Microsoft Azure Blob Storage Permissions

Configuring Azure Blob Storage permissions establishes secure access between Publisher and your Azure storage resources. These permissions define how Publisher can interact with your storage accounts using service principals and role assignments, ensuring controlled access to your data.

This guide covers the core concepts and minimal configuration needed to connect Publisher to Azure Blob Storage, including credential creation and access management.

Concepts

  1. Service Principal (SP): This is an identity created for use with applications, hosted services, and automated tools to access Azure resources. Each SP has a unique ID and can be assigned roles to grant permissions.

  2. Storage Account: This container houses a set of Azure Storage services, including Blob Storage. It provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS.

  3. Permission: These are granular actions that a user or service principal can perform on a given resource. Examples include read, write, delete, and list operations on blobs.

  4. Role: A collection of permissions typically needed for specific interactions against one or more resources. Examples include "Storage Blob Data Reader", "Storage Blob Data Contributor", and "Storage Blob Data Owner".

  5. Resource Group: A container that holds related resources for an Azure solution. The resource group can include all the resources for the solution or only those you want to manage as a group.

  6. Subscription: An Azure subscription is a logical container used for provisioning resources in Azure. It holds the details of all your resources, such as virtual machines (VMs), databases, and more.

Minimal Configuration

To perform these operations, you must be logged in to Azure with an account that has administrative rights on the target storage account (for example, the rights needed to list its keys and to create role assignments).

This setup represents the minimal permissions needed to connect Publisher to an Azure Blob Storage container.

Getting Credentials to Storage Account

Create a new Service Principal in any Resource Group

# List both access keys of the storage account. These keys grant full access to the
# whole account, so treat the output as a secret and prefer a scoped role assignment
# for Publisher where possible.
az storage account keys list \
  --resource-group "${RESOURCE_GROUP}" \
  --account-name "${STORAGE_ACCOUNT}" \
  --query "[].{Key:keyName, Value:value}" \
  --output table
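As an added example that is not part of the Publisher documentation, the following az CLI script creates a service principal for Publisher and grants it a single blob data role from the Concepts section, scoped to one storage account or one container, instead of handing it an account key. SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT and CONTAINER are caller-supplied placeholders, and the blob_scope, role_for and create_scoped_sp functions are this example's own.

```shell
# Added example, not from the Publisher documentation. Assumes an az CLI session
# that may create service principals and role assignments; SUBSCRIPTION_ID,
# RESOURCE_GROUP, STORAGE_ACCOUNT and CONTAINER are caller-supplied placeholders.
set -eu

# ARM resource ID used as the role-assignment scope: the whole storage account,
# or a single container when one is given (the narrowest scope the blob data
# roles support, so use it when Publisher only touches one container).
blob_scope() {
  sub="$1"; rg="$2"; account="$3"; container="${4:-}"
  scope="/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.Storage/storageAccounts/${account}"
  [ -z "$container" ] || scope="${scope}/blobServices/default/containers/${container}"
  printf '%s' "$scope"
}

# Map the access Publisher needs onto the least-privileged built-in role named in
# the Concepts section; anything else is rejected rather than falling back to Owner.
role_for() {
  case "$1" in
    read)  printf '%s' "Storage Blob Data Reader" ;;
    write) printf '%s' "Storage Blob Data Contributor" ;;
    *)     printf 'unsupported access level: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Create the service principal, keep its one-time secret in a 0600 file, and
# assign exactly one role on exactly one scope.
create_scoped_sp() {
  sp_name="$1"; level="$2"; scope="$3"; creds_file="$4"
  role="$(role_for "$level")"
  # The JSON (appId, password, tenant) is what Publisher needs; never echo it to a log.
  (umask 077; az ad sp create-for-rbac --name "$sp_name" --output json > "$creds_file")
  app_id="$(az ad sp list --display-name "$sp_name" --query "[0].appId" --output tsv)"
  # A new principal can take a moment to replicate, so retry the assignment briefly.
  n=0
  until az role assignment create --assignee "$app_id" --role "$role" --scope "$scope" --output none; do
    n=$((n + 1)); [ "$n" -lt 6 ] || return 1; sleep 10
  done
  # Confirm the principal holds only the role intended and nothing at a wider scope.
  az role assignment list --assignee "$app_id" --all \
    --query "[].{role:roleDefinitionName, scope:scope}" --output table
}

# Usage: sh this_script.sh publisher-sp read "$(blob_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")" ./publisher-sp.json
if [ "$#" -eq 4 ]; then
  create_scoped_sp "$@"
fi
```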
