Use a Windows VM system-assigned managed identity to access Azure Storage via a SAS credential

Prerequisites

Assigning TLS1.2 to Storage Account and VM
Adding the VM to the firewall subnet inclusions
Create a System Managed Identity and assign to VM
Give that System Managed Identity RBAC over the storage account

Azure PowerShell Modules

1
2
3
4
5
6
7


 Install-Module AzureRM 

 Install-Module Azure -AllowClobber 

 Install-Module Az -AllowClobber

#AllowClobber flag removes the overlap between AzureRM, Az, and Azure PS Modules’ conflicting command names. 

PowerShell Script

TLS1.2 can be set it the portal settings as well – following command must have Admin privs.

`1`	`[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`

The purpose of these self-assigned link-local addresses is to facilitate communication with other hosts within the subnet even in the absence of external address configuration (via manual input or DHCP). Unlike in IPv6, implementation of IPv4 link-local addresses is recommended only in the absence of a normal, routable address.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22


$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -Method GET -Headers @{Metadata="true"}

$content = $response.Content | ConvertFrom-Json

$ArmToken = $content.access_token


$params = @{canonicalizedResource="/<container name>/<storage account>/<blob name>";signedResource="c";signedPermission="rcw";signedProtocol="https";signedExpiry="<signed expiry>"}

$jsonParams = $params | ConvertTo-Json


$sasResponse = Invoke-WebRequest -Uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resource group> /providers/Microsoft.Storage/storageAccounts/<storage account>/listServiceSas/?api-version=2017-06-01 -Method POST -Body $jsonParams -Headers @{Authorization="Bearer $ArmToken"}


$sasContent = $sasResponse.Content | ConvertFrom-Json

$sasCred = $sasContent.serviceSasToken



$ctx = New-AzStorageContext -StorageAccountName a3dvcseburpstr01 -SasToken $sasCred

The following function uploads a blank test file to the blob container

1

Set-AzStorageBlobContent -File test.txt -Container <container name> -Blob <blob name>-Context $ctx

Terminology

SAS Credential: A Service SAS provides the ability to grant limited access to objects in a storage account, for limited time and a specific service (in our case, the blob service), without exposing an account access key.

PowerShell Module: A module is a package that contains PowerShell members, such as cmdlets, providers, functions, workflows, variables, and aliases. The members of this package can be implemented in a PowerShell script, a compiled DLL, or a combination of both. These files are usually grouped together in a single directory.

Managed Identities: On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. This also helps accessing Azure Key Vault where developers can store credentials in a secure manner. Managed identities for Azure resources solve this problem by providing Azure services with an automatically managed identity in Azure AD.

TLS1.2: Why use TLS 1.2 with Configuration Manager?

TLS 1.2 is more secure than the previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. Essentially, TLS 1.2 keeps data being transferred across the network more secure.