
I have an Azure storage account with SFTP enabled. I have multiple containers with one user for each container with permissions to only that container.
I would like to also have a user with access to all containers.
I know it is possible to do so in the Azure portal. I, however, need to be able to do it from PowerShell.
I see two possible options: Either by having a permission scope that simply gives the user permissions to everything including new containers when they are added or by adding to the existing permissions when a new container is added.

I have tried using the New-AzStorageLocalUserPermissionScope function from the Az module. With this function, though, I can (AFAIK) only specify one container to give permissions to.
If I update a user with a new permission scope with the Set-AzStorageLocalUser function, it overwrites the existing permission.

2 Answers


  1. Chosen as BEST ANSWER

    I was able to create a solution by appending permission scopes as suggested by Jahnavi.

    Creating and appending the permission scopes one by one every time I update the user is not a possibility, though, as I will only have the information on the container that should be added to the permissions. My solution is to save the permission scope as a JSON-file. Every time I need to add a permission I do the following:

    1. Read the file containing the current permissions
    2. Create permission scope for the new container
    3. Append the current and new permissions
    4. Assign new joint permissions to user
    5. Write new joint permissions to JSON file

    Here is the code I use:

    # Read permissions from JSON
    $CurrentPermissions = Get-Content -Path permissions.json | ConvertFrom-Json
    # Permission scope for new container
    $ContainerPermission = New-AzStorageLocalUserPermissionScope -Permission rwdlc -Service blob -ResourceName "mycontainer"
    # Combine permissions
    $NewPermissions = $CurrentPermissions + $ContainerPermission
    # Assign new permissions to user
    $LocalUser = Set-AzStorageLocalUser -ResourceGroupName "MyResourceGroup" -StorageAccountName "mystorageaccount" -UserName "myuser" -PermissionScope $NewPermissions
    # Write new permissions to json file
    $NewPermissions | ConvertTo-Json | Out-File "permissions.json"
    
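    An added example (not the poster's code) that does the same append without a local JSON file: it reads the user's scopes back from the service with Get-AzStorageLocalUser, so the list cannot drift from what is actually in effect, skips containers that already have a scope, and defaults to read/list rather than rwdlc. It assumes the returned object exposes the scopes as a PermissionScopes property whose items have Service, ResourceName and Permissions, and the resource and user names in the usage line are constructed.

```powershell
function Add-SftpContainerScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $ContainerName,
        # Least privilege by default: read + list. Widen per container on purpose.
        [string] $Permission = 'rl'
    )

    # Current scopes come from the service, not from a file we maintain ourselves.
    # Assumption: the PSLocalUser object exposes them as .PermissionScopes.
    $user = Get-AzStorageLocalUser -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -UserName $UserName
    $existing = @($user.PermissionScopes | Where-Object { $_ })

    # Idempotency: a second scope for the same container is a mistake, not an append.
    $dup = $existing | Where-Object {
        $_.Service -eq 'blob' -and $_.ResourceName -eq $ContainerName
    }
    if ($dup) {
        Write-Verbose "'$UserName' already has '$($dup.Permissions)' on '$ContainerName'; nothing to do."
        return $existing
    }

    $new = New-AzStorageLocalUserPermissionScope -Permission $Permission `
        -Service blob -ResourceName $ContainerName
    # Set-AzStorageLocalUser replaces the whole list, so always pass old + new together.
    $combined = $existing + $new

    $target = "$StorageAccountName/$UserName"
    if ($PSCmdlet.ShouldProcess($target, "grant '$Permission' on container '$ContainerName'")) {
        Set-AzStorageLocalUser -ResourceGroupName $ResourceGroupName `
            -StorageAccountName $StorageAccountName -UserName $UserName `
            -PermissionScope $combined | Out-Null
    }
    return $combined
}

# Constructed usage: -WhatIf shows the intended change without applying it.
Add-SftpContainerScope -ResourceGroupName 'MyResourceGroup' -StorageAccountName 'mystorageaccount' `
    -UserName 'myuser' -ContainerName 'reports' -WhatIf
```

    Because every call rewrites the full scope list, running the function for each new container keeps the user's effective permissions equal to the set you can read back from the account, which is also what you would audit.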

  2. As you said, updating a user with a new permission scope with the Set-AzStorageLocalUser function overwrites the existing permission scope every time.

    So after a workaround on this, I found a way by generating a SAS token for the storage account using New-AzStorageAccountSASToken cmdlet. Then the token helps to grant access to all containers in the storage account.

    Below is the script which I tried to generate a SAS token and then used that SAS token to grant access to the other storage accounts.

    $accountName = "<storageaccount>"
    $accountKey = "xxxxxxzxrQ=="
    # Context authenticated with the account key
    $storageContext = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
    $permission = "rxxxxlup"
    $expiryTime = (Get-Date).AddDays(1)
    # Account-level SAS, valid from 5 minutes ago until $expiryTime
    $sasToken = New-AzStorageAccountSASToken -Context $storageContext -Service Blob, File, Queue, Table -ResourceType Container -Permission $permission -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime $expiryTime

    # Context that authenticates with the SAS token instead of the key
    $storageContext = New-AzStorageContext -StorageAccountName "<otherstorageaccount>" -SasToken $sasToken
    $storageContext


    Output:


    Alternatively:

    I tried using the New-AzStorageLocalUserPermissionScope and
    Set-AzStorageLocalUser commands and it worked as follows:

    Steps followed:

    1. Container’s storage account was retrieved with the context.
    2. With the respective user, I created permission scopes for various containers.
    3. Those permission scopes were appended and saved in a single variable.
    4. The local user was then assigned the stored scopes.

    Script:

    $account = Get-AzStorageAccount -Name "<Storageaccount>" -ResourceGroupName "<resourcegroup>"
    $Userinfo = Get-AzStorageLocalUser -StorageAccount $account -UserName "<User>"
    # Permission scope for one container
    $permissionScope = New-AzStorageLocalUserPermissionScope -Permission rw -Service blob -ResourceName "<containername>"
    # New permission scope for the other container
    $newScope = New-AzStorageLocalUserPermissionScope -Permission rwdl -Service blob -ResourceName "<othercontainername>"
    # Append both scope objects into one array; the cmdlet replaces the user's whole list with it
    $p1 = @($permissionScope)
    $p1 += $newScope
    Set-AzStorageLocalUser -ResourceGroupName "<Resourcegroup>" -StorageAccountName "<Storageaccount>" -UserName "<User>" -PermissionScope $p1


    Output:
