I have a web app that should be able to read from a blob storage and write to it. The application is a daemon application, so there is no user signed-in. After reading Azure docs I understand that I should register a client application in Azure AD and use client credentials flow. So authentication flow is the following: the app acquires an access token from the Azure AD OAuth endpoint and uses it in requests to the blob storage API.
So far I registered a client application in Azure AD but got stuck trying to grant the right permissions. After following these steps "Manage -> API permissions -> Add a permissions -> Azure Storage" I cannot activate the Application Permissions button (see the screenshot). The Delegated permissions button is active but if I'm not mistaken it doesn't suit me because there is no user signed-in to the application.
What am I doing wrong? Are there any other ways to grant the right permissions?
CodePudding user response:
You don't need to grant permissions in the app registration in this scenario. You need to grant e.g. Storage Blob Data Contributor role in Azure RBAC to the application. For example, if you want the app to be able to read/write blobs in any container in a Storage account, you can assign this role on the Storage account (Access control (IAM) tab).