How can you securely retrieve storage account keys?

Time: 05-25

I'm trying to programmatically set access policies on containers within a storage account. Ideally I'd like to do this using Managed Identity but it looks like it's not supported at the moment (see here).

So at present it looks like I need to use the storage account key so the container client can create access policies. This brings me to the main part of my question. Is it best practice to store these keys in Key Vault and retrieve them using the managed identity, or to retrieve them directly? Keeping keys in Key Vault like this is stated as legacy though (or perhaps it's just those specific methods, as Azure CLI is legacy as well). So it looks like this has fallen through the cracks somehow, in that in one place it's stated as legacy but in another it's not supported yet.

If I opt for the direct route, what is the best way to do this? Can I still use the managed identity in this case? Looking here it looks like I can, as it uses Azure Active Directory, which is what I believe backs managed identity.

At the moment it's very confusing how I should programmatically set access policies to a container, but hopefully someone else has come across this need and has got a good example.

CodePudding user response:

If I opt for the direct route, what is the best way to do this?

As you mentioned in the question, Storage Accounts - List Keys is the way to go for fetching access keys for a storage account.

Can I still use the managed identity in this case?

Yes, you most certainly can. Please ensure that your Managed Identity has permissions to perform the List Keys operation on the storage account. Owner and Contributor roles definitely have that permission, but you can also opt for the Storage Account Contributor or Storage Account Key Operator Service Role role if you do not want to assign your Managed Identity more powerful roles like Owner or Contributor.
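As an added example (not part of the answer above, and not an Azure SDK sample), the following standard-library-only Python shows the "direct route" the answer describes: the managed identity is exchanged for an ARM token at the instance metadata (IMDS) endpoint, that token is used to call Storage Accounts - List Keys, and one key is picked out of the response. The helper names, the `2023-01-01` API version, and the sample response body are this example's own assumptions; the network-calling function will only work on an Azure host whose identity holds a role containing `Microsoft.Storage/storageAccounts/listKeys/action` (for example Storage Account Key Operator Service Role).

```python
"""Fetch a storage account key via ARM "List Keys" using a managed identity.

Added example using only the Python standard library. Assumptions: the code
runs on an Azure VM / App Service host where the IMDS endpoint is reachable,
and the host's managed identity holds a role that includes
Microsoft.Storage/storageAccounts/listKeys/action.
"""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM_RESOURCE = "https://management.azure.com/"
STORAGE_API_VERSION = "2023-01-01"  # assumption: a Microsoft.Storage version that exposes listKeys


def imds_token_request(resource=ARM_RESOURCE):
    """Build the IMDS request that exchanges the managed identity for an ARM token.

    Returns (url, headers). The 'Metadata: true' header is mandatory: IMDS
    rejects requests without it, which is what stops a plain browser-driven
    SSRF GET from minting tokens.
    """
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def list_keys_url(subscription_id, resource_group, account_name,
                  api_version=STORAGE_API_VERSION):
    """ARM endpoint for Storage Accounts - List Keys (called with POST, empty body)."""
    path = (
        f"/subscriptions/{urllib.parse.quote(subscription_id)}"
        f"/resourceGroups/{urllib.parse.quote(resource_group)}"
        f"/providers/Microsoft.Storage/storageAccounts/{urllib.parse.quote(account_name)}"
        "/listKeys"
    )
    return f"{ARM_RESOURCE.rstrip('/')}{path}?api-version={api_version}"


def pick_key(list_keys_body, key_name="key1"):
    """Parse the listKeys JSON body and return the value of the named key.

    Raises instead of silently falling back, so a caller never ends up with
    a missing key or one that does not carry FULL permissions.
    """
    doc = json.loads(list_keys_body) if isinstance(list_keys_body, (str, bytes)) else list_keys_body
    for entry in doc.get("keys", []):
        if entry.get("keyName") == key_name:
            if entry.get("permissions", "").upper() != "FULL":
                raise PermissionError(f"{key_name} does not carry FULL permissions")
            return entry["value"]
    raise KeyError(f"{key_name} not present in listKeys response")


def _request(url, headers, method, body=None):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def get_storage_account_key(subscription_id, resource_group, account_name, key_name="key1"):
    """End-to-end: IMDS token -> ARM listKeys -> key value. Requires network access."""
    token_url, token_headers = imds_token_request()
    token = json.loads(_request(token_url, token_headers, "GET"))["access_token"]
    url = list_keys_url(subscription_id, resource_group, account_name)
    body = _request(url, {"Authorization": f"Bearer {token}", "Content-Length": "0"}, "POST", b"")
    # The key is a long-lived secret: never log it, and hold it only as long as
    # the container client that sets the access policy needs it.
    return pick_key(body, key_name)


# Constructed sample of a listKeys response body (not captured from Azure);
# the key values are placeholders, not real material.
SAMPLE_LIST_KEYS_BODY = json.dumps({
    "keys": [
        {"keyName": "key1", "value": "AAAA...placeholder-key1...==", "permissions": "FULL"},
        {"keyName": "key2", "value": "BBBB...placeholder-key2...==", "permissions": "FULL"},
    ]
})

if __name__ == "__main__":
    print(list_keys_url("00000000-0000-0000-0000-000000000000", "rg-demo", "stdemo"))
    print(pick_key(SAMPLE_LIST_KEYS_BODY))
```

The token request and the URL builder are kept separate from the network call so the request shapes can be checked offline; on a real host `get_storage_account_key` returns the key that a container client then uses to set the access policy. Because the key grants full control of the account, scope the identity's role to the one storage account rather than the subscription, and rotate the key (List Keys returns `key1` and `key2` precisely so one can be regenerated while the other stays in use).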
