microsoft / AzureStorageExplorer

Easily manage the contents of your storage account with Azure Storage Explorer. Upload, download, and manage blobs, files, queues, tables, and Cosmos DB entities. Gain easy access to manage your virtual machine disks. Work with either Azure Resource Manager or classic storage accounts, plus manage and configure cross-origin resource sharing (CORS) rules.
Creative Commons Attribution 4.0 International
375 stars 86 forks

Add support for Managed Identity login #2142

Open mikkoc opened 5 years ago

mikkoc commented 5 years ago

Is your feature request related to a problem? Please describe. We need to access StorageExplorer from inside a VM with an assigned Managed Identity. Currently there is no option to log in to StorageExplorer with a managed identity.

Describe the solution you'd like Add an option to set up authentication through the Managed Identity.

JasonYeMSFT commented 4 years ago

To confirm, are you asking to use enterprise app/service principal to log in to Storage Explorer instead of your user credential?

mikkoc commented 4 years ago

No, I would like to use Managed Identity: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview To be more specific, in our case, it's a user-assigned managed identity.

We followed this tutorial: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage#get-an-access-token-and-use-it-to-call-azure-storage

So currently, to access blobs from the VM we use:

# Ask the VM's Instance Metadata Service (IMDS) for an access token scoped to Azure Storage; the Metadata header is required
STORAGE_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r .access_token)

# Download the blob, presenting the token as a bearer credential
curl https://mystorage.blob.core.windows.net/container/my_file.deb -H "x-ms-version: 2017-11-09" -H "Authorization: Bearer $STORAGE_TOKEN" -o /tmp/my_file.deb

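The two curl commands above work for a system-assigned identity or a VM with a single user-assigned one, but IMDS must be told which identity to use when several are attached, and the returned token is worth inspecting before it is handed to storage. The following is an added example, not code from the AzureStorageExplorer project or from anyone in this thread. The IMDS endpoint, the mandatory Metadata header and the client_id/object_id/msi_res_id selectors are the documented IMDS interface; every GUID, the sample claims and the unsigned sample token are constructed for illustration, and the only function that touches the network (`fetch_imds_token`) is never called offline.

```python
"""Get a storage token from Azure IMDS for a managed identity and check its claims.

Added example for this thread, not AzureStorageExplorer project code. The IMDS
endpoint, Metadata header and identity selectors are the documented interface;
all GUIDs and the sample token below are constructed.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"


def imds_token_url(resource=STORAGE_RESOURCE, client_id=None, api_version="2018-02-01"):
    """Build the IMDS token URL. Without a selector IMDS uses the system-assigned
    identity (or the single user-assigned one); a VM carrying several
    user-assigned identities must name one via client_id (object_id or
    msi_res_id are the alternatives) or IMDS answers HTTP 400."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_imds_token(url, timeout=5):
    """Only reachable from inside the VM. The Metadata: true header is mandatory;
    IMDS rejects requests without it, which blocks browser-driven SSRF relays."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Read the payload without verifying the signature: Azure Storage is the
    verifier, the client only needs to inspect what it is about to send."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_storage_token(claims, expected_oid=None, now=None, min_ttl=60):
    """Return a list of problems; empty means the token is usable.
    Checks audience (a token minted for ARM or Key Vault is useless here),
    remaining lifetime, and optionally the identity's object ID."""
    now = time.time() if now is None else now
    problems = []
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != STORAGE_RESOURCE.rstrip("/"):
        problems.append(f"audience is {aud!r}, expected {STORAGE_RESOURCE!r}")
    remaining = claims.get("exp", 0) - now
    if remaining < min_ttl:
        problems.append(f"token expires in {remaining:.0f}s (minimum {min_ttl}s)")
    if expected_oid and claims.get("oid") != expected_oid:
        problems.append(f"token oid {claims.get('oid')!r} is not the expected identity")
    return problems


def make_unsigned_sample_token(claims):
    """Structurally valid but unsigned JWT for offline use (constructed; a real
    IMDS token is RS256-signed by Entra ID)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed
SAMPLE_OID = "11111111-2222-3333-4444-555555555555"        # constructed
SAMPLE_CLAIMS = {                                          # constructed
    "aud": "https://storage.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "oid": SAMPLE_OID,
    "nbf": 1700000000,
    "exp": 1700003600,
}


def get_storage_token(client_id=None, expected_oid=None):
    """On a VM: fetch a token for the chosen identity and refuse it if the
    claim checks fail. Pass the result as 'Authorization: Bearer <token>'."""
    token = fetch_imds_token(imds_token_url(client_id=client_id))
    problems = check_storage_token(decode_jwt_claims(token), expected_oid)
    if problems:
        raise RuntimeError("; ".join(problems))
    return token


if __name__ == "__main__":
    # Offline demonstration with the constructed token.
    print(imds_token_url(client_id=SAMPLE_CLIENT_ID))
    sample = make_unsigned_sample_token(SAMPLE_CLAIMS)
    print(check_storage_token(decode_jwt_claims(sample), SAMPLE_OID, now=1700000000))
```

The object ID check is the piece a GUI attach flow would need from the user for a user-assigned identity: the VM may expose several identities, and the one with storage RBAC is not necessarily the one IMDS picks by default.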
MRayermannMSFT commented 4 years ago

I'll try to look into this some more. 😊 But what confuses me is, it seems like this feature is intended to help a script or app that you wrote authenticate. Storage Explorer is a GUI tool (aka, something for a human being to use in an interactive way). So in what scenario are you wanting to have this ability? Is it something like: "I have a script which uses managed identity to access storage, but it is having permission issues, so I want to use Storage Explorer with the same identity as the script, so I can debug the issues"?

mikkoc commented 4 years ago

Sorry, I should have been more clear, the example I gave is for a different use case.

Managed Identity is not something we came up with: it's an Azure mechanism and is the way forward, as it allows you to get rid of managing Service Principal credentials, rotating them, etc. It's very similar to AWS IAM instance roles, if you're familiar with that.

All Azure services are slowly adding support for Managed Identities, see for example: https://github.com/Azure/AKS/issues/993

The use case is for a human logged into a desktop environment inside an Azure VM. He/She should be able to use Storage Explorer without having to input credentials, as long as the VM has a Managed Identity associated with it that allows access to Storage.

mikkoc commented 4 years ago

Just for my understanding, does Storage Explorer use AzCopy under the hood?

If so, azcopy already supports login with --identity, as per: https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-login

So it should be trivial to add this in the GUI.

MRayermannMSFT commented 2 years ago

@mikkoc

  1. Were/are you working with VMs that have user or system assigned managed identities?
  2. How many managed identities would you want Storage Explorer to support working with at the same time?
  3. Any strong negative opinions against you having to tell Storage Explorer that there is a managed identity for it to use/other information it may need to know about it?
  4. Would you just use the identity for authenticating attachments, or would you want to browse multiple resources under a subscription/s with it?

DavidLangworthy commented 1 year ago

@MRayermannMSFT

Looks like this has been bumping around for a while. I've run into the need again. Due to our security requirements, users and groups do not have direct access to storage, only VMs with lots of logging and policy attached. The VMs attach via a UMI.

In the fully general, all-singing, all-dancing version a UMI is just like an Azure account. But I don't know an easy way to add it into that flow off the top of my head.

Plenty to cover all of the actual scenarios I can think of is to add an MI option to the radio control on the Attach Account, Container, Queue, Table flows. The follow-on page would be pretty similar, but needs the OID for the UMI. Login needs the tenant ID as well, but I expect this can be figured out from the account name.

MatanShabtay commented 1 year ago

What's the status of this?

kgaska commented 9 months ago

I have the same request: please add the possibility to use a managed identity as the auth mechanism when using Azure Storage Explorer on a VM. In our case, access to the Azure storage account is possible only from a particular VM. The VM has a managed identity enabled and that service principal has access to the configured containers. I see no reason to set up permissions for each user individually when they have already been granted access to the VM, which is supposed to have access to the Storage Account.

luisnaranjo733 commented 1 month ago

In the age of tightening security stances, this becomes a critical feature for Azure Storage Explorer. Consider the scenario where a user is required to use passwordless Entra ID auth only. They lose the ability to use Azure Storage Explorer from Bastion private VMs entirely when managed identities are the only way they can auth to their storage account.