Score:0

Allow Azure VM To Access Storage Container Without AAD


I have a subscription, resource group and a VM. Let's call this VM as vm-01.

From the VM, I want to access Azure Storage containers and objects. I have installed the Azure CLI on this Linux VM.

Is it possible to access the storage service from the VM by using RBAC? I want to execute commands like:

az storage container list

The documents I have read all point to using Azure Active Directory. I do not have Azure Active Directory service for this subscription and resource group.

I was thinking I could create a custom role and assign it to the VM. I was able to create the custom role and provide the required storage permissions to the role. However, I am not able to assign the custom role to the VM. In the Azure console, I see only options to assign the Azure Managed identities.

You have Azure AD, you can't use Azure without it.
Score:1

You need to do the following:

  1. Create a user assigned managed identity
  2. Give this managed identity proper permissions on the storage account (such as "Storage Account Contributor")
  3. Assign this managed identity on your VM
  4. Authenticate to AZ cli using the following command
az login --identity

Once that's done, you should be able to make API calls on the storage account (such as az storage container list) after authenticating using the managed identity.

Here's the official docs.
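The four steps above as Azure CLI calls, written here as an added example (not code from the answer, the thread, or Microsoft's docs). Every resource name in it is an assumed placeholder (rg-demo, vm-01, stdemo01, mi-vm-01-storage), and the `run` wrapper defaults to DRY_RUN=1 so each command is printed for review before anything is changed. It also scopes the role assignment to the storage account rather than the subscription, and defaults to the data-plane role "Storage Blob Data Reader" with `--auth-mode login`: that is enough for `az storage container list` and, unlike Storage Account Contributor (which the CLI's default key mode uses to list the account keys), gives the VM no way to read the keys. Pass "Storage Account Contributor" as the third argument to `assign_role` to reproduce the answer's choice exactly.

```shell
#!/bin/sh
# Added example: the managed-identity setup from the answer as az CLI calls.
# Placeholder names (assumptions, not from the thread): rg-demo, vm-01, stdemo01, mi-vm-01-storage.
# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0 executes it.

RG="${RG:-rg-demo}"                 # resource group holding the VM and the identity
VM="${VM:-vm-01}"                   # the VM from the question
STORAGE="${STORAGE:-stdemo01}"      # storage account the VM should reach
MI="${MI:-mi-vm-01-storage}"        # name of the user-assigned managed identity
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ARM resource ID of the storage account. Using it as the role-assignment scope limits the
# identity to this one account instead of the whole resource group or subscription.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$RG" "$STORAGE"
}

# ARM resource ID of the user-assigned identity, needed when attaching it to the VM.
identity_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s' \
    "$1" "$RG" "$MI"
}

# Step 1: create the user-assigned managed identity.
create_identity() {
  run az identity create --resource-group "$RG" --name "$MI"
}

# Step 2: grant a role at storage-account scope.
#   $1 = subscription ID
#   $2 = the identity's principalId (az identity show -g RG -n MI --query principalId -o tsv)
#   $3 = role name; defaults to the data-plane read role, which cannot list account keys
assign_role() {
  run az role assignment create \
    --assignee-object-id "$2" \
    --assignee-principal-type ServicePrincipal \
    --role "${3:-Storage Blob Data Reader}" \
    --scope "$(storage_scope "$1")"
}

# Step 3: attach the identity to the VM ($1 = subscription ID).
attach_identity_to_vm() {
  run az vm identity assign --resource-group "$RG" --name "$VM" \
    --identities "$(identity_resource_id "$1")"
}

# Step 4: run on the VM itself. The token comes from the instance metadata service, so no
# credential is stored on disk. If the VM carries more than one identity, `az login --identity`
# must be told which client ID to use.
login_and_list() {
  run az login --identity
  run az storage container list --account-name "$STORAGE" --auth-mode login -o table
}

# Usage (steps 1-3 from a workstation with rights on the subscription, step 4 on vm-01):
#   . ./mi-storage.sh; create_identity
#   assign_role "$SUB_ID" "$PRINCIPAL_ID"; attach_identity_to_vm "$SUB_ID"
#   on the VM:  login_and_list
```

With DRY_RUN=1 the printed commands show exactly which principal gets which role at which scope, which is the part worth checking before the assignment exists: a role granted one level too high (resource group or subscription) is the usual way a "just let the VM read blobs" request turns into far broader access.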

Sudheer Satyanarayana:
Does this require Azure Active Directory (AAD)?

You already have AAD. The subscription wouldn’t exist without it.

faizan:
Agreed with @GregW, you just need to assign roles to the managed identity and assign it to your VM.

Other way around for system assigned MI. You need to create the system assigned MI first on the VM before you can grant it any privileges via RBAC.

Sudheer Satyanarayana:
Thank you. I assumed I had to subscribe to the AAD service as an extra option. I have created a user assigned managed identity. How do I provide permissions for the user assigned managed identity? In the role assignment screen of this user assigned managed identity page, I do not see a suitable role for storage access. I see 13 roles here, all of them seem irrelevant to storage access.

Sudheer Satyanarayana:
App Compliance Automation Administrator, Log Analytics Contributor, Managed Application Contributor Role, Managed Application Operator Role, Managed Applications Reader, Managed Identity Contributor, Managed Identity Operator, Monitoring Contributor, Monitoring Metrics Publisher, Monitoring Reader, Resource Policy Contributor: these are the job function roles I see.

Sudheer Satyanarayana:
I found the role assignment on the storage account scope and added it. Works as expected. Thanks.

faizan:
Awesome, if my answer helped you fix the problem, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thanks.