Azure Blob Data Permissions Deep Dive (360 in 360)

  • Published 11 Jun 2024
  • In this 360 in 360 I give up on trying to come in under 360 seconds and instead go into detail about the various permission options and granularity available for Azure Storage Blobs. Starting off with an overview and then demonstrating all the options!
    Whiteboard image available at savilltech.com/2020/04/27/new....
  • Science & Technology

COMMENTS • 80

  • @georgibg 1 year ago +4

    Reading the docs got me more confused than I was before I started reading them. Thanks for this simple and insightful explanation!

  • @joshuaeuceda4635 1 year ago

    John, I watched this video 4 months ago and I returned to it today. Each time I watch it I gain new insights to these important concepts regarding Azure Storage Accounts. Thank you for making this knowledge available for the tech community!!

  • @yektam.g.n6851 2 months ago

    Great video, same as always. After 3 years, it's the best you can find on YouTube.

  • @makeitcloudy 1 year ago +1

    The explanation here is even better than the one on the e-learning platforms! It's far better :) thank you!

  • @psymonious 4 years ago +3

    Thanks a lot! This is by far one of, if not the best, video and explanation I've seen on this topic so far.

    • @NTFAQGuy 4 years ago

      Glad it was helpful!

  • @gabrieleprovenza6805 3 years ago +2

    Followed 2 courses on Udemy, watched lots of videos on YouTube; your aptitude for synthesis is brilliant; you are the best one.

    • @NTFAQGuy 3 years ago

      Wow, thanks! Glad you like the videos!

  • @TechieTard 9 months ago

    I was cross eyed after reading the documents. However, you my friend, made it all too easy! Thank you so much, enjoying all of your material.

    • @NTFAQGuy 9 months ago

      Glad it was helpful!

  • @luke-a-like 3 months ago

    Excellent Video! I just learned about your channel today. Helped me a lot already! I love your teaching method of explaining the abstract logic and going into detail after that! Perfect lesson. Thanks!

  • @alphabanks 3 years ago +1

    This is hands down the best video I've seen on this subject.

    • @NTFAQGuy 3 years ago

      Very kind, thank you!

  • @kenrq63 4 years ago +3

    Thank you for another instructive video John, I am enjoying watching them. Keep up the good work and I hope that you & your family are staying safe & healthy.

  • @ankitsharma-nd1dd 4 years ago +1

    Thank you John for such an insightful session, you are amazing in these 360 sessions.

    • @NTFAQGuy 4 years ago

      That’s very kind, thank you! And I came in under 360 minutes ;-)

  • @Keeper306 2 years ago

    Big thanks! There were so many access options and so many trash guides that suggest you just use the Access Key everywhere. And only here could I find a very clear explanation of all methods.

  • @joshuaeuceda4635 1 year ago

    Amazing work, John, thank you.

  • @anukaw1819 2 years ago +1

    Awesome explanation! Thanks for covering the key concepts in such a simple and easily understood way :-)

  • @arindambanerjee1662 3 years ago +1

    Nice one John 👍

  • @Byteben 1 year ago

    Great video John, thanks for sharing

  • @dosto-evsky 4 years ago

    Another awesome video, just catching up on those little nuggets of information. Thank you, Sir.

  • @ranielgarcia8685 1 year ago

    This is so useful, well explained. Thank you so much for making these kinds of videos. :)

  • @fungaimashozhera6599 3 years ago

    Thank you for a very clear and comprehensive video!

    • @NTFAQGuy 3 years ago

      Glad you enjoyed it!

  • @masoudkooranloo908 1 year ago

    What an explanation! Thank you really!

  • @marcelohg 4 years ago

    Thank you, it was very useful for me!

  • @geoffreyhibon2651 1 year ago

    Very useful for today's learning, John Mr Dogs ;)

  • @erjasdeep18 4 years ago

    Great insights John. Thanks.

  • @warlockCommitteeMeeting 3 years ago

    John, you rock, great content sir.

  • @jaggyjut 2 years ago

    Great tutorial. I was trying to use AzCopy to copy data from my local machine (Mac) to a container in Data Lake Gen2, but the authentication kept failing. Didn't find much help on the support forums or Microsoft docs. John has done a great job explaining the authentication concepts and how to use SAS. Thank you John.

  • @hardikdesai24 4 years ago +1

    Very well explained. After going through a few Pluralsight courses on Azure Storage, I find this more explanatory. I feel the whiteboarding steals the show. John, can you please also share the whiteboard content to review more often? Thanks.

    • @NTFAQGuy 4 years ago +1

      OK, posted a quick blog and uploaded the whiteboard image there. savilltech.com/2020/04/27/new-azure-storage-blob-permissions-video/

    • @Southpaw07 2 years ago

      @NTFAQGuy Thanks again John. This whiteboard helps with concepts on Azure Storage, in particular stored access policies, and I will add this to my AZ-104 study guide. Lol

  • @soumyarahul007 4 years ago

    Take my gratitude!!

  • @Southpaw07 2 years ago

    Hey John, thanks for another great video, TY sir! Just one thing I need to clarify: the user delegation as mentioned happens automagically when storage access is switched to Azure AD, correct?

    • @NTFAQGuy 2 years ago

      Depends on how you interact with storage. Portal, tools, all just work.

  • @growingisgood 2 years ago

    Great explanation! Really breaks it down well. Thanks 🙏🏽 (just as an aside, the red timer is a little distracting).

  • @redamaleki 3 years ago

    Great video! Very informative. I have a requirement to manage access via Azure AD and this explained that nicely. If I have users that are just connecting to download data (Azure AD only, no on-prem AD or Azure AD DS), is Azure Storage Explorer their best (or only) option for downloading data that needs to be secured? The SAS links seem nice, but I prefer to enforce MFA for users accessing the data.

    • @NTFAQGuy 3 years ago

      Storage Explorer is one option, yes. Glad you like the video.

  • @bahrammaleki411 4 years ago

    Very useful, thanks

    • @NTFAQGuy 4 years ago +1

      Glad it was helpful!

  • @elvirkaric1449 4 years ago

    Hi John, good session. Just to confirm: while a user is logged in (to Storage Explorer) and using a SAS key, if the administrator changes Key1/2, that user will still have access to the image until he/she logs out, right?

    • @NTFAQGuy 4 years ago

      No, it does not work that way. You are not "logging on". Every action you perform is a separate REST call to the API using the signature. You connect, it does a list: that's a call. You select a blob: that's a call. There is no session. So as soon as the key is regenerated, the SAS you have is now invalid; while Storage Explorer is still showing the content of the container (since it has that cached from a previous list), the SAS is now invalid and any future calls using that SAS will fail, including getting a blob, refreshing the listing etc. Hope that helps.

  • @thtgrldiana6388 3 years ago

    Thank you so much, I learned a lot, but I think I'm still a bit confused, just not as bad as before: for the SAS and access keys, these are done at the account level, where you can define access down to objects... and for specific assignment at the container\folder\object you can use an access policy. In all cases you can assign access and permissions using IAM?? Do I have it correct?? Is there an access configuration that would override/cancel out other access/permissions?

    • @NTFAQGuy 3 years ago

      There are two types of SAS, account and service, so SAS can also be resource level. Some also support data plane access control, e.g. blob, but not all.

    • @thtgrldiana6388 3 years ago

      @NTFAQGuy I rewatched this session and it made better sense this morning. I really like the whiteboarding and your presentation skills, please keep them coming!!

  • @davidfarrell1062 4 years ago

    If you generate a new access key, does it stop working for any SAS that was created using that key in the past? Sorry if you mentioned that in the video. Great videos btw.

    • @NTFAQGuy 4 years ago

      Yes. That is what I demoed, where the SAS stopped working when I regenerated the key that signed it. That is the only way to revoke an ad-hoc SAS (or it expires). Thanks for watching.
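
The two answers above (no session, every REST call is re-checked against the signature; regenerating the signing key is the only way to kill an ad-hoc SAS) can be made concrete by simulating the service's check locally. The Python below is an added example by the editor, not code from the video or from Microsoft's SDK. The account name, container, blob and policy names are made up, and the string-to-sign layout follows the documented blob service SAS format for API version 2020-12-06 as the editor recalls it; treat that layout as an assumption and use azure.storage.blob.generate_blob_sas for real tokens. The same model also shows the other revocation path the comments mention, stored access policies: a token that points at a policy with si= dies when the policy is deleted, with the keys left alone.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from urllib.parse import urlencode

SAS_VERSION = "2020-12-06"  # assumed API version for the string-to-sign layout


def _new_key():
    # Account keys are 512-bit random values handed out base64-encoded.
    return base64.b64encode(secrets.token_bytes(64)).decode()


class StorageAccount:
    """Just the parts of a storage account that SAS validation touches:
    the two account keys and the per-container stored access policies."""

    def __init__(self, name):
        self.name = name
        self.keys = {"key1": _new_key(), "key2": _new_key()}
        # container -> {policy_id: {"sp": permissions, "se": expiry}}
        self.stored_policies = {}

    def regenerate_key(self, key_name):
        # "Rotate key" in the portal: the old value is simply gone.
        self.keys[key_name] = _new_key()


def _string_to_sign(account_name, container, blob, p):
    # Blob service SAS string-to-sign (layout assumed from the docs for
    # sv=2020-12-06). Every field the token carries is covered by the MAC,
    # so editing sp= or se= in a URL breaks the signature.
    resource = f"/blob/{account_name}/{container}" + (f"/{blob}" if blob else "")
    fields = [
        p.get("sp", ""), p.get("st", ""), p.get("se", ""), resource,
        p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p["sv"], p["sr"],
        "",  # signedSnapshotTime
        "",  # signedEncryptionScope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ]
    return "\n".join(fields)


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def generate_service_sas(account, key_name, container, blob=None,
                         permissions="", expiry="", policy_id=None):
    """Client side: mint a token. Nothing is written to the account, which is
    why an ad-hoc SAS can only be revoked by regenerating its key (or expiring)."""
    p = {"sv": SAS_VERSION, "sr": "b" if blob else "c", "spr": "https"}
    if policy_id:
        p["si"] = policy_id  # permissions and expiry live in the stored policy
    else:
        p["sp"], p["se"] = permissions, expiry
    p["sig"] = _sign(account.keys[key_name], _string_to_sign(account.name, container, blob, p))
    return p


def sas_query_string(p):
    # What actually gets appended to the blob URL after the '?'
    return urlencode(p)


def authorize_request(account, container, blob, sas, permission, now=None):
    """Service side: what happens on EVERY REST call that carries the token.
    There is no session to log out of; each call is checked from scratch."""
    now = now or datetime.now(timezone.utc)
    expected = _string_to_sign(account.name, container, blob, sas)
    # The service does not know which key signed, so it tries both current keys.
    if not any(hmac.compare_digest(_sign(k, expected), sas["sig"]) for k in account.keys.values()):
        return False
    if "si" in sas:
        policy = account.stored_policies.get(container, {}).get(sas["si"])
        if policy is None:
            return False  # policy deleted -> token revoked, keys untouched
        perms, expiry = policy["sp"], policy["se"]
    else:
        perms, expiry = sas.get("sp", ""), sas.get("se", "")
    if datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
        return False
    return permission in perms


if __name__ == "__main__":
    acct = StorageAccount("contosodata")  # made-up account
    sas = generate_service_sas(acct, "key1", "images", "cat.jpg", "r", "2035-01-01T00:00:00Z")
    print("read before rotation:", authorize_request(acct, "images", "cat.jpg", sas, "r"))
    acct.regenerate_key("key1")
    print("read after rotating key1:", authorize_request(acct, "images", "cat.jpg", sas, "r"))
```

Note the consequence for key rotation: a token signed with key1 survives a regeneration of key2 and vice versa, so a clean rotation regenerates one key, re-issues tokens with the other, then regenerates the first. Stored access policies avoid that dance entirely, which is why they are the better choice for anything longer-lived than a one-off download link.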

  • @AquibQureshi 4 years ago +2

    Thanks John, it was a nice refresher. Could you please also make a video on File Share and its permissions, as it has grown a lot since the basic file share.
    File Share with Key
    File Share with Azure AD RBAC (Azure AD Domain Services and NTFS permissions)
    File Share with Azure File Sync (also NTFS)
    File Share with Active Directory Domain Join (NTFS)

    • @NTFAQGuy 4 years ago +1

      I just did a video on Azure Files AD integration. It was about a month ago. Enjoy.

    • @AquibQureshi 4 years ago

      @NTFAQGuy Thanks, it covered all the above points which I highlighted.
      File share used to be very simple earlier, and this feature has grown a lot when it comes to NTFS permissions, and now with AD integration it is a fully integrated and useful offering.

  • @rodrigo16medeiros 3 years ago

    Hello, John. How are you?
    I have a question and I would be very happy if you help me.
    Why, when I switch to Azure AD User Account at the container level, do I get the message that I don't have permissions to list the data, even being an Owner at the Management Group level?
    Thank you!

    • @NTFAQGuy 3 years ago

      You need a data role, as I talked about. Owner means nothing on the data plane.

  • @mmiltenburg 4 years ago

    Hi John,
    Am I correct that you cannot generate a container SAS from the portal?
    It can be done from storage explorer but I don't have the option in the portal.

    • @NTFAQGuy 4 years ago

      Right, I've never seen that option in the portal. You could also use PowerShell etc.

    • @jaggyjut 2 years ago

      The portal does allow you to generate a SAS for a container. I think Microsoft must have enabled this feature recently.

  • @TechGamerzlife 3 years ago

    Hello John,
    I am watching so many videos but I am still not sure how we utilize Azure file shares with SAS.
    Let's say I have a server where I want to mount a File Share. I know I can use access keys to mount, but if I have generated a SAS token, then where do I use it for mounting the file share?
    What is the benefit of generating a SAS token for Azure Files?
    I have seen we use Storage Explorer to access the storage account and we configure the SAS token there, but usually we use a SAS token for the complete storage account and not particularly for a single blob container or file share.
    It's bugging me, and I had this question in the AZ-104 exam and wanted to know what the answer could be. I had just guessed the answer for the question below:
    ********************************************************************************
    You need to use AzCopy to copy data to the blob storage and file storage in storage1.
    Which authentication method should you use for each type of storage?
    ********************************************************************************
    Options: AzureAD, SAS, Access Keys. (multiple choice) - For Blob Storage
    Options: AzureAD, SAS, Access Keys. (multiple choice) - For File Storage
    ********************************************************************************
    And I guessed,
    AzureAD+SAS for blob
    and SAS for file storage.
    ********************************************************************************
    So why can't we use access keys for AzCopy to copy to file storage?
    I have raised multiple questions, apologies for that. It's just that I am completely confused.
    I think my problem is that I don't know the use cases of Azure file shares with SAS.

    • @NTFAQGuy 3 years ago

      You can't use SAS for Azure Files if using SMB. SAS would only be if accessing via the REST API. If using Files with SMB you need to use AD or AADDS integration for data-level permissions. For blob, SAS is the best option; for file storage via SMB it would be Azure AD :-) Watch my storage master class video.

  • @krishna172225 3 years ago

    Hi John, can you please do similar kinds of videos on Azure DevOps? Please.

    • @NTFAQGuy 3 years ago +1

      I already have a number of videos on DevOps with ARM etc. I don't intend to do DevOps deep dive videos though.

  • @TheMeehaw 3 years ago

    Can you do all those things programmatically? So add an application user permission to only data in this container?

    • @NTFAQGuy 3 years ago +1

      Totally. REST API, PowerShell etc.

    • @TheMeehaw 3 years ago

      @NTFAQGuy Thanks. So if I understand correctly, we can have:
      1. Some kind of super user access that we can use to access all resources.
      2. We can also create user-specific access for each user (say if we use Azure B2C, we can leverage that here), so they see only their files. I would assume that in that case each user would have a dedicated container and access only to it and its files, correct?
      3. Is this the same for Azure Media Services?
      And of course, all of the above is feasible via code (i.e. Java, .NET or JavaScript REST calls)?

    • @NTFAQGuy 3 years ago

      @TheMeehaw B2C can't be used for Azure RBAC. You would need an intermediate app layer. Java can call the REST API.
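
Two of the questions above, Rodrigo's (Owner at the management group, yet denied when listing blobs) and TheMeehaw's (granting an application access to the data in one container only, programmatically), come down to the same two rules of Azure RBAC: management-plane calls are matched against a role's Actions, data-plane calls only against its DataActions, and an assignment applies at its scope and everything beneath it. The Python below is an added example by the editor, not code from the video or from Azure; it models that evaluation with the relevant subset of two built-in role definitions written from memory (check them with `az role definition list --name "Storage Blob Data Reader"`) and a hypothetical management group, subscription, account and container. Deny assignments and NotActions are left out. B2C users do not show up in such assignments because they are not principals in the workload tenant, which is why, as John says, an app that itself holds a data role has to sit in between and hand out per-user access.

```python
from fnmatch import fnmatchcase

# Relevant subset of two built-in roles (from memory; verify against
# `az role definition list`). Owner's "*" lives in Actions only: its
# DataActions list is empty, which is the whole reason an Owner cannot
# list or read blobs with an Azure AD identity.
ROLES = {
    "Owner": {"actions": ["*"], "dataActions": []},
    "Storage Blob Data Reader": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
    },
}

# Hypothetical hierarchy: one management group holding one subscription.
MG = "/providers/Microsoft.Management/managementGroups/corp-mg"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG_MEMBERS = {MG: {SUB}}
ACCOUNT = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/contosodata"
CONTAINER = ACCOUNT + "/blobServices/default/containers/invoices"

# Hypothetical assignments: an Owner at the management group, and a service
# principal with a data role scoped to a single container (the programmatic
# "this app may only touch this container's data" case).
ASSIGNMENTS = [
    {"principal": "mg-owner@contoso.com", "role": "Owner", "scope": MG},
    {"principal": "invoice-app-sp", "role": "Storage Blob Data Reader", "scope": CONTAINER},
]

LIST_CONTAINERS = "Microsoft.Storage/storageAccounts/blobServices/containers/read"
READ_BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"


def scope_applies(assignment_scope, target_scope):
    """An assignment covers its own scope and everything beneath it."""
    if target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/"):
        return True
    # Management-group inheritance is not visible in the resource ID string,
    # so resolve it through the explicit membership map instead.
    for sub in MG_MEMBERS.get(assignment_scope, ()):
        if target_scope == sub or target_scope.startswith(sub + "/"):
            return True
    return False


def is_authorized(assignments, principal, operation, target_scope, data_plane=False):
    """Allow-only RBAC check. Management-plane (ARM) operations are matched
    against Actions; data-plane (blob endpoint) operations only against
    DataActions. NotActions and deny assignments are omitted."""
    plane = "dataActions" if data_plane else "actions"
    for a in assignments:
        if a["principal"] != principal or not scope_applies(a["scope"], target_scope):
            continue
        if any(fnmatchcase(operation, pattern) for pattern in ROLES[a["role"]][plane]):
            return True
    return False


if __name__ == "__main__":
    blob = CONTAINER + "/blobs/2024/inv-001.pdf"
    print("Owner lists containers (ARM):", is_authorized(ASSIGNMENTS, "mg-owner@contoso.com", LIST_CONTAINERS, CONTAINER))
    print("Owner reads a blob (data):   ", is_authorized(ASSIGNMENTS, "mg-owner@contoso.com", READ_BLOBS, blob, data_plane=True))
    print("App reads invoices blob:     ", is_authorized(ASSIGNMENTS, "invoice-app-sp", READ_BLOBS, blob, data_plane=True))
```

The same evaluation explains a caveat worth keeping in mind: the Owner who cannot read a blob with their Azure AD identity can still call listKeys through ARM, and the account key grants full data access. Owner is therefore not "no data access", it is "no data access until they fetch the key", which is the argument for disabling shared key access on accounts that are meant to be Azure AD only.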

  • @Techfacts_Vinod_Telugu 3 years ago

    Hi, I have connected a Pi camera to store the images to a storage account. It is storing perfectly with one of my WiFi networks, and it is not storing with the other WiFi or a mobile hotspot. What would be the problem? Please try to help.

    • @NTFAQGuy 3 years ago

      Honestly, could be a million things. Does the one that works still work on the other WiFi? If not, look at the network path. Is the storage account limited by source IP, and do your WiFis have different public IPs? If both are using the same key/SAS it's going to be network most likely and nothing to do with permissions. Good luck.

    • @Techfacts_Vinod_Telugu 3 years ago

      @NTFAQGuy It is working with a WiFi which has a static IP, and the other WiFi has a dynamic IP.

  • @swapnilshivankar29 3 years ago

    How do I restrict users from copying data from a blob container or file share? They should be able to read and write but should not copy the data out of the storage to any physical system using any tool.

    • @NTFAQGuy 3 years ago

      That is data exfiltration, and you could use things like service endpoint policies or private endpoints to restrict which accounts are available. Watch the video on service endpoints and private endpoints.

    • @swapnilshivankar29 3 years ago

      @NTFAQGuy OK, thanks for the reply.

  • @b1chler 3 years ago +1

    Please disable the seconds and minutes in the clock :D

    • @NTFAQGuy 3 years ago

      Yes, I don't use those anymore :-) People complained :-)