
I have an Azure storage account with SFTP enabled. I have multiple containers with one user for each container with permissions to only that container. I would like to also have a user with access to all containers. I know it is possible to do so in the Azure portal. I, however, need to be able to do it from PowerShell. I see two possible options: Either by having a permission scope that simply gives the user permissions to everything including new containers when they are added or by adding to the existing permissions when a new container is added.

I have tried using the New-AzStorageLocalUserPermissionScope function from the Az module. With this function, though, I can (AFAIK) only specify one container to give permissions to. If I update a user with a new permission scope with the Set-AzStorageLocalUser function, it overwrites the existing permission.

Ruwi

2 Answers


As you said, updating a user with a new permission scope with the Set-AzStorageLocalUser function overwrites the existing permission scope every time.

So after a workaround on this, I found a way by generating a SAS token for the storage account using New-AzStorageAccountSASToken cmdlet. Then the token helps to grant access to all containers in the storage account.

Below is the script which I tried to generate a SAS token and then used that SAS token to grant access to the other storage accounts.

$accountName = "<storageaccount>"
$accountKey = "xxxxxxzxrQ=="   # account key, obscured in the original post
$storageContext = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
# Account SAS permission letters (r w d l a c u p); the original post showed an obscured value.
# Trim this to the letters the use case actually needs.
$permission = "rwdlacup"
$expiryTime = (Get-Date).AddDays(1)
$sasToken = New-AzStorageAccountSASToken -Context $storageContext -Service Blob, File, Queue, Table -ResourceType Container -Permission $permission -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime $expiryTime
# Context that authenticates with the SAS token instead of the account key.
# An account SAS is a bearer credential and only authorizes requests to the account whose key signed it.
$storageContext = New-AzStorageContext -StorageAccountName "<otherstorageaccount>" -SasToken $sasToken
$storageContext

Output: (screenshots not reproduced)

Alternatively:-

I tried using the New-AzStorageLocalUserPermissionScope and Set-AzStorageLocalUser commands and it worked as follows:

Steps followed:

  1. Container's storage account was retrieved with the context.
  2. With the respective user, I created permission scopes for various containers.
  3. Those permission scopes were appended and saved in a single variable.
  4. The local user was then assigned the stored scopes.

Script:

$context = (Get-AzStorageAccount -Name "<Storageaccount>" -ResourceGroupName "<resourcegroup>").Context
# Get-AzStorageLocalUser addresses the account by name, not by storage context
$Userinfo = Get-AzStorageLocalUser -ResourceGroupName "<resourcegroup>" -StorageAccountName "<Storageaccount>" -UserName "<User>"
#permission scope for one container
$permissionScope = New-AzStorageLocalUserPermissionScope -Permission rw -Service blob -ResourceName "<containername>"
#New permission scope for the other container (same -Service/-ResourceName parameters as above)
$newScope = New-AzStorageLocalUserPermissionScope -Permission rwdl -Service blob -ResourceName "<othercontainername>"
#Collect both scope objects in one array; Set-AzStorageLocalUser replaces the whole scope list
$p1 = @($permissionScope, $newScope)
Set-AzStorageLocalUser -ResourceGroupName "<Resourcegroup>" -StorageAccountName "<Storageaccount>" -UserName "<User>" -PermissionScope $p1

Output: (screenshots not reproduced)

Jahnavi
  • Thanks for the help! I am unsure how I can use the StorageContext made with the SAS-token to create a new permission scope with access to all containers in the storage account? – Ruwi Mar 27 '23 at 06:30
  • You can pass `-context` parameter with the `Set-AzStorageLocalUser` command. @Ruwi – Jahnavi Mar 27 '23 at 06:41
  • I am sorry if I am missing something completely obvious, but when I look at the [documentation](https://learn.microsoft.com/en-us/powershell/module/az.storage/set-azstoragelocaluser?view=azps-9.5.0) I don't see any `-context` parameter? – Ruwi Mar 27 '23 at 07:00
  • Ok there may not be given the `context` parameter. I will check the other related commands. @Ruwi – Jahnavi Mar 27 '23 at 08:03

I was able to create a solution by appending permission scopes as suggested by Jahnavi.

Creating and appending the permission scopes one by one every time I update the user is not a possibility, though, as I will only have the information on the container that should be added to the permissions. My solution is to save the permission scope as a JSON-file. Every time I need to add a permission I do the following:

  1. Read the file containing the current permissions
  2. Create permission scope for the new container
  3. Append the current and new permissions
  4. Assign new joint permissions to user
  5. Write new joint permissions to JSON file

Here is the code I use:

# Read permissions from JSON (an array of objects with Permissions, Service, ResourceName)
# and rebuild proper scope objects from them; start empty on the first run
$CurrentPermissions = @()
if (Test-Path "permissions.json") {
    $CurrentPermissions = @(Get-Content -Path "permissions.json" -Raw | ConvertFrom-Json) |
        ForEach-Object { New-AzStorageLocalUserPermissionScope -Permission $_.Permissions -Service $_.Service -ResourceName $_.ResourceName }
}
# Permission scope for new container
$ContainerPermission = New-AzStorageLocalUserPermissionScope -Permission rwdlc -Service blob -ResourceName "mycontainer"
# Combine permissions (@() keeps this an array even when only one scope is stored)
$NewPermissions = @($CurrentPermissions) + $ContainerPermission
# Assign new permissions to user
$LocalUser = Set-AzStorageLocalUser -ResourceGroupName "MyResourceGroup" -StorageAccountName "mystorageaccount" -UserName "myuser" -PermissionScope $NewPermissions
# Write new permissions to JSON file, keeping only the fields needed to rebuild the scopes
$NewPermissions | Select-Object Permissions, Service, ResourceName | ConvertTo-Json | Out-File "permissions.json"
Ruwi
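The scope-append approach from Jahnavi's answer and the "add one container when it is created" workflow from Ruwi's answer can also be done without a side file, by reading the user's current scopes back from the account; this is an added example, not code from either answer. It assumes Az.Storage with an active Connect-AzAccount session and that the object returned by Get-AzStorageLocalUser exposes its scopes as a PermissionScopes property (each with Permissions, Service and ResourceName); the function name and all account, user and container values are placeholders.

```powershell
# Added example: append a blob-container scope to an existing SFTP local user
# without overwriting its current scopes, and without a duplicate if the container
# already has one. Assumes $user.PermissionScopes exists as described in the lead-in.
function Add-LocalUserContainerScope {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $ContainerName,
        # Least privilege: only the local-user permission letters this user needs (r w d l c)
        [ValidatePattern('^[rwdlc]+$')] [string] $Permission = 'rl'
    )

    $user = Get-AzStorageLocalUser -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -UserName $UserName

    # Rebuild the existing scopes as scope objects so the array passed back is well typed
    $scopes = @()
    $found = $false
    foreach ($s in @($user.PermissionScopes)) {
        if ($s.Service -eq 'blob' -and $s.ResourceName -eq $ContainerName) {
            # Container already present: merge the permission letters instead of adding a duplicate
            $merged = -join (($s.Permissions + $Permission).ToCharArray() | Select-Object -Unique)
            $scopes += New-AzStorageLocalUserPermissionScope -Permission $merged -Service blob -ResourceName $ContainerName
            $found = $true
        } else {
            $scopes += New-AzStorageLocalUserPermissionScope -Permission $s.Permissions -Service $s.Service -ResourceName $s.ResourceName
        }
    }
    if (-not $found) {
        $scopes += New-AzStorageLocalUserPermissionScope -Permission $Permission -Service blob -ResourceName $ContainerName
    }

    # Set-AzStorageLocalUser replaces the whole scope list, so pass the merged array
    Set-AzStorageLocalUser -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName `
        -UserName $UserName -PermissionScope $scopes
}

# Usage (placeholder values): give the "all containers" user read/list on a newly created container
Add-LocalUserContainerScope -ResourceGroupName 'MyResourceGroup' -StorageAccountName 'mystorageaccount' `
    -UserName 'alluser' -ContainerName 'newcontainer' -Permission 'rl'
```

Running this once per new container keeps a single user's scope list in sync with the account, and the merge branch means re-running it for an existing container only widens that one scope rather than duplicating it.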