This article walks through the steps to access an Azure Storage blob from a Logic App using Managed Identity.
Prerequisites:
- A Logic App in the same or a different region as the Azure Blob Storage account.
- An Azure Storage blob with public access set to "Private (no anonymous access)". This property can be modified even after the blob has been created.
Please refer to this link for more information on Blob storage: https://docs.microsoft.com/en-us/azure/storage/blobs/
Before we create the Logic App, let me briefly explain Managed Identity.
Managed identities for Azure resources is a feature of Azure Active Directory (Azure AD). The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
There are two types of managed identities:
- A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The life cycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD. In our case the instance is the Logic App.
- A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, it can be assigned to one or more Azure service instances. The life cycle of a user-assigned identity is managed separately from the life cycle of the Azure service instances to which it's assigned.
Enable system-assigned identity in the Azure portal
- In the Azure portal, open your logic app in Logic App Designer.
- On the logic app menu, under Settings, select Identity.
- Select System assigned > On > Save. When Azure prompts you to confirm, select Yes.
- Assign access for the Managed Identity to the Blob using the Azure portal:
  a. Select Access control (IAM) > Role assignments, where you can review the current role assignments for that resource. On the toolbar, select Add > Add role assignment.
  b. Select the Role "Storage Blob Data Contributor", set "Assign access to" as "Azure AD user, group or service principal", and select the Logic App on which you enabled the system-assigned Managed Identity.
Now you will be able to see the Logic App listed with Storage Blob Data Contributor under the Role assignments blade.
Now let's design the Logic App to get the content of the blob.
- Create the Logic App resource either in the same region as the Blob Storage or in a different region.
- Choose the Recurrence template (or you can choose the Recurrence trigger directly), then add the Http action. The Http action supports System Assigned Managed Identity.
The Blob connector may support the Managed Identity feature in future; currently this feature is not delivered yet, so we can use the Http action for now.
In the Http action, choose:
- Method: GET
- URI: the blob URI (can be found in the properties of the blob). This can even be passed dynamically.
- Headers:
  - x-ms-blob-type: BlockBlob (the kind of blob we are accessing)
  - x-ms-version: 2019-02-02 (the latest supported API version)
- Authentication: Managed Identity
- Managed Identity: System Assigned Managed Identity
- Audience: https://storage.azure.com
Please give it a run and test it.
You can also dynamically pass the blob file name as well as the container name and bind them in the Http URI.
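The same Http action expressed as a Logic App workflow definition, added here as an illustration and not taken from the original article. `<storage-account>` is a placeholder for your storage account name, and the `containerName` and `blobName` parameters are constructed to show the dynamic URI binding described above.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "containerName": { "type": "String", "defaultValue": "mycontainer" },
    "blobName": { "type": "String", "defaultValue": "data.json" }
  },
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Day", "interval": 1 }
    }
  },
  "actions": {
    "Get_blob_content": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "GET",
        "uri": "https://<storage-account>.blob.core.windows.net/@{parameters('containerName')}/@{parameters('blobName')}",
        "headers": {
          "x-ms-blob-type": "BlockBlob",
          "x-ms-version": "2019-02-02"
        },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://storage.azure.com"
        }
      }
    }
  },
  "outputs": {}
}
```

No key, SAS token or connection string appears anywhere in the definition; the token is requested at run time for the audience shown. If the Storage Blob Data Contributor assignment from the previous section is missing, the storage service rejects the call with an HTTP 403.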
This is all about accessing an Azure Blob behind a firewall from a Logic App using a system-assigned identity.
Note: We can access the Blob behind the firewall irrespective of the regions (whether the same or different).
Thanks for going through this article. Hope you enjoyed it!