Open mikkoc opened 5 years ago
To confirm, are you asking to use enterprise app/service principal to log in to Storage Explorer instead of your user credential?
No, I would like to use Managed Identity: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview To be more specific, in our case it's a user-assigned managed identity.
We followed this tutorial: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage#get-an-access-token-and-use-it-to-call-azure-storage
So currently, to access blobs from the VM we use:
```bash
# Ask the VM's IMDS endpoint for a token scoped to the storage resource;
# the Metadata header is mandatory, and jq pulls out the access_token field.
STORAGE_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r .access_token)
# Download the blob, presenting that token as a bearer token.
curl https://mystorage.blob.core.windows.net/container/my_file.deb -H "x-ms-version: 2017-11-09" -H "Authorization: Bearer $STORAGE_TOKEN" -o /tmp/my_file.deb
```
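A Python equivalent of the two curl calls above, added here as an example (it is not code from this issue or from Storage Explorer). It goes one step beyond the comment by selecting a user-assigned identity, which the curl form does not do: when more than one user-assigned identity is attached to a VM, IMDS needs to be told which one via `client_id` (or `object_id`/`mi_res_id`). The identity GUID, the `fetch` injection point and the constructed IMDS-style response are assumptions made for offline demonstration; the `Metadata: true` header, endpoint, `api-version`, resource URI and `access_token`/`expires_on` fields follow the documented IMDS contract.

```python
"""Get a storage token from the Azure IMDS endpoint for a user-assigned
managed identity and build the authenticated blob download request.

Added example; not code from the issue thread or from Storage Explorer.
Assumptions: identity is selected by client_id; `fetch` is injectable so
the helpers can run offline against a constructed response.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"


def build_token_request(resource=STORAGE_RESOURCE, client_id=None,
                        api_version="2018-02-01"):
    """Return (url, headers) for the IMDS token request.

    Without client_id IMDS uses the system-assigned identity (and errors
    when several user-assigned identities are attached); with it, the named
    user-assigned identity is used.
    """
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header so a forwarding proxy
    # cannot be tricked into fetching tokens on an attacker's behalf.
    return url, {"Metadata": "true"}


def parse_token_response(body, now=None):
    """Validate an IMDS token JSON body; return (access_token, expires_on)."""
    data = json.loads(body)
    if "access_token" not in data or "expires_on" not in data:
        raise ValueError("IMDS response missing token fields: %r"
                         % (data.get("error") or data))
    expires_on = int(data["expires_on"])  # IMDS returns epoch seconds as a string
    now = time.time() if now is None else now
    if expires_on <= now:
        raise ValueError("token already expired")
    return data["access_token"], expires_on


def default_fetch(url, headers):
    """Real HTTP GET; only works on an Azure VM with a managed identity."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def get_storage_token(client_id=None, fetch=default_fetch, now=None):
    url, headers = build_token_request(client_id=client_id)
    return parse_token_response(fetch(url, headers), now=now)


def blob_request(account, container, blob, token, api_version="2017-11-09"):
    """Build the GET request that downloads one blob with a bearer token."""
    url = "https://%s.blob.core.windows.net/%s/%s" % (account, container, blob)
    headers = {"x-ms-version": api_version, "Authorization": "Bearer " + token}
    return url, headers


# Constructed IMDS-style response (assumption, for offline demonstration).
FAKE_IMDS_BODY = json.dumps({
    "access_token": "eyJ.fake.token",
    "expires_on": "2000000000",
    "resource": STORAGE_RESOURCE,
    "token_type": "Bearer",
})


def fake_fetch(url, headers):
    """Stand-in for default_fetch that checks the mandatory header."""
    if headers.get("Metadata") != "true":
        raise ValueError("Metadata header missing")
    return FAKE_IMDS_BODY


if __name__ == "__main__":
    # Hypothetical client_id of the user-assigned identity.
    tok, exp = get_storage_token(client_id="00000000-0000-0000-0000-000000000000",
                                 fetch=fake_fetch, now=1700000000)
    print(blob_request("mystorage", "container", "my_file.deb", tok))
```

On a real VM, call `get_storage_token(client_id=...)` without the `fetch` argument; the token is tied to the VM's identity, so RBAC on the storage account (for example Storage Blob Data Reader on the container) still decides whether the download succeeds.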
I'll try to look into this some more. 😊 But what confuses me is, it seems like this feature is intended to help a script or app that you wrote authenticate. Storage Explorer is a GUI tool (aka, something for a human being to use in an interactive way). So in what scenario are you wanting to have this ability? Is it something like: "I have a script which uses managed identity to access storage, but it is having permission issues, so I want to use Storage Explorer with the same identity as the script, so I can debug the issues"?
Sorry, I should have been more clear, the example I gave is for a different use case.
Managed Identity is not something we came up with: it's an Azure mechanism and is the way forward, as it lets you get rid of managing Service Principal credentials, rotating them, etc. It's very similar to AWS IAM instance roles, if you're familiar with that.
All Azure services are slowly adding support for Managed Identities, see for example: https://github.com/Azure/AKS/issues/993
The use case is for a human logged into a desktop environment inside an Azure VM. He/She should be able to use Storage Explorer without having to input credentials, as long as the VM has a Managed Identity associated with it that allows access to Storage.
Just for my understanding, does Storage Explorer use AzCopy under the hood?
If so, azcopy already supports login with `--identity`, as per: https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-login
So it should be trivial to add this to the GUI.
@mikkoc
@MRayermannMSFT
Looks like this has been bumping around for a while. I've run into the need again. Due to our security requirements, users and groups do not have direct access to storage, only VMs with lots of logging and policy attached. The VMs attach via a UMI.
In the fully general, all-singing, all-dancing version a UMI is just like an Azure account. But I don't know an easy way to add it into that flow off the top of my head.
Plenty to cover all of the actual scenarios I can think of would be to add an MI option to the radio control on the Attach Account, Container, Queue, Table flows. The follow-on page would be pretty similar, but needs the OID for the UMI. Login needs the tenant ID as well, but I expect this can be figured out from the account name.
What's the status of this?
I have the same request - please add the possibility to use a managed identity as the auth mechanism when using Azure Storage Explorer on a VM. In our case, access to the Azure storage account is possible only from a particular VM. The VM has a managed identity enabled, and that service principal has access to the configured containers. I see no reason to set up permissions for each user individually when they have already been granted access to the VM, which is supposed to have access to the Storage Account.
In the age of tightening security stances, this becomes a critical feature for Azure Storage Explorer. Consider the scenario where a user is required to use passwordless Entra ID auth only. They lose the ability to use Azure Storage Explorer from Bastion private VMs entirely when managed identities are the only way they can auth to their storage account.
Is your feature request related to a problem? Please describe. We need to access StorageExplorer from inside a VM with assigned Managed Identity. Currently there is no option to login to StorageExplorer with a managed identity.
Describe the solution you'd like Add an option to set up authentication through the Managed Identity.