DefaultAzureCredential
from azure.storage.blob  import (
    BlobClient,
    BlobSasPermissions,
    BlobServiceClient,
    generate_blob_sas
)

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')


    storage_acct_name = 'whaisa'
    container_name = 'mycontainer'
    blob_name  = 'sample.txt'

    account_url = f'https://{storage_acct_name}.blob.core.windows.net'
       
    credential = DefaultAzureCredential()
   
    client = BlobServiceClient(account_url, credential=credential)

    key_start_time = datetime.utcnow() - timedelta(hours=1)
    key_expiry_time = datetime.utcnow() + timedelta(hours=1)
    udk = client.get_user_delegation_key(key_start_time, key_expiry_time)

    sas_token = generate_blob_sas(account_name=storage_acct_name,
                                    container_name=container_name,
                                    blob_name=blob_name,
                                    account_key= udk,
                                    permission=BlobSasPermissions(read=True),
                                    expiry=key_expiry_time)

    sas_url = (
        f'{account_url}/{container_name}/{blob_name}?{sas_token}'
    )

    blob_client = BlobClient.from_blob_url(sas_url)
    blob_data = blob_client.download_blob(encoding='UTF-8')
    data = blob_data.readall()
   
    return func.HttpResponse(
            data,
            status_code=200
    )


Comments

Post a Comment

Popular posts from this blog

Podman using Ubuntu WSL2

Image
The Docker Desktop for Windows is no longer free for commercial usage, or at least in many cases. If your local development environment is Windows, and you're looking for an alternative, this article is for you. "Docker Desktop remains free for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open-source projects.". Unfortunately, containerization is a foundation of most enterprise-level projects these days, which size causes the licence issue.  The commercial doesn't cost an arm and leg, even though it builds unnecessary concern and limitations. Even if you use the WSL2 Linux image, you need to use the docker engine, which is a part of the Docker Desktop for Windows. Podman as Docker And here is the beautiful moment when Podman comes into the play. It's a root-less and demon-less solution, fully compatible with docker. If you have been ever concerned about the demon working in the...
Read more

Automatization of test cases in SCRUM

Image
Test case automation may bring many benefits for the application/system QA process, but it's not always obvious how to introduce an implementation of the test cases into SCRUM flow.  The SCRUM methodology defines the number of PBIs (product increments) for prioritization and planning, as a part of the SCRUM process. Those could be user stories or enablers , sometimes bugs . Each of the PBIs needs to be estimated and confirmed by a scrum team before it's added into a sprint scope (sprint backlog). The question would be: How to plan the effort for the implementation of automation tests, as those are not the PBIs per se? Test Case is not a PBI In the strategy proven in one of my projects, a test case is an output (product) of the delivery, just like an ordinary artifact. Typically, it's a part of a testing suite. It needs to be created, maintained, and placed into a repository (see: Azure DevOps ). Once prepared, we can start working on the automation of the test case. Bo...
Read more

Azure Synapse - first contact

Image
Despite the fact I've spent the last two years working with Microsoft Azure cloud tech stack, I didn't have a chance working with Azure Synapse yet. Finally I've met this guy. The first impression is very good. Azure Synapse Workspace To create the first Azure Synapse you need to create an  Azure Synapse Workspace . If you are already familiar with Azure you may already know Azure Log Analitycs Workspace to examine logs and operation of your applications and resources. Here is the same. Workspace is created within the Azure resource group, building a landing page for its settings, analytic pools, security, and monitoring aspects. Azure Synapse Workspace will require a storage account to be created/selected under-the-hood. A storage account will be used to build Azure Data Lake Storage Gen2 for the files you will manage by yourself (sample data for processing) or by the Azure Synapse itself (ex. PySpark trained models will be saved here as well).  The better place to deal...
Read more