storage account Archives

Posted on March 25, 2024March 25, 2024 by geralexgr — Leave a comment

Connect to Azure resources with Managed Identity – Storage account example

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

There are two types of managed identities:

System Assigned
User assigned

You can learn more about how managed identity works from the below guide.

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

On a previous article I have documented how managed identity can be used inside an azure web app.

Connect to Azure resources with Managed Identity – Azure Web app container example

In this demonstration we will examine how we can use managed identity to authenticate with a storage account from a .NET application. This is very useful when dealing with security as we eliminate access to specific resources and we do not have to manage passwords in the code.

In order to implement Managed Identity it should be supported for the specific resource. This example is an ASP .NET web app that is deployed on a app service and uses managed Identity to communicate with a storage account and get blob data or information.

Firstly the managed identity object should be enabled on the web app. This means that you enable the web app to request when needed managed identity authentication from Azure AD.

Then you will need to enable the specific role that is required on the identity resource. As you can see from the image, I assigned the Storage Blob Data Reader, as I only need to perform read actions (least privilege) on the dotnet-testmi identity which is identified by azure with the App Service Label. When you enable the managed identity on a resource it will connect with an object ID which is then the identified on the whole azure portal. You can search later on with this ID or the name of the resource from the IAM of the destination resource. This means that you have to assign the permissions on the Blob Container of the Storage account that you need to access through code.

Finally you you will need to use Managed Identity Authentication in your code.

In this example two libraries are needed in order to interact with the storage account using managed identity. First the Azure.identity which includes Managed Identity Authentication and also Azure.Storage library.

https://www.nuget.org/packages/Azure.Identity 
https://www.nuget.org/packages/Azure.Storage.Blobs

Authenticate using Managed Identity instead of a connection string

BlobContainerClient client = new BlobContainerClient(new Uri($"https://NAME.blob.core.windows.net/testing"), new ManagedIdentityCredential());

Authentication using connection string

BlobContainerClient client = new BlobContainerClient("connectionString","testing");

When creating a blank ASP .NET application you will have a WeatherController built by default to start experimenting. The code for this example is added there for the case of simplicity and you can find it below.

using Azure.Storage.Blobs.Models;
using Azure.Storage.Blobs;
using Azure;
using Microsoft.AspNetCore.Mvc;
using Azure.Identity;

namespace WebApplication1.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class WeatherForecastController : ControllerBase
    {

        private readonly ILogger<WeatherForecastController> _logger;

        private static List<string> _blobList;
        public WeatherForecastController(ILogger<WeatherForecastController> logger)
        {
            _logger = logger;
        }

        [HttpGet(Name = "GetWeatherForecast")]
        public IEnumerable<string> Get()
        {
         BlobContainerClient client = new BlobContainerClient(new Uri($"https://NAME.blob.core.windows.net/testing"), new ManagedIdentityCredential());

            ListBlobsFlatListing(client, 1).GetAwaiter().GetResult();
            return _blobList.ToArray();
        }


        private static async Task ListBlobsFlatListing(BlobContainerClient blobContainerClient,
                                               int? segmentSize)
        {
            try
            {
                _blobList = new List<string>();
                // Call the listing operation and return pages of the specified size.
                var resultSegment = blobContainerClient.GetBlobsAsync()
                    .AsPages(default, segmentSize);

                // Enumerate the blobs returned for each page.
                await foreach (Page<BlobItem> blobPage in resultSegment)
                {
                    foreach (BlobItem blobItem in blobPage.Values)
                    {
                        Console.WriteLine("Blob name: {0}", blobItem.Name);
                        _blobList.Add(blobItem.Name);
                    }

                    Console.WriteLine();
                }
            }
            catch (RequestFailedException e)
            {
                Console.WriteLine(e.Message);
                Console.ReadLine();
                throw;
            }
        }


    }
}

Posted on May 25, 2023May 25, 2023 by geralexgr — Leave a comment

ListBlob data from Storage account with Managed Identity – SDK for NET

There are many way to interact with a storage account in Azure. The first and easiest way would be to use a connection string which acts as credentials. However this approach does not follow best practices as you will need to hard code credentials or pass them as a parameter in your application. Based on the well architected framework the most reliable and secure way to communicate between resources in Azure would be the managed Identity and you can read more about how it works in the below URL.

