Tags: azure, azure-blob-storage, azure-managed-identity, azure-data-lake-gen2, azure-sdk-for-java

How to use a managed identity to connect to an Azure blob storage account and to manage container ACLs using the Azure SDK for Java


I'm connecting to the storage account using a connection string and access keys. For coding, I use the Azure SDK for Java.

Now, instead of a connection string, I must use a managed identity to connect to the storage account and to manage its ACL.

DataLakeServiceClientBuilder builder = new DataLakeServiceClientBuilder();
builder.credential(getManagedIdentity()); 
builder.endpoint(<storage account end point>); 

The managed identity has the Storage Account Contributor role and the Storage Blob Data Owner role.

I am not using any SharedCredential, but I am getting the following error.

Signature did not match , you can compare the String to sign in with the one genreated by sdk

So, is there another role necessary to connect storage accounts and control blob ACLs using managed identity?


Solution

  • Signature did not match , you can compare the String to sign in with the one genreated by sdk

    The error may be an issue with the signature. Make sure the managed identity has the necessary permissions to access the storage account, and verify again that the endpoint you are using is valid.

    How to use managed identity to connect Azure blob storage account and to manage container ACL using azure SDK for Java?

    You can use the code below to access the storage account and manage the ACL with a managed identity using the Azure Java SDK.

    Here is the MS document on authenticating with a user-assigned managed identity against a storage account. I tried the same thing, assigning Storage Blob Data Owner to the managed identity to access all directories and files in the account.

    Code:

     import java.util.List;

     import com.azure.identity.DefaultAzureCredential;
     import com.azure.identity.DefaultAzureCredentialBuilder;
     import com.azure.storage.file.datalake.DataLakeDirectoryClient;
     import com.azure.storage.file.datalake.DataLakeFileSystemClient;
     import com.azure.storage.file.datalake.DataLakeFileSystemClientBuilder;
     import com.azure.storage.file.datalake.models.PathAccessControl;
     import com.azure.storage.file.datalake.models.PathAccessControlEntry;
     import com.azure.storage.file.datalake.models.PathPermissions;
     import com.azure.storage.file.datalake.models.RolePermissions;

     public class ManageAcl {
         public static void main(String[] args) {
             String endpoint = "https://xxxx.dfs.core.windows.net";
             String fileSystemName = "xxx";

             // Token credential for the user-assigned managed identity; no shared key is used.
             DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
                     .managedIdentityClientId("0faxxxx9")
                     .build();
             DataLakeFileSystemClient fileSystemClient = new DataLakeFileSystemClientBuilder()
                     .credential(defaultCredential)
                     .endpoint(endpoint)
                     .fileSystemName(fileSystemName)
                     .buildClient();

             DataLakeDirectoryClient directoryClient = fileSystemClient.getDirectoryClient("xx");

             // Read and print the current ACL of the directory.
             PathAccessControl directoryAccessControl = directoryClient.getAccessControl();
             List<PathAccessControlEntry> pathPermissions = directoryAccessControl.getAccessControlList();
             System.out.println(PathAccessControlEntry.serializeList(pathPermissions));

             // Build the new POSIX permissions: owner rwx, group r-x, other rw-.
             RolePermissions groupPermission = new RolePermissions();
             groupPermission.setExecutePermission(true).setReadPermission(true);

             RolePermissions ownerPermission = new RolePermissions();
             ownerPermission.setExecutePermission(true).setReadPermission(true).setWritePermission(true);

             RolePermissions otherPermission = new RolePermissions();
             otherPermission.setReadPermission(true).setWritePermission(true);

             PathPermissions permissions = new PathPermissions();
             permissions.setGroup(groupPermission);
             permissions.setOwner(ownerPermission);
             permissions.setOther(otherPermission);

             // Apply the permissions; null group and owner leave them unchanged.
             directoryClient.setPermissions(permissions, null, null);

             // Read the ACL back to confirm the change.
             pathPermissions = directoryClient.getAccessControl().getAccessControlList();
             System.out.println(PathAccessControlEntry.serializeList(pathPermissions));
         }
     }


    The above uses managed identity to retrieve a DataLakeDirectoryClient object for a specific directory within a file system and to authenticate with Azure Active Directory (AD). The modified access control list is then retrieved using the getAccessControl function, and new permissions are set for the directory using the setPermissions method.

    Output:

    user::rwx,group::r-x,other::r--
    user::rwx,group::r-x,other::rw-
    

    Portal: [screenshot of the directory ACL in the Azure portal, not reproduced]

    Reference:

    Use Java to manage ACLs in Azure Data Lake Storage Gen2 - Azure Storage | Microsoft Learn
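
As an added example, separate from the answer's code above and not from the question, the answer, or the Microsoft documentation: the snippet above changes the POSIX owner/group/other classes, which widens access for every caller in a class. The variant below uses the same SDK and a managed identity token to grant one named Azure AD principal read and execute on a directory, leaving the other entries as they are, and re-reads the ACL to confirm what the service actually applied. The class name GrantDirectoryAcl, the helper grantReadExecute, and the endpoint, container, directory, managed identity client ID and grantee object ID are all placeholders chosen for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.storage.file.datalake.DataLakeDirectoryClient;
import com.azure.storage.file.datalake.DataLakeFileSystemClientBuilder;
import com.azure.storage.file.datalake.models.AccessControlType;
import com.azure.storage.file.datalake.models.PathAccessControlEntry;
import com.azure.storage.file.datalake.models.RolePermissions;

/**
 * Added example: grant a single principal r-x on a directory via a named ACL
 * entry, authenticating with a managed identity instead of a shared key.
 */
public class GrantDirectoryAcl {

    // Placeholder values for this example; replace with your own.
    static final String ENDPOINT = "https://<storage-account>.dfs.core.windows.net";
    static final String FILE_SYSTEM = "<container>";
    static final String DIRECTORY = "<directory>";
    static final String MI_CLIENT_ID = "<client-id-of-user-assigned-identity>";
    static final String GRANTEE_OBJECT_ID = "<object-id-of-principal-to-grant>";

    public static void main(String[] args) {
        // A TokenCredential sends an Azure AD bearer token; the SDK computes no
        // shared-key signature on this path, so a "Signature did not match"
        // response usually means a shared key or SAS is still being used
        // somewhere in the client setup. Omit clientId() for a system-assigned identity.
        TokenCredential credential = new ManagedIdentityCredentialBuilder()
                .clientId(MI_CLIENT_ID)
                .build();

        DataLakeDirectoryClient directory = new DataLakeFileSystemClientBuilder()
                .credential(credential)
                .endpoint(ENDPOINT)
                .fileSystemName(FILE_SYSTEM)
                .buildClient()
                .getDirectoryClient(DIRECTORY);

        // Read the ACL before changing anything, so existing entries are preserved.
        List<PathAccessControlEntry> before = directory.getAccessControl().getAccessControlList();
        System.out.println("before: " + PathAccessControlEntry.serializeList(before));

        List<PathAccessControlEntry> desired = grantReadExecute(before, GRANTEE_OBJECT_ID);
        // Null group and owner arguments leave the owning user and group unchanged.
        directory.setAccessControlList(desired, null, null);

        // Re-read rather than trust the local list: named entries are limited by
        // the mask entry, so the effective permission is what the service reports.
        List<PathAccessControlEntry> applied = directory.getAccessControl().getAccessControlList();
        System.out.println("after:  " + PathAccessControlEntry.serializeList(applied));
    }

    /**
     * Returns a copy of {@code current} with an access entry and a default-scope
     * entry granting r-x to {@code objectId}. Any existing entries for that
     * principal are replaced so the call is idempotent; all other entries,
     * including the POSIX "other" class, are left untouched.
     */
    static List<PathAccessControlEntry> grantReadExecute(List<PathAccessControlEntry> current,
                                                         String objectId) {
        List<PathAccessControlEntry> acl = new ArrayList<>();
        for (PathAccessControlEntry e : current) {
            boolean samePrincipal = AccessControlType.USER.equals(e.getAccessControlType())
                    && Objects.equals(e.getEntityId(), objectId);
            if (!samePrincipal) {
                acl.add(e);
            }
        }
        // Execute is required to traverse a directory; the default-scope entry
        // makes children created later inherit the same r-x grant.
        for (boolean defaultScope : new boolean[] {false, true}) {
            acl.add(new PathAccessControlEntry()
                    .setDefaultScope(defaultScope)
                    .setAccessControlType(AccessControlType.USER)
                    .setEntityId(objectId)
                    .setPermissions(new RolePermissions()
                            .setReadPermission(true)
                            .setExecutePermission(true)));
        }
        return acl;
    }
}
```

setAccessControlList changes only the directory itself; to apply the same entries to children that already exist, the same client also offers setAccessControlRecursive and updateAccessControlRecursive, which take the entry list and return a change result you should inspect for failures. The identity running this needs a role that permits ACL changes, such as the Storage Blob Data Owner role the question already assigns.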