Prevent app registration creating storage account container or delete blobs


I have been writing a C# application where, using a client ID and client secret, I am trying to upload a blob to a specific container on a storage account. The requirement is that the client should only be able to upload blobs to a specific container and no other operation should be allowed, such as creating containers, deleting containers, deleting blobs etc. Only access to one container with List and Create needs to be given to the app registration. Could anyone share a step by step approach?

I have been trying to see whether any policies can be defined but still could not find a way to achieve this. There is little on controlling container level access in the Microsoft documentation, so I could not achieve this. I also tried looking for defining conditions in role assignments and policies.

Venkatesan On

The requirement is that the client should only be able to upload blobs to a specific container and no other operations should be allowed, such as creating containers, deleting containers, or deleting blobs.

You can achieve this by creating an RBAC role assignment for the app registration at the container level, granting it the Storage Blob Data Contributor role. This will allow the app registration to perform blob-related operations on the container.

Here, I first assigned the Storage Blob Data Contributor role for the app registration to the particular container in my storage account.


Now, using the code below, I can upload to the specific container only (test).

Code:

using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

namespace BlobUploadDemo
{
    class Program
    {
        static async Task Main(string[] args)
        {
            string storageAccountName = "azureteststoragetemp";
            string containerName = "test";
            string blobName = "test.png";
            string clientId = "3xxxx";
            string clientSecret = "xxx"; // client secret redacted; never commit a real secret
            string tenantId = "xxx";

            // Authenticate as the app registration (service principal).
            TokenCredential tokenCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
            BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri($"https://{storageAccountName}.blob.core.windows.net"), tokenCredential);

            BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
            await containerClient.CreateIfNotExistsAsync();

            BlobClient blobClient = containerClient.GetBlobClient(blobName);

            // Verbatim string: "\x" and "\s" are not valid C# escape sequences.
            using (FileStream fileStream = File.OpenRead(@"C:\Users\xyz\sample.png"))
            {
                await blobClient.UploadAsync(fileStream, true);
            }

            Console.WriteLine("Blob uploaded successfully!");
        }
    }
}


Now, I changed my container name to test1 and I got an error mentioning:

Azure.RequestFailedException: 'This request is not authorized to perform this operation.
RequestId:3256d51c-101e-008b-148c-7b13c9000000
Time:2024-03-21T12:37:50.5896524Z
Status: 403 (This request is not authorized to perform this operation.


Update:

Here you can refer to link-1 and link-2 on customizing access to Azure Blob Storage using Azure role assignment conditions.
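A note on the role itself, added here by the editor and not part of the answer above: Storage Blob Data Contributor carries the `containers/blobs/delete` data action and the control-plane `containers/write` and `containers/delete` actions, so even scoped to one container it lets the app delete blobs and (as the answer's own `CreateIfNotExistsAsync` call shows) create the container. To match the question's "List and Create only" requirement, the assignment needs a custom role whose DataActions are just `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` (Get and List) and `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` (Put), with no container-level Actions, assigned at the container scope, or the role assignment conditions the update links to. The probe below is example code written for this page, not the answerer's program: it exercises the operations that should succeed and the ones that should be denied against whatever role is assigned and prints the HTTP status of each, so a 403 on every denied row confirms the assignment is as tight as intended. The environment variable names, the `OTHER_CONTAINER` used as a negative check, and the `probe-*` blob and container names are assumptions for the example.

```csharp
// Least-privilege probe for an app registration's container-scoped role (added example).
// Assumed configuration via environment variables: STORAGE_ACCOUNT, ALLOWED_CONTAINER,
// OTHER_CONTAINER (an existing container the app must NOT have access to),
// AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;

namespace BlobPermissionProbe
{
    class Program
    {
        static async Task Main()
        {
            string account = Env("STORAGE_ACCOUNT");
            var credential = new ClientSecretCredential(
                Env("AZURE_TENANT_ID"), Env("AZURE_CLIENT_ID"), Env("AZURE_CLIENT_SECRET"));
            var service = new BlobServiceClient(
                new Uri($"https://{account}.blob.core.windows.net"), credential);

            var allowed = service.GetBlobContainerClient(Env("ALLOWED_CONTAINER"));
            var other = service.GetBlobContainerClient(Env("OTHER_CONTAINER"));
            // A throwaway blob name so the probe never overwrites real data.
            var probeBlob = allowed.GetBlobClient($"probe-{Guid.NewGuid():N}.txt");
            var payload = BinaryData.FromString("permission probe");

            // Each row: description, whether it should succeed, and the call to make.
            // Note: no CreateIfNotExistsAsync before the upload; creating a container
            // is a control-plane action the app should not hold.
            var checks = new List<(string Name, bool ShouldSucceed, Func<Task> Call)>
            {
                ("upload blob to allowed container", true,
                    () => probeBlob.UploadAsync(payload, overwrite: true)),
                ("list blobs in allowed container", true, async () =>
                {
                    await foreach (var item in allowed.GetBlobsAsync()) { break; }
                }),
                ("delete blob in allowed container", false,
                    () => probeBlob.DeleteIfExistsAsync()),
                ("upload blob to other container", false,
                    () => other.GetBlobClient("probe.txt").UploadAsync(payload, overwrite: true)),
                ("create a new container", false, async () =>
                {
                    var scratch = service.GetBlobContainerClient($"probe-{Guid.NewGuid():N}");
                    await scratch.CreateAsync();
                    // Only reached if the role is too broad; clean up what we just created.
                    await scratch.DeleteAsync();
                }),
            };

            bool allAsExpected = true;
            foreach (var (name, shouldSucceed, call) in checks)
            {
                int status = await Run(call);
                bool succeeded = status < 400;
                bool ok = succeeded == shouldSucceed;
                allAsExpected &= ok;
                Console.WriteLine($"{(ok ? "OK  " : "FAIL")} {name}: HTTP {status} " +
                                  (shouldSucceed ? "(expected success)" : "(expected 403)"));
            }

            Console.WriteLine(allAsExpected
                ? "Role assignment grants exactly the intended operations."
                : "Role assignment grants more (or less) than intended; review the role and scope.");
        }

        // Runs the call and returns its HTTP status: 200 on success, otherwise the
        // status carried by RequestFailedException (403 = not authorized).
        static async Task<int> Run(Func<Task> call)
        {
            try { await call(); return 200; }
            catch (RequestFailedException ex) { return ex.Status; }
        }

        static string Env(string name) =>
            Environment.GetEnvironmentVariable(name)
            ?? throw new InvalidOperationException($"Set environment variable {name}");
    }
}
```

Run it once against the Storage Blob Data Contributor assignment and the "delete blob" row will report success, which is the gap the question is asking to close; run it again after switching to the read/write-only custom role (or adding the conditions from the update) and all rows should read OK.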