Granting access to your Azure Object Storage Source
  • 14 Feb 2024


Article Summary

This article describes the steps a Provider follows to grant Bobsled access to an Azure Blob Storage container that will be used as a source in Bobsled. You will:

Prerequisites 

To configure Bobsled access to the container, your account must be able to consent to applications and to assign roles in Azure:

  • The Bobsled Azure Application requests minimal permissions and by default does not require admin consent, so any user in the organization's tenant should be able to consent to it. A user's ability to consent may, however, be restricted by the tenant's user-consent policies. If a permissions error occurs, contact your Azure AD administrator.
  • Azure role assignments can be created by an account holding Owner or User Access Administrator at the scope in question (subscription, resource group, storage account or container). Owner at the storage account level is sufficient for every step in this article.

(1) Consent to the Bobsled Azure Application

Consent must be granted in the Azure tenant in which your source data resides. If your own account cannot consent, contact an account owner with the appropriate permissions in that tenant. Consent is what creates the application's service principal in your tenant, so it has to happen before any role can be assigned to it.

Consent in the UI

To consent to the Bobsled Azure Application within the Bobsled UI, see Configure an Azure Blob Storage Source.

Consent programmatically

If you would prefer to consent programmatically, run the following command in the Azure CLI. Note that this grants tenant-wide admin consent (not per-user consent), so the account running it needs a role that can grant admin consent, such as Global Administrator. The value of --id is the Bobsled application (client) ID shown in the Bobsled UI.

az ad app permission admin-consent --id <Bobsled App ID>

(2) Assign Bobsled Azure Application Access to Source

Bobsled needs two roles: Storage Blob Delegator on the storage account, which allows it to request a user delegation key (the key is account-scoped, so this role cannot be assigned any lower), and Storage Blob Data Reader on the container, which is what actually bounds the data it can read. A user delegation SAS minted from that key never grants more than the RBAC permissions of the principal that requested it.

Assign roles programmatically

In the following commands, replace the placeholders with the Bobsled Application ID, your subscription ID, resource group name, storage account name and container name. The Application ID is resolved by --assignee to the service principal created when you consented; if consent has not been granted yet, the assignment fails because that principal does not exist in your tenant. New role assignments can take a few minutes to take effect.

To find the Bobsled Application ID in the Bobsled UI, see Configure an Azure Blob Storage Source.

Step 1: Assign Storage Blob Delegator at the storage account level

az role assignment create --assignee {Bobsled App ID} --role "Storage Blob Delegator" --scope "/subscriptions/{subscriptionID}/resourceGroups/{resource group name}/providers/Microsoft.Storage/storageAccounts/{storage account name}"
Step 2: Assign Storage Blob Data Reader at the container level

To allow Bobsled to access an entire container:

az role assignment create --assignee {Bobsled App ID} --role "Storage Blob Data Reader" --scope "/subscriptions/{subscriptionID}/resourceGroups/{resource group name}/providers/Microsoft.Storage/storageAccounts/{storage account name}/blobServices/default/containers/{container name}"

To allow Bobsled to access only a folder within a container, attach an ABAC condition to the same container-scoped assignment:

Note: The '/' after the folder name is required. StringStartsWith is a plain prefix match, so 'exports' would also match a folder named 'exports-old'; 'exports/' does not.

az role assignment create --assignee {Bobsled App ID} --role "Storage Blob Data Reader" --scope "/subscriptions/{subscriptionID}/resourceGroups/{resource group name}/providers/Microsoft.Storage/storageAccounts/{storage account name}/blobServices/default/containers/{container name}" --condition "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{container-name}' AND @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith '{folder-name}/'))"

Read the condition carefully before relying on it as a security boundary: it constrains only the Blob.List sub-operation (listing blobs, via the request's prefix attribute). Every other read is allowed by the first clause, so a Get Blob request for a blob outside the folder, addressed directly by path, still succeeds under the container-level Storage Blob Data Reader role. This is enough to keep Bobsled's listing confined to the folder; if you also need direct reads confined, add a second clause on the blob path resource attribute.
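The script below is an added example, not Bobsled's tooling or an Azure-supplied script. It assembles the folder-scoped "Storage Blob Data Reader" assignment from the inputs used in the steps above, enforces the trailing '/' rule, and builds a two-clause condition that limits both direct blob reads (by blob path) and blob listing (by request prefix) to the folder, following the pattern of Microsoft's published ABAC examples. The app ID, subscription, resource group, storage account, container and folder passed at the bottom are constructed placeholders; --condition-version is set explicitly rather than relying on the CLI default.

```shell
#!/bin/sh
# Added example (not Bobsled's own code). Builds and, unless DRY_RUN is set,
# runs the folder-scoped role assignment. All values at the bottom are placeholders.
set -eu

# ARM resource ID of a blob container (the --scope used on this page).
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Normalise the folder: drop a leading '/', refuse an empty value, and add the
# trailing '/' the condition needs (without it 'exports' also matches 'exports-old').
normalize_prefix() {
  p="${1#/}"
  case "$p" in
    "")  echo "folder name must not be empty" >&2; return 1 ;;
    */)  printf '%s' "$p" ;;
    *)   printf '%s/' "$p" ;;
  esac
}

# ABAC condition, syntax version 2.0. Clause 1 gates non-list reads on the
# blob's path attribute; clause 2 (the one shown on this page) gates
# Blob.List on the request's prefix attribute.
folder_condition() {
  container="$1"; prefix="$2"
  read_action="ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}"
  name_attr="@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]"
  path_attr="@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path]"
  prefix_attr="@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix]"
  printf "((!(%s AND NOT SubOperationMatches{'Blob.List'})) OR (%s StringEquals '%s' AND %s StringStartsWith '%s')) AND ((!(%s AND SubOperationMatches{'Blob.List'})) OR (%s StringEquals '%s' AND %s StringStartsWith '%s'))" \
    "$read_action" "$name_attr" "$container" "$path_attr" "$prefix" \
    "$read_action" "$name_attr" "$container" "$prefix_attr" "$prefix"
}

# Print the az command for review when DRY_RUN is set; otherwise run it.
assign_folder_reader() {
  app_id="$1"; sub="$2"; rg="$3"; account="$4"; container="$5"; folder="$6"
  prefix="$(normalize_prefix "$folder")"
  scope="$(container_scope "$sub" "$rg" "$account" "$container")"
  cond="$(folder_condition "$container" "$prefix")"
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'az role assignment create --assignee %s --role "Storage Blob Data Reader" --scope "%s" --condition-version 2.0 --condition "%s"\n' \
      "$app_id" "$scope" "$cond"
  else
    az role assignment create --assignee "$app_id" --role "Storage Blob Data Reader" \
      --scope "$scope" --condition-version "2.0" --condition "$cond"
  fi
}

# Constructed placeholder values; drop DRY_RUN=1 to apply the assignment for real.
DRY_RUN=1 assign_folder_reader 00000000-0000-0000-0000-000000000000 \
  11111111-1111-1111-1111-111111111111 my-rg mystorageacct mycontainer /exports
```

After running it for real, confirm the assignment and its condition with `az role assignment list --assignee {Bobsled App ID} --all --output table`, and allow a few minutes for propagation before testing access from Bobsled.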

Assign roles using the Azure Portal

In the following steps, you will need the Bobsled Application name. To find the Application name, navigate back to the "Azure Blob Storage Source set up" page outlined in Configure an Azure Blob Storage Source.

Step 1: Assign Storage Blob Delegator at the storage account level

1. In the Azure Portal, navigate to "Storage accounts" and select the storage account in which your source container resides.

2. Select Access Control (IAM) > Add role assignment.

3. Search for the role "Storage Blob Delegator". Select the role and press Next.

4. Under Members, select "User, group, or service principal".

5. Click "+ Select members" and enter the name of the Bobsled Azure Application.

6. Select "Review + assign" to create the role assignment.


Step 2: Assign Storage Blob Data Reader at the container level

1. In the Azure Portal, navigate to "Storage accounts" and select the storage account in which your source container resides.

2. Under Data storage, click "Containers" and select your container.

3. From the sidebar, select "Access Control (IAM)", then "Add role assignment".

4. Search for the role "Storage Blob Data Reader". Select the role and press Next.

5. Under Members, select "User, group, or service principal".

6. Click "Select members" and enter the name of the Bobsled Azure Application.

7. If Bobsled may access the entire container, select "Review + assign" to create the role assignment. Otherwise continue with the folder steps below before assigning.


The following steps apply only if you want to limit access to a specific folder within your container.

1. Open the "Conditions" tab, select "Add condition", and set the Editor type to "Code".

2. Paste in the following condition (the same one used in the CLI steps above). Replace {container-name} and {folder-name} with the correct values. The '/' after the folder name is required, since StringStartsWith is a plain prefix match.

( ( !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'}) ) OR ( @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '{container-name}' AND @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith '{folder-name}/' ) )

3. Click Save to save the condition.

4. Select "Review + assign" to create the role assignment.

