Create user with permission to more than one container in azure from PowerShell

Ruwi
March 23, 2023
185 views
1 vote
2 Answers

I have an Azure storage account with SFTP enabled. I have multiple containers with one user for each container with permissions to only that container.
I would like to also have a user with access to all containers.
I know it is possible to do so in the Azure portal. I, however, need to be able to do it from PowerShell.
I see two possible options: Either by having a permission scope that simply gives the user permissions to everything including new containers when they are added or by adding to the existing permissions when a new container is added.

I have tried using the New-AzStorageLocalUserPermissionScope function from the Az module. With this function, though, I can (AFAIK) only specify one container to give permissions to.
If update a user with a new permission scope with the Set-AzStorageLocalUser function it overwrites the existing permission.

Answers

Chosen as BEST ANSWER
- Ruwi
- March 27, 2023 at 8:47 am
- 0 votes
0
I was able to create a solution by appending permission scopes as suggested by Jahnavi.

Creating and appending the permission scopes one by one every time I update the user is not a possibility, though, as I will only have the information on the container that should be added to the permissions. My solution is to save the permission scope as a JSON-file. Every time I need to add a permission I do the following:
1. Read the file containing the current permissions
2. Create permission scope for the new container
3. Append the current and new permissions
4. Assign new joint permissions to user
5. Write new joint permissions to JSON file
Here is the code I use:
```
# Read permissions from JSON
$CurrentPermissions = Get-Content -Path permissions.json | ConvertFrom-Json
# Permission scope for new container
$ContainerPermission = New-AzStorageLocalUserPermissionScope -Permission rwdlc -Service blob -ResourceName "mycontainer"
# Conbine permissions
$NewPermissions = $CurrentPermissions + $ContainerPermission
# Assign new permissions to user
$LocalUser = Set-AzStorageLocalUser -ResourceGroupName "MyResourceGroup" -StorageAccountName "mystorageaccount" -UserName "myuser" -PermissionScope $NewPermissions
# Write new permissions to json file
$NewPermissions | ConvertTo-Json | Out-File "permissions.json"
```

(Edit)

- Jahnavi
- March 24, 2023 at 10:59 am
- 0 votes
0
As you said, updating a user with a new permission scope with the Set-AzStorageLocalUser function overwrites the existing permission scope every time.

So after a workaround on this, I found a way by generating a SAS token for the storage account using New-AzStorageAccountSASToken cmdlet. Then the token helps to grant access to all containers in the storage account.

Below is the script which I tried to generate a SAS token and then used that SAS token to grant access to the other storage accounts.
```
$accountName = "<storageaccount>"       
$accountKey = "xxxxxxzxrQ=="                                                                                               
$storageContext = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
$permission = "rxxxxlup"     
$expiryTime = (Get-Date).AddDays(1)                                                                         
$sasToken = New-AzStorageAccountSASToken -Context $storageContext -Service Blob, File, Queue, Table -ResourceType Container -Permission $permission -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime $expiryTime
```
```
$storageContext = New-AzStorageContext -StorageAccountName "<otherstorageaccount" -SasToken $sasToken
$storageContext
```
Output:

Alternatively:-

I tried using the NewAzStorageLocalUserPermissionScope and
Set-AzStorageLocalUser commands and it worked as follows:

Steps followed:
1. Container’s storage account was retrieved with the context.
2. With the respective user, I created permission scopes for various containers.
3. Those permission scopes were appended and saved in a single variable.
4. The local user was then assigned the stored scopes.
Script:
```
$context = (Get-AzStorageAccount -Name <Storageaccount> -ResourceGroupName <resourcegroup>).Context
$Userinfo = Get-AzStorageLocalUser -Context $context -Username <User>
#permission scope for one container
$permissionScope = New-AzStorageLocalUserPermissionScope -Permission rw -Service blob -ResourceName <containername>
#New permission scope for the other container
$newScope = New-AzStorageLocalUserPermissionScope -Container <othercontainername> -Permission "rwdl"
$permissionscope.permissions += $newscope.permissions
$p1 = $permissionscope.permissions                   
$p2 = $newscope.permissions
$p1 += $p2
Set-AzStorageLocalUser  -ResourceGroupName  <Resourcegroup> -AccountName  <Storageaccount> -Username <User> -PermissionScopes $p1
```
Output:
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.