microsoft / vscode-azurestorage

Azure Storage extension for VS Code
https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurestorage
MIT License
61 stars, 38 forks

Support Azure Role-Based Access Control (RBAC) #967

Open kimjamia opened 3 years ago

kimjamia commented 3 years ago

Steps to reproduce:

  1. Grant Reader role to Storage Account.
  2. Grant Storage Blob Data Contributor role to a container within the Storage Account.
  3. In VS Code, do "Azure: Sign In".
  4. In the Azure menu in VS Code, expand STORAGE and then expand the subscription the account is in.
  5. Observe that the Storage Account is visible because Reader rights were granted.
  6. Expand the Storage Account.

=> Error: The client '' with object id '' does not have authorization to perform action 'Microsoft.Storage/storage/storageAccounts/listKeys'...

Do the same thing in Azure Storage Explorer and everything works well. User can see the containers under the Storage Account and can browse the container the user was given access to. Other containers report an error as expected.

Expected result: Reader role is sufficient to see the containers in a Storage Account and access to Storage Account keys is not needed.

wwlorey commented 3 years ago

For now, I would recommend giving read access for the container and the storage account.

petercm commented 3 years ago

Setting Reader on the container and storage account doesn't work. The plugin still tries to list access keys and fails there.

kimjamia commented 3 years ago

Permission to list keys is included in the following built-in roles:

It's an excessive permission but a possible workaround.

AzCode-Bot commented 2 years ago

This issue has become stale and is at risk of being closed. The community has 60 days to upvote the issue. If it receives 5 upvotes we will keep it open and take another look. If not, we will close it. To learn more about how we handle issues, please see our documentation.

Happy Coding!

romain-leonard commented 2 years ago

Hi, I have the same issue. It comes from the use of the default authentication type (keys) which is marked as legacy.

The AZ Cli has the same behavior, by default, but it can be overridden by the environment variable AZURE_STORAGE_AUTH_MODE or the --auth-mode parameter set to login.

I think the extension should have a parameter or use the same environment variable.

Here is an AZ Cli example:

$ az storage blob list -c stcontainer --account-name staccount
==> Access denied

$ az storage blob list -c stcontainer --account-name staccount --auth-mode login
==> Access granted

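As an added example (not part of this issue thread or the extension's code), the same RBAC-only path the az CLI takes with --auth-mode login, done against the Blob REST API with a bearer token from `az account get-access-token --resource https://storage.azure.com/`; the account name, the STORAGE_TOKEN variable and the sample XML response are assumptions. Listing containers this way needs a data-plane role at account scope (Storage Blob Data Reader or higher): a role granted only on one container gets 403 on this call, and Microsoft.Storage/storageAccounts/listKeys is never invoked.

```python
import os
import urllib.request
import xml.etree.ElementTree as ET

STORAGE_RESOURCE = "https://storage.azure.com/"  # AAD audience for Blob storage tokens
API_VERSION = "2021-08-06"                        # x-ms-version the request is sent with


def build_list_containers_request(account: str, token: str) -> urllib.request.Request:
    """Build the 'List Containers' request (GET /?comp=list) with a bearer token.
    No account key is involved: the principal's data-plane RBAC decides the outcome."""
    url = f"https://{account}.blob.core.windows.net/?comp=list"
    headers = {
        "Authorization": f"Bearer {token}",
        "x-ms-version": API_VERSION,
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def parse_container_names(body: bytes) -> list[str]:
    """Extract container names from the EnumerationResults XML the service returns."""
    root = ET.fromstring(body)
    return [c.findtext("Name") for c in root.iter("Container")]


def list_containers(account: str, token: str) -> list[str]:
    """Live call. A 403 here means the principal lacks a data-plane role on the
    account itself (e.g. it only holds one on a single container), not listKeys."""
    with urllib.request.urlopen(build_list_containers_request(account, token)) as resp:
        return parse_container_names(resp.read())


# Constructed sample response (assumption), in the shape the service returns.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://staccount.blob.core.windows.net/">
  <Containers>
    <Container><Name>stcontainer</Name><Properties/></Container>
    <Container><Name>logs</Name><Properties/></Container>
  </Containers>
  <NextMarker/>
</EnumerationResults>"""

if __name__ == "__main__":
    token = os.environ.get("STORAGE_TOKEN")  # hypothetical variable holding the AAD token
    if token:
        print(list_containers("staccount", token))
    else:
        print(parse_container_names(SAMPLE_RESPONSE))
```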
trymzet commented 2 years ago

@romain-leonard I don't think users should be configuring anything. I open the same thing up in the Azure Storage Explorer app and it works in 5 seconds.

lindoman commented 1 year ago

I add my vote to this; our security model at my place of work will never allow the authentication through as it stands, and I am missing the ability to be able to view the contents of our storage containers in VS Code.