I've been going through Azure blob documentation and Storage Analytics Logging but I don't see how to enable logging on user level. So, there is company Azure plan, each employee logs in with own credentials, but when we use Azure Storage Explorer (desktop version) I don't see anywhere logged in which user uploaded, deleted... which files/folders to the blob. What did we miss to do here?
https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-log-format#log-entry-format-20
In blob log format version 2.0 only, we have UserPricipalName.
I did tried, While the field is a uuid. Which is not user friendly.
Just for your reference.
Related
I set up a Storage Container (Blob) and a Role Assignement (Storage Account Contributor) to a App Registration with a client Secret-> so I can query the blob files in a runbook as a service principal. So far so fine. App Registartion has API Permission to Azure Storage and it run fine.
I then wanted to check my error-handling and output of the runbook when permissions are missing and removed the API Permission to Azure Storage on the App Registration. And nothing changed at all...The runbook succesfully created storage context and down-/uploaded the file without problem.
After some digging, I noticed that the object-id of the App Registration is different when I look at it in Access Control (IAM) of the storage container than when I load the object in Azure Active Directory (see pic below). So I thought well there must be some "noise" and removed and re-added the Role Assignement to the container. I then run into the error as expected.
After successfully worked on my error-handling i re-applied the permissions and...the error wont disapear. So I again looked at the objects and again...die object-ids where different. I had to remove the RBAC and re-add it to reflect the permission change. After re-adding still the same issue. I have different ID's.
Does anyone know why thats different? And why wont it reflect the permission change withour remove-re-add?
Thank you!
Storage Container vs AAD:
Azure AD app registration is backed by 2 directory objects: an application and a service principal. As its name implies, the latter is the principal for authentication/authorization. Thus, you will see 2 object ids.
Regarding the access issue, all the principal (user or service) needs is an RBAC role assigned, thus adding or removing application permissions won't make a difference.
I gave access to few of my colleagues on one of my Azure storage Account (Contributor).
The idea is to have them access (read and list) the data in the blob container, but I want to restrict them from downloading the data.
I tried the below:
Using SAS key with read and list still allowing them to download the blobs (Using Storage Explorer).
Giving them just reader access and "Storage blob data reader" access did not stop them from downloading the data.
Changing the blob access tier to "Archive" is not a solution that suites.
Tried creating a custom role, but failing to find the exact allow and disallow permissions.
I see the similar kind of question before but wasn't been answered yet # Restrict from downloading file on Azure Blob
Can you please help.
If a user has read permission on a blob (either through SAS Token or Azure AD role), they will be able to download the blob.
To prevent users from downloading a blob, remove read permissions on the blob for the users. For example if you are using a SAS Token, simply use List permissions there. Then the users will be able to see the list of the blobs but will not be able to download it.
Good day , I'm new in azure blob and don't know what kinds of experiments can be done with it, I have searched about it but still isn't clear to me. I'll be really gratefull if you can tell me about easy experiments that can be done in azure blob.
Blob storage stores unstructured data such as text, binary data, documents or media files.
Hope you meant the samples or the operations that can be done using azure blob when you say experiments.
You can do operations like uploading the files, downloading , listing etc. programmatically or through the UI.
You can above operations using languages such as .Net, Java,Python,JS..etc which you can find links in this documentation Azure Storage samples
But to access Azure Storage, you'll need an Azure subscription or free trial account. All access to Azure Storage takes place through a storage account. For this quickstart, create a storage account using the Azure portal.
Refer to Create a storage account
You can do above operations in portal directly .This sample blog can give you quick insights to perform them through portal.
A number of solutions exist for migrating existing data to Blob storage like AzCopy ,Azure datafactory etc
Introduction to Blob (object) storage - Azure Storage | Microsoft Docs
In Visual studio when publishing a worker role you need to select an storage account.
In this image I have already created and selected a storage account, but my application doesn't need it, if I delete the storage account visual studio won't let me publish the worker role unless I create and select a storage account.
Is there a way to publish a worker role without having a storage account?
Is there a way to publish a worker role without having a storage
account?
No. You would need a storage account to publish a worker role.
The reason for this is that a worker role deployment needs a storage account where the package file (*.cspkg) will be stored. The deployment process deploys the package file from that storage account. Once the deployment succeeds, you can delete that storage account.
Other than that, (as mentioned by Aravind in his answer) you would need a storage account if you have enabled diagnostics for your worker role as the diagnostics data for that role is stored in a storage account.
In azure cloud services the diagnostics will be stored in a WADlogs table ( table storage) in the storage account used with the cloud service. You can use some storage explorer to browse through the logs.
also it will be useful if you need to use some storage.Linked resources are easier and one does not have to remember which storage account is used in which service etc.
I had uploaded files mostly media files to Azure's File Storage, which I am able to see in Azure's Explorer as well. But when I view the file as anonymous user, I am not able to view the file. Tried to check with Permissions setting as well, but to no avail.
Any help would be welcomed :)
Azure files have Shared Access Signatures (SAS). This is a key that you compute with the storage account key, that gives access to a particular URL. Here is an example (storage account name is obfuscated here):
https://mystorageaccount.file.core.windows.net/sampleshare/2.png?sv=2015-04-05&sr=f&si=sampleread&sig=Zq%2BfflhhbAU4CkCuz9q%2BnUFEM%2Fsg2PbXe3L4MeCC9Bo%3D&sip=0.0.0.0-255.255.255.255
You have sample code on how to create a SAS with Azure files at https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-how-to-use-files/, ยง"Generate a shared access signature for a file or file share".
You can also do it interactively with a number of tools. For instance, CloudXPlorer has this feature.