GeralexGR

Personal blog

Tag: storage account

Posted on March 25, 2024 by geralexgr

Connect to Azure resources with Managed Identity – Storage account example

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

There are two types of managed identities:

  • System Assigned
  • User assigned

You can learn more about how managed identities work in the guide below.

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

In a previous article I documented how managed identity can be used inside an Azure web app.

Connect to Azure resources with Managed Identity – Azure Web app container example

In this demonstration we will examine how we can use managed identity to authenticate with a storage account from a .NET application. This is very useful from a security perspective, as access is limited to specific resources and we do not have to manage passwords in the code.

For managed identity to be used, it must be supported by the specific resource. This example is an ASP.NET web app that is deployed on an App Service and uses managed identity to communicate with a storage account and get blob data or information.

First, the managed identity should be enabled on the web app. This means that you allow the web app to request managed identity authentication from Azure AD when needed.

Then you will need to assign the required role to the identity on the destination resource. As you can see from the image, I assigned the Storage Blob Data Reader role, as I only need to perform read actions (least privilege), to the dotnet-testmi identity, which Azure identifies with the App Service label. When you enable the managed identity on a resource, it is associated with an object ID, which then identifies it across the whole Azure portal. You can later search by this ID or by the name of the resource in the IAM section of the destination resource. This means that you have to assign the permissions on the blob container of the storage account that you need to access through code.
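One way to verify the least-privilege assignment described above is to audit the JSON that `az role assignment list --all -o json` returns. The following is an added example, not code from the original post; the sample assignments, IDs, resource names and the helper names `scope_level` and `audit` are constructed for illustration.

```python
# Constructed sample shaped like `az role assignment list --all -o json`
# (only the fields used here); subscription, IDs and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = (SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage"
           "/storageAccounts/examplestorage")
MI = "11111111-1111-1111-1111-111111111111"  # object ID of the identity (constructed)
ASSIGNMENTS = [
    {"principalId": MI, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": ACCOUNT + "/blobServices/default/containers/testing"},
    {"principalId": MI, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": ACCOUNT},
    {"principalId": MI, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/rg-demo"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},
]

ALLOWED_ROLES = {"Storage Blob Data Reader"}  # read-only data-plane role used in the post


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    s = scope.lower()
    if "/blobservices/default/containers/" in s:
        return "container"
    if "/providers/microsoft.storage/storageaccounts/" in s:
        return "storage-account"
    if "/resourcegroups/" in s:
        return "resource-group"
    return "subscription-or-higher"


def audit(assignments, principal_id, allowed_roles=ALLOWED_ROLES):
    """Return (role, scope level, reason) for every assignment of the given
    identity that is broader than read access to a single blob container."""
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role not in allowed_roles:
            findings.append((role, level, "role is not in the allowed read-only set"))
        elif level != "container":
            findings.append((role, level, "scope is wider than a single blob container"))
    return findings


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, MI):
        print(finding)
```
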

Finally, you will need to use managed identity authentication in your code.

In this example two libraries are needed in order to interact with the storage account using managed identity: Azure.Identity, which includes managed identity authentication, and the Azure.Storage.Blobs library.

https://www.nuget.org/packages/Azure.Identity

https://www.nuget.org/packages/Azure.Storage.Blobs

Authenticate using Managed Identity instead of a connection string

BlobContainerClient client = new BlobContainerClient(new Uri($"https://NAME.blob.core.windows.net/testing"), new ManagedIdentityCredential());

Authentication using connection string

BlobContainerClient client = new BlobContainerClient("connectionString","testing");

When you create a blank ASP.NET application, a WeatherForecastController is built by default for you to start experimenting with. The code for this example is added there for the sake of simplicity, and you can find it below.

using Azure.Storage.Blobs.Models;
using Azure.Storage.Blobs;
using Azure;
using Microsoft.AspNetCore.Mvc;
using Azure.Identity;

namespace WebApplication1.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class WeatherForecastController : ControllerBase
    {

        private readonly ILogger<WeatherForecastController> _logger;

        public WeatherForecastController(ILogger<WeatherForecastController> logger)
        {
            _logger = logger;
        }

        [HttpGet(Name = "GetWeatherForecast")]
        public async Task<IEnumerable<string>> Get()
        {
            // Authenticate with the web app's managed identity; no secret is stored in code or configuration.
            BlobContainerClient client = new BlobContainerClient(new Uri($"https://NAME.blob.core.windows.net/testing"), new ManagedIdentityCredential());

            return await ListBlobsFlatListing(client, 1);
        }


        private static async Task<List<string>> ListBlobsFlatListing(BlobContainerClient blobContainerClient,
                                               int? segmentSize)
        {
            // Build the list per call: a static field would be shared between concurrent requests.
            var blobList = new List<string>();
            try
            {
                // Call the listing operation and return pages of the specified size.
                var resultSegment = blobContainerClient.GetBlobsAsync()
                    .AsPages(default, segmentSize);

                // Enumerate the blobs returned for each page.
                await foreach (Page<BlobItem> blobPage in resultSegment)
                {
                    foreach (BlobItem blobItem in blobPage.Values)
                    {
                        Console.WriteLine("Blob name: {0}", blobItem.Name);
                        blobList.Add(blobItem.Name);
                    }

                    Console.WriteLine();
                }
            }
            catch (RequestFailedException e)
            {
                // Log and rethrow; a web app has no console input to wait on.
                Console.WriteLine(e.Message);
                throw;
            }
            return blobList;
        }


    }
}
Categories: Azure, C# & .NET, Devops, Security
Tags: Azure, blob container, c#, dotnet, IAM, managed identity, RBAC, security, storage account
Posted on May 25, 2023 by geralexgr

ListBlob data from Storage account with Managed Identity – SDK for NET

There are many ways to interact with a storage account in Azure. The first and easiest way would be to use a connection string, which acts as credentials. However, this approach does not follow best practices, as you will need to hard-code credentials or pass them as a parameter in your application. Based on the Well-Architected Framework, the most reliable and secure way to communicate between resources in Azure is managed identity, and you can read more about how it works at the URL below.

Managed identities for Azure resources – Microsoft Entra | Microsoft Learn
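When moving from connection strings to managed identity, it helps to find the places where a storage credential is still hard-coded. The following is an added example, not code from the original post: it parses the `Key=Value;` connection string format and reports embedded account keys or SAS tokens without printing them. The sample files, the fake secret values and the helper names `parse` and `scan` are constructed for illustration.

```python
import re

# Constructed sample "source files"; the key and SAS values are fake placeholders.
SAMPLE_FILES = {
    "list_blobs.py": 'connection_string = "DefaultEndpointsProtocol=https;'
                     'AccountName=examplestorage;AccountKey=Tk9UX0FfUkVBTF9LRVk=;'
                     'EndpointSuffix=core.windows.net"\n',
    "appsettings.json": '{"Storage": "BlobEndpoint=https://examplestorage.blob.core.windows.net/;'
                        'SharedAccessSignature=sv=2022-11-02&sp=rl&sig=FAKEFAKEFAKE"}\n',
    "Controller.cs": 'new BlobContainerClient(new Uri("https://examplestorage.blob.core.windows.net/testing"), '
                     'new ManagedIdentityCredential());\n',
}

# One or more "Key=Value;" pairs, optionally followed by a final "Key=Value".
CANDIDATE = re.compile(r"""(?:[A-Za-z]+=[^;\s"']*;)+(?:[A-Za-z]+=[^;\s"']*)?""")

# Connection string fields that carry a secret.
SECRET_KEYS = {"AccountKey": "account key", "SharedAccessSignature": "SAS token"}


def parse(conn):
    """Split a connection string into a dict; values may themselves contain '='."""
    fields = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def scan(files):
    """Return (path, line number, credential kind, target) for each embedded secret.
    The secret value itself is never included in the result."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in CANDIDATE.finditer(line):
                fields = parse(match.group(0))
                for key, kind in SECRET_KEYS.items():
                    if fields.get(key):
                        target = fields.get("AccountName") or fields.get("BlobEndpoint", "unknown")
                        findings.append((path, lineno, kind, target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```
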

The code provided in this article can be used to authenticate with managed identity against a storage account. Provided that you have already assigned the necessary RBAC roles between your services, you can use the example code below to list blobs in a storage account.

private static async Task ListBlobsFlatListing(BlobContainerClient blobContainerClient, 
                                               int? segmentSize)
{
    try
    {
        // Call the listing operation and return pages of the specified size.
        var resultSegment = blobContainerClient.GetBlobsAsync()
            .AsPages(default, segmentSize);

        // Enumerate the blobs returned for each page.
        await foreach (Page<BlobItem> blobPage in resultSegment)
        {
            foreach (BlobItem blobItem in blobPage.Values)
            {
                Console.WriteLine("Blob name: {0}", blobItem.Name);
            }

            Console.WriteLine();
        }
    }
    catch (RequestFailedException e)
    {
        Console.WriteLine(e.Message);
        Console.ReadLine();
        throw;
    }
}

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-list

In order to authenticate with MI you will need to create a new BlobContainerClient with your storage-account-name and pass ManagedIdentityCredential as the credential parameter. Then you will be able to call the ListBlobsFlatListing function provided by Microsoft with the client you just created.

BlobContainerClient client = new BlobContainerClient(new Uri($"https://storage-account-name.blob.core.windows.net/testing"), new ManagedIdentityCredential());

ListBlobsFlatListing(client, 1).GetAwaiter().GetResult();

After these steps you will be able to fetch data using Managed identity instead of classic authentication.

Categories: Azure, C# & .NET
Tags: .net managed identity, Azure, azure.identity, c# managed identity, getblob, listblob, managed identity, storage account, storage account managed identity .net
Posted on February 21, 2023 by geralexgr

Get blob files from azure storage account using python

You can use the Python SDK to retrieve blob files from a storage account on Azure. First you will need to get the connection string for the storage account from the Access keys section.

Then you can execute the Python code below.

from azure.core.exceptions import ResourceNotFoundError
from azure.storage.blob import BlobServiceClient

# Connection string from the storage account's Access keys section (placeholder value).
connection_string = "CONNECTION_STRING"
service = BlobServiceClient.from_connection_string(connection_string)
try:
    account_info = service.get_account_information()
    print('Using Storage SKU: {}'.format(account_info['sku_name']))
    container_client = service.get_container_client("files")
    try:
        # List every blob in the "files" container.
        for blob in container_client.list_blobs():
            print("Found blob: ", blob.name)
    except ResourceNotFoundError:
        print("Container not found.")
except Exception as ex:
    print('Exception:')
    print(ex)

As seen from the screenshots, I have a container named files

And inside the container I have a test.txt file.

By running the Python script (in my case I added it to a container) you will get the files inside the blob container.

Quickstart: Azure Blob Storage client library for Python – Azure Storage | Microsoft Learn

Categories: Azure, Devops, Scripts
Tags: Azure, azure-identity, azure-storage-blob, blob, blob retrieve python, python, python azure blob, python sdk, storage, storage account
Posted on July 14, 2022 by geralexgr

Download and upload files on Blob storage using Azure DevOps

For some data processing scenarios I had to create an automation that would download some files from a storage account, perform actions on them (Python, custom tools) and lastly upload the processed files to the storage account again.

A high level diagram is visible below:

In order to automate this scenario I used a custom DevOps agent on Azure DevOps and assigned a managed identity to this agent (virtual machine), with access on the storage account, in order to interact with it without using credentials.

Then I only used PowerShell and the az CLI to download and upload the files on the storage account.

The three pipeline tasks that are required to perform the download, processing and upload actions can be found below.

The JSON object is used to download a specific file based on the requirements, for example the first entry in chronological order. This is why Sort-Object -Descending is used.

trigger:
- none

pool: mypool

steps:

- task: PowerShell@2
  displayName: download file from blob storage
  inputs:
    targetType: 'inline'
    script: |
      az login --identity
      $json = az storage blob list --container-name blobcontainer --account-name storageaccountname --prefix "folder1/subcategory" --auth-mode login | ConvertFrom-Json | Sort-Object -Descending { $_.properties.lastModified }
      $filename = "custom_name"
      az storage blob download --file "C:\devopsdir\$filename" --name $json[0].name --container-name blobcontainer --account-name storageaccountname --auth-mode login
      Write-Host "##vso[task.setvariable variable=downloadfilename]$filename"
    pwsh: true


- task: PowerShell@2
  displayName: run python commands
  inputs:
    targetType: 'inline'
    script: |
      python $(Build.SourcesDirectory)/python/something.py	

- task: PowerShell@2
  displayName: upload file to storage account
  inputs:
    targetType: 'inline'
    script: |
      $name = "$(downloadfilename)" + "_" + (get-date -format "yyyyMMdd") 
      az storage blob upload --file "C:\devopsdir\$name" --name "folder1/subcategory/$name" --container-name blobcontainer  --account-name storageaccountname --auth-mode login

The result will then be uploaded to the storage account.

Categories: Automation, Azure, Cloud, Devops
Tags: account, automation, azure devops download, azure devops upload, azuredevops, blob storage, containers, files, storage account, storageaccount, upload
