Our project uses the tokens provided by Microsoft.Azure.Services.AppAuthentication. For example, if you want to access Key Vault and an Azure SQL database from the same identity:
using System;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// One provider instance serves both clients; it picks the credential from the
// environment (Managed Identity, Visual Studio, Azure CLI, ...), so no secret
// lives in the code or configuration.
var azureServiceTokenProvider = new AzureServiceTokenProvider();

// Use AzureServiceTokenProvider's built-in callback for KeyVaultClient
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

// Request an access token for SqlConnection. GetAccessTokenAsync is asynchronous,
// so it must be awaited. The connection string must not carry a user/password or
// Integrated Security, otherwise SqlConnection rejects the AccessToken.
using (var sqlConnection = new SqlConnection(YourConnectionString))
{
    sqlConnection.AccessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://database.windows.net");
    sqlConnection.Open();
}
Note: AzureServiceTokenProvider caches the tokens it obtains in memory and only goes back to Azure AD when a token is close to expiry, so the same instance can be reused for every call.
In the example, the resource (the audience the token is issued for) is "https://database.windows.net". For Azure Storage, the documented resource is "https://storage.azure.com/".
Everything went fine as long as we only managed the container itself (a management-plane operation on the storage account), but we got a 403 response as soon as we tried to download blob content.
403? Even though I have the Owner role! How is that possible?
The answer is in this blog post: Azure Storage has two separate sets of roles. Management-plane roles (Owner, Contributor, etc.) authorize operations on the storage account resource through Azure Resource Manager, while data-plane roles (Storage Blob Data Contributor, Storage Queue Data Reader, etc.) authorize reading and writing the blobs and queues themselves. Owner does not include those data actions, so an Azure AD token for an Owner is refused with 403 by the blob endpoint until a data-plane role is assigned to the identity (at the account or container scope; the assignment can take a few minutes to propagate). Note that Owner still allows listing the account keys, so key-based access keeps working; only Azure AD token-based data access needs the data-plane role. Once the data-plane role was set, manipulating blobs and queues was possible.
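To make the failure mode above visible in code, here is an added example (not from the original post) that requests a Storage token through AzureServiceTokenProvider, downloads a blob with the legacy Microsoft.Azure.Storage.Blob SDK, and distinguishes a missing data-plane role (403 with error code AuthorizationPermissionMismatch) from a rejected token (401). The account, container and blob names are placeholders, and the package reference to Microsoft.Azure.Storage.Blob is assumed.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;

// Added example: blob download with an Azure AD token, plus a clear diagnosis of
// the data-plane RBAC failure described in the post. Account/container/blob names
// are assumptions supplied by the caller, not values from the original post.
public static class BlobDataPlaneCheck
{
    // Resource identifier for Azure Storage (v1 endpoint, as used by the
    // AppAuthentication library). The trailing slash is part of the identifier.
    private const string StorageResource = "https://storage.azure.com/";

    public static async Task<string> DownloadBlobTextAsync(string accountName, string containerName, string blobName)
    {
        var tokenProvider = new AzureServiceTokenProvider();
        string accessToken = await tokenProvider.GetAccessTokenAsync(StorageResource);

        // Wrap the bearer token so the SDK sends "Authorization: Bearer <token>"
        // instead of a shared-key signature.
        var storageCredentials = new StorageCredentials(new TokenCredential(accessToken));
        var blobUri = new Uri($"https://{accountName}.blob.core.windows.net/{containerName}/{blobName}");
        var blob = new CloudBlockBlob(blobUri, storageCredentials);

        try
        {
            return await blob.DownloadTextAsync();
        }
        catch (StorageException ex) when (ex.RequestInformation?.HttpStatusCode == (int)HttpStatusCode.Forbidden)
        {
            // 403 AuthorizationPermissionMismatch: the token was accepted, but the
            // identity holds no data-plane role (e.g. Storage Blob Data Reader) on
            // this account or container. Owner/Contributor do not grant data actions.
            string code = ex.RequestInformation.ExtendedErrorInformation?.ErrorCode;
            throw new InvalidOperationException(
                $"Blob data-plane access denied ({code}). Assign a Storage Blob Data role to the " +
                "identity at the account or container scope and allow a few minutes for propagation.", ex);
        }
        catch (StorageException ex) when (ex.RequestInformation?.HttpStatusCode == (int)HttpStatusCode.Unauthorized)
        {
            // 401: the token itself was rejected (wrong resource/audience, expired, ...),
            // which is a different problem from missing RBAC.
            throw new InvalidOperationException(
                $"Token rejected by the blob endpoint; check that it was requested for {StorageResource}.", ex);
        }
    }
}
```

Call it as `await BlobDataPlaneCheck.DownloadBlobTextAsync("mystorageaccount", "mycontainer", "hello.txt")`. If it reports AuthorizationPermissionMismatch, the fix is a role assignment such as `az role assignment create --role "Storage Blob Data Reader" --assignee <principal object id> --scope <storage account resource id>` (narrow the scope to the container if the identity only needs that one), not a change to the code.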
Hope this helps!