Using Service Principal with AzCopy & Azure CLI to manage blobs in Storage Account
Date: 06/03/2021  Categories: azure

In this blog we will look at using service principals with AzCopy and Azure CLI to connect to storage accounts and manage blob data.

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it’s always recommended to use service principals with automated tools rather than a user identity.

1. Creating a service principal

To create a service principal we will use Cloud Shell in the Azure Portal with the az ad sp create-for-rbac command. The command below assigns an Azure Storage data-access role to the new service principal; additionally, provide the scope for the role assignment. For more information about the built-in roles provided for Azure Storage, see Azure built-in roles. Note: save the output of the create SPN command, since its values are needed in the following steps.

az ad sp create-for-rbac `
 --name <service-principal> `
 --role "Storage Blob Data Contributor" `
 --scopes /subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>
Figure 1: Creating service principal

Assigning roles to the service principal

Once the service principal is created, we also need to grant the ‘Reader’ role on the storage account to the service principal. This grants the SPN read access to the storage resource at the assigned scope (the storage account in the command below). Please refer to our documentation on assigning roles for access to blob data: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal

az role assignment create --assignee "<appId>" `
 --role "Reader" `
 --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
Figure 2: Role assignments
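With both assignments in place it is worth confirming that the SPN holds nothing beyond them. The bash script below is an added example (not from this post): it checks the tab-separated output of az role assignment list --assignee <appId> --all --query "[].[roleDefinitionName,scope]" -o tsv against the expected storage-account scope, and the sample lines it runs on are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify that a service principal holds only the
# two roles from this walkthrough, and only at (or below) the target storage account.
# Input lines are "<roleDefinitionName><TAB><scope>", as printed by:
#   az role assignment list --assignee <appId> --all --query "[].[roleDefinitionName,scope]" -o tsv
set -eu

# Reads TSV lines from stdin; prints one finding per problem and returns 1 if any were found.
audit_sp_roles() {
  local expected_scope="$1" role scope bad=0
  while IFS=$(printf '\t') read -r role scope; do
    [ -n "$role" ] || continue
    case "$role" in
      "Storage Blob Data Contributor"|"Reader") ;;
      *) echo "UNEXPECTED ROLE: '$role' at $scope" >&2; bad=1; continue ;;
    esac
    case "$scope" in
      "$expected_scope"|"$expected_scope"/*) ;;   # the account itself or a child such as a container
      *) echo "OVERBROAD SCOPE: '$role' at $scope (expected $expected_scope or below)" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample: the two intended assignments plus a Contributor grant at subscription level.
SUB='/subscriptions/00000000-0000-0000-0000-000000000000'
ACCOUNT="$SUB/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
SAMPLE=$(printf 'Storage Blob Data Contributor\t%s\nReader\t%s\nContributor\t%s\n' "$ACCOUNT" "$ACCOUNT" "$SUB")

if printf '%s\n' "$SAMPLE" | audit_sp_roles "$ACCOUNT"; then
  echo "role assignments match the least-privilege setup"
else
  echo "review the findings above" >&2
fi
```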

2. Using service principal with AzCopy

AzCopy is a command-line tool that moves data into and out of Azure Storage. To learn more about AzCopy, please refer to the official documentation.

Login as service principal

Next we log in as the service principal in AzCopy using the azcopy login command. The values for the --application-id and --tenant-id options and for the AZCOPY_SPA_CLIENT_SECRET environment variable come from the output saved in step 1 when the service principal was created.

$env:AZCOPY_SPA_CLIENT_SECRET="$(Read-Host -prompt "Enter key")"

azcopy login `
 --service-principal `
 --application-id "<appId>" `
 --tenant-id "<tenantId>"

Figure 3: AzCopy login

Performing copy operations

Once successfully logged in, we can upload and download files with the azcopy copy command using the OAuth token of the service principal.

Upload example

azcopy copy "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"

Figure 4: Upload blob with AzCopy

Download example

azcopy copy "https://[account].blob.core.windows.net/[container]/[path/to/blob]" "/path/to/file.txt"

Figure 5: Download blob with AzCopy
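Read-Host suits an interactive session; an unattended job needs the secret from somewhere other than the command line or shell history. The bash wrapper below is an added example (not part of the original post): it loads the secret from a mode-600 file into AZCOPY_SPA_CLIENT_SECRET, performs the login and copy from this section, then logs out and clears the variable; the IDs, paths and blob URL are placeholders, and AZCOPY can be pointed at echo for a dry run.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: unattended AzCopy upload as a service principal.
# The client secret is read from a permission-restricted file into AZCOPY_SPA_CLIENT_SECRET,
# never passed as an argument, and is cleared after the copy. Set AZCOPY=echo for a dry run.
set -eu

AZCOPY="${AZCOPY:-azcopy}"

# Refuse a secret file that group or others can read (expects mode 600 or 400).
check_secret_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "secret file not found: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) return 0 ;;
    *)   echo "secret file $f is group/world readable (mode $mode)" >&2; return 1 ;;
  esac
}

# Log in with the SPN, copy one file to the blob URL, then log out and drop the secret.
# Returns AzCopy's copy exit status so a scheduler can see failures.
sp_upload() {
  local app_id="$1" tenant_id="$2" secret_file="$3" src="$4" dst="$5" rc=0
  check_secret_file "$secret_file"
  AZCOPY_SPA_CLIENT_SECRET="$(cat "$secret_file")"
  export AZCOPY_SPA_CLIENT_SECRET
  if "$AZCOPY" login --service-principal --application-id "$app_id" --tenant-id "$tenant_id"; then
    "$AZCOPY" copy "$src" "$dst" || rc=$?
    "$AZCOPY" logout >/dev/null 2>&1 || true   # remove the cached token
  else
    rc=1
  fi
  unset AZCOPY_SPA_CLIENT_SECRET
  return "$rc"
}

# Usage with placeholder values; runs only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
  sp_upload "<appId>" "<tenantId>" /etc/azcopy/sp.secret /data/report.csv \
    "https://<account>.blob.core.windows.net/<container>/report.csv"
fi
```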

3. Using service principal with Azure CLI

The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation. To learn more about Azure CLI and how to install it, please refer to the official documentation.

Login as service principal in Azure CLI

Once we have installed Azure CLI we can use the az login command to log in with our service principal.

az login \
--service-principal \
--username "<appId>" \
--password "<secret>" \
--tenant "<tenantId>"

Figure 6: Azure CLI login

Performing Azure CLI storage & blob operations

We can now run storage and blob commands against the storage accounts that the service principal has access to.

List storage accounts

az storage account list \
--output table

Figure 7: List storage accounts

List blobs

az storage blob list \
--container-name <container-name> \
--account-name <storage-account-name> \
--auth-mode login

Figure 8: List blobs

Download blob

az storage blob download \
--name <blob-name> \
--file "/path/to/file.txt" \
--container-name <container-name> \
--account-name <storage-account-name> \
--auth-mode login

Figure 9: Download blob with Azure CLI

Delete blob

az storage blob delete \
--name <blob-name> \
--container-name <container-name> \
--account-name <storage-account-name> \
--auth-mode login

Figure 10: Delete blob with Azure CLI

Upload blob

az storage blob upload \
--name <blob-name> \
--file "/path/to/file.txt" \
--container-name <container-name> \
--account-name <storage-account-name> \
--auth-mode login

Figure 11: Upload blob with Azure CLI