Managed identities for Azure resources – Microsoft Entra | Microsoft Learn

The code provided in this article can be used to authenticate with Managed Identity in a storage account. Given that you have already provided the necessary RBAC between your services, you can use the below example code to list blobs in a storage account.

private static async Task ListBlobsFlatListing(BlobContainerClient blobContainerClient, 
                                               int? segmentSize)
{
    try
    {
        // Call the listing operation and return pages of the specified size.
        var resultSegment = blobContainerClient.GetBlobsAsync()
            .AsPages(default, segmentSize);

        // Enumerate the blobs returned for each page.
        await foreach (Page<BlobItem> blobPage in resultSegment)
        {
            foreach (BlobItem blobItem in blobPage.Values)
            {
                Console.WriteLine("Blob name: {0}", blobItem.Name);
            }

            Console.WriteLine();
        }
    }
    catch (RequestFailedException e)
    {
        Console.WriteLine(e.Message);
        Console.ReadLine();
        throw;
    }
}

https://learn.microsoft.com/en-us/azure/storage/blobs /storage-blobs-list

In order to authenticate with MI you will need to create a new BlobContainerClient with your storage-account-name and pass in the parameters the ManagedIdentity as the credentials method. Then you will be able to use your ListBlob function that is provided from Microsoft using the client previously created.

         BlobContainerClient client = new BlobContainerClient(new Uri($"https://storage-account-name.blob.core.windows.net/testing"), new ManagedIdentityCredential());

ListBlobsFlatListing(client, 1).GetAwaiter().GetResult();

After these steps you will be able to fetch data using Managed identity instead of classic authentication.

Posted on February 21, 2023February 21, 2023 by geralexgr — Leave a comment

Get blob files from azure storage account using python

You can use python SDK in order to retrieve blob files from a storage account on azure. First you will need to get your connection string for the storage account from the access keys section.

Then you can execute the below python code.

	import os, uuid
	from azure.identity import DefaultAzureCredential
	from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient

	connection_string = "CONNECTION_STRING"
	service = BlobServiceClient.from_connection_string(connection_string)

	try:
	account_info = service.get_account_information()
	print('Using Storage SKU: {}'.format(account_info['sku_name']))
	container_client = service.get_container_client("files")
	try:
	for blob in container_client.list_blobs():
	print("Found blob: ", blob.name)
	except ResourceNotFoundError:
	print("Container not found.")

	except Exception as ex:
	print('Exception:')
	print(ex)

view raw azure-storage-get-blobs-python hosted with ❤ by GitHub

As seen from the screenshots, I have a container named files

And inside the container I have a test.txt file.

By running the python script (in my case I added on a container) you will get the files inside the blob container.

Quickstart: Azure Blob Storage client library for Python – Azure Storage | Microsoft Learn

Posted on July 14, 2022July 16, 2022 by geralexgr — Leave a comment

Download and upload files on Blob storage using Azure DevOps

For some data processing scenarios I had to create an automation that would download some files from a storage account, perform actions on them (python, custom tools) and lastly upload the processed files again in the storage account.

A high level diagram is visible below:

In order to automate this scenario I used a custom devops agent on azure devops and assigned a managed identity on this agent (virtual machine) on the storage account in order to interact with it without using credentials.

Then I only used powershell and az cli to download and upload the files on the storage account.

The three pipeline tasks that are required to perform the upload, processing, download actions can be found below.

The json object is used to download a specific file based on the requirements for example the first entry on chronological order. This is why the sort-object -descending is used.

trigger:
- none

pool: mypool

steps:

- task: PowerShell@2
  displayName: download file from blob storage
  inputs:
    targetType: 'inline'
    script: |
      az login --identity
      $json = az storage blob list --container-name blobcontainer --account-name storageaccountname --prefix "folder1/subcategory" 
--auth-mode login | ConvertFrom-Json | Sort-Object -Descending { $_.properties.lastModified }
      $filename = "custom_name"
      az storage blob download --file  "C:\devopsdir\$filename" 
--name $json[0].name --container-name blobcontainer  
--account-name storageaccountname --auth-mode login
      Write-Host "##vso[task.setvariable variable=downloadfilename]$filename"
    pwsh: true


- task: PowerShell@2
  displayName: run python commands
  inputs:
    targetType: 'inline'
    script: |
      python $(Build.SourcesDirectory)/python/something.py	

- task: PowerShell@2
  displayName: upload file to storage account
  inputs:
    targetType: 'inline'
    script: |
      $name = "$(downloadfilename)" + "_" + (get-date -format "yyyyMMdd") 
      az storage blob upload --file "C:\devopsdir\$name" --name "folder1/subcategory/$name" --container-name blobcontainer  --account-name storageaccountname --auth-mode login

The result will be then uploaded on the storage account.