Thursday 4 June 2020

Access Azure Blob using Managed Identity



This article walks through the steps to access Azure Blob Storage from a Logic App using a managed identity.

Prerequisites.

  1. A Logic App, in the same region as the Azure Blob Storage or in a different one.
  2. Azure Blob Storage with public access set to "Private (no anonymous access)".
     This property can be modified even after the blob has been created.

Please refer to this link for more information on Blob storage: https://docs.microsoft.com/en-us/azure/storage/blobs/

                

Before we create the Logic App, here is a brief introduction to managed identities.
Managed identities for Azure resources is a feature of Azure Active Directory (Azure AD). The feature provides Azure services with
an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports
Azure AD authentication, including Key Vault, without any credentials in your code.


There are two types of managed identities:

  • A system-assigned managed identity is enabled directly on an Azure service instance.
    When the identity is enabled, Azure creates an identity for the instance in the Azure
    AD tenant that's trusted by the subscription of the instance.
    After the identity is created, the credentials are provisioned onto the instance.
    The life cycle of a system-assigned identity is directly tied to the Azure service
    instance that it's enabled on. If the instance is deleted, Azure automatically cleans up
    the credentials and the identity in Azure AD.

    In our case, the instance is the Logic App.

  • A user-assigned managed identity is created as a standalone Azure resource.
    Through a create process, Azure creates an identity in the Azure AD tenant that's trusted
    by the subscription in use. After the identity is created,
    the identity can be assigned to one or more Azure service instances.

    The life cycle of a user-assigned identity is managed separately from the life cycle of
    the Azure service instances to which it's assigned.

Enable system-assigned identity in Azure portal

  1. In the Azure portal, open your logic app in Logic App Designer.
  2. On the logic app menu, under Settings, select Identity.
  3. Select System assigned > On > Save. When Azure prompts you to confirm, select Yes.
  4. Assign the managed identity access to the Blob storage using the Azure portal:
     a. Select Access control (IAM) > Role assignments, where you can review the current role
        assignments for that resource. On the toolbar, select Add > Add role assignment.
     b. Select Role as "Storage Blob Data Contributor", Assign access to as "Azure AD user,
        group or service principal", and select the Logic App on which you enabled the
        system-assigned managed identity.


                      

                      

You should now see the Logic App listed with the Storage Blob Data Contributor role on the Role assignments blade.

                   


Now let's design the Logic App to get the content of the blob.


  1. Create the Logic App resource, either in the same region as the Blob Storage or in a different region.
  2. Choose the Recurrence template, or choose the Recurrence trigger.
  3. Next, add the HTTP action. The HTTP action supports system-assigned managed identity.
     The Blob connector does not offer the managed identity feature yet; it may be supported
     in the future, so we use the HTTP action for now.
     In the HTTP action, choose:

       Method: GET
       URI: the blob URI (it can be found in the properties of the blob). This can also be passed dynamically.
       Headers:
         x-ms-blob-type: BlockBlob (the kind of blob we are accessing)
         x-ms-version: 2019-02-02 (the latest supported API version)
       Authentication: Managed Identity
       Managed Identity: System Assigned Managed Identity
       Audience: https://storage.azure.com

           


Run the Logic App and test it.

           

You can also pass the blob file name and the container name dynamically and bind them into the HTTP URI.
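The HTTP action described above, written as a Logic App workflow definition (code view) with the storage account, container and blob names bound into the URI from parameters. This is an added example, not taken from the original article. The parameter names, their placeholder default values, the action name and the hourly recurrence are assumptions.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "storageAccountName": {
        "type": "String",
        "defaultValue": "examplestorageacct",
        "metadata": { "description": "Placeholder value, replace with your storage account" }
      },
      "containerName": {
        "type": "String",
        "defaultValue": "example-container",
        "metadata": { "description": "Placeholder value, replace with your container" }
      },
      "blobName": {
        "type": "String",
        "defaultValue": "example.txt",
        "metadata": { "description": "Placeholder value, replace with your blob" }
      }
    },
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": { "frequency": "Hour", "interval": 1 }
      }
    },
    "actions": {
      "Get_blob_content": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://@{parameters('storageAccountName')}.blob.core.windows.net/@{parameters('containerName')}/@{parameters('blobName')}",
          "headers": {
            "x-ms-blob-type": "BlockBlob",
            "x-ms-version": "2019-02-02"
          },
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://storage.azure.com"
          }
        }
      }
    },
    "outputs": {}
  }
}
```

This action only issues a GET, so the built-in Storage Blob Data Reader role is enough for it; the Storage Blob Data Contributor role assigned in the steps above also allows writes and deletes. When the container and blob names come from run-time input, assigning the role at the container scope rather than on the whole storage account limits what the URI can reach.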

That is all there is to accessing an Azure Blob behind a firewall from a Logic App using a system-assigned identity.
Note: We can access the Blob behind the firewall irrespective of the regions (whether they are the same or different).


Thanks for going through this article. Hope you enjoyed it!

