ListKeys permissions required for adding queue message to Azure Storage using Windows Powershell Az module


Using the Az module for Powershell I need to put a message onto an Azure Storage queue. Proper RBAC permissions are assigned. I can do this just fine with the Azure CLI (which at the moment I cannot use on my target system unfortunately).

    function azLoginWithServicePrincipal {
        $tid = "tenant-id-guid"
        $appId = "app-id-guid"
        $thumb = "cert-thumbprint"
        # Certificate-based service principal sign-in
        Connect-AzAccount -ServicePrincipal -TenantId $tid -CertificateThumbprint $thumb -ApplicationId $appId
    }
    
    function enqueueMessage {
        param([string]$rg, [string]$acc, [string]$queue, [object]$msg)
        
        $json = [Microsoft.Azure.Storage.Queue.CloudQueueMessage]::new(($msg | ConvertTo-Json))
        # Control-plane (ARM) lookup of the account; its .Context is a key-based storage context
        $storageAccount = Get-AzStorageAccount -Name $acc -ResourceGroupName $rg
        $q = Get-AzStorageQueue -Name $queue -Context $storageAccount.Context
        # AddMessageAsync returns a Task; wait on it so any failure surfaces here
        $q.CloudQueue.AddMessageAsync($json).GetAwaiter().GetResult()
    }
    
    azLoginWithServicePrincipal
    $data = @{ data = "some-text-data" }
    enqueueMessage -rg "my-rg" -acc "my-storage-account" -queue "my-queue-name" -msg $data

Here's the output. You can see that there seems to be a permissions mismatch: ListKeys on that storage account is required. But why? This seems excessive. Moreover, account keys have been disabled for that storage account; it is RBAC-only. Moreover, using the Azure CLI (and simpler syntax) that same security principal can add to the queue no problemo.

    Get-AzStorageQueue: The client 'client-id-guid' with object id 'object-id-guid' does not have authorization to perform action
    'Microsoft.Storage/storageAccounts/listKeys/action' over scope
    '/subscriptions/subscription-id-guid/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/my-storage-account' or the scope is
    invalid. If access was recently granted, please refresh your credentials.
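An added example (not the asker's code and not taken from either answer) showing the RBAC-only path: the storage context is built with New-AzStorageContext -UseConnectedAccount, so the queue request carries the connected principal's Azure AD token and no ARM listKeys call is made. Assumed: Az.Accounts and Az.Storage are installed, the service principal holds Storage Queue Data Contributor on the account, and the GUIDs, account and queue names are placeholders as in the question.

```powershell
# Added example: enqueue with the signed-in identity instead of account keys.
# Assumptions: Az.Accounts and Az.Storage installed; the service principal has
# "Storage Queue Data Contributor" on the storage account (covers the queue
# lookup and the message add); all ids/names below are placeholders.

function azLoginWithServicePrincipal {
    $tid   = "tenant-id-guid"
    $appId = "app-id-guid"
    $thumb = "cert-thumbprint"
    Connect-AzAccount -ServicePrincipal -TenantId $tid -CertificateThumbprint $thumb -ApplicationId $appId | Out-Null
}

function enqueueMessageRbacOnly {
    param([string]$acc, [string]$queue, [object]$msg)

    # The question's context comes from Get-AzStorageAccount, whose .Context is
    # key-based; populating it is the ARM listKeys call that was denied.
    # -UseConnectedAccount instead signs queue requests with the connected
    # principal's Azure AD token, so neither resource-group nor key access is needed.
    $ctx = New-AzStorageContext -StorageAccountName $acc -UseConnectedAccount

    $q = Get-AzStorageQueue -Name $queue -Context $ctx
    if (-not $q) { throw "Queue '$queue' not found, or principal lacks a queue data role" }

    $body = $msg | ConvertTo-Json -Compress

    if ($q.CloudQueue) {
        # Az.Storage builds on the Microsoft.Azure.Storage.Queue SDK (the type the question uses).
        $cloudMsg = [Microsoft.Azure.Storage.Queue.CloudQueueMessage]::new($body)
        # AddMessageAsync returns a Task; block on it so a 403/404 surfaces here
        # instead of being dropped when the script ends.
        $q.CloudQueue.AddMessageAsync($cloudMsg).GetAwaiter().GetResult() | Out-Null
    } else {
        # Newer Az.Storage builds expose the Azure.Storage.Queues client instead.
        $q.QueueClient.SendMessage($body) | Out-Null
    }
    Write-Verbose "Enqueued $($body.Length) bytes to $acc/$queue"
}

azLoginWithServicePrincipal
enqueueMessageRbacOnly -acc "my-storage-account" -queue "my-queue-name" -msg @{ data = "some-text-data" }
```

This is the PowerShell counterpart of the CLI's --auth-mode login; with shared-key access disabled on the account, the data plane rejects key-signed requests anyway, so granting listKeys to the principal would not make the question's original code succeed.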

There are 2 answers

Kartik Bhiwapurkar

I tried to execute the same commands as stated by you in the question in my subscription, where I have the ‘Contributor’ Azure role assignment in my subscription and only a ‘User’ Azure AD role. I created a storage account and a storage queue accordingly in my resource group and created an application registration to be used as a service principal for logging in to the storage queue and adding a message to the queue.

Please find the below snapshots for your reference:

[Snapshot: Add message queue function]

[Snapshot: Azure portal]

According to the above, I was successfully able to add messages to the queue storage, as I have the below permission that is required for this purpose:

    Microsoft.Storage/storageAccounts/listkeys/action

Also, you should have one of the below Azure roles assigned to your ID for this purpose:

  The Reader and Data Access role
  The Storage Account Contributor role
  The Azure Resource Manager Contributor role
  The Azure Resource Manager Owner role

Therefore, when a storage account is locked with an Azure Resource Manager ‘ReadOnly’ lock, the ‘List Keys’ operation is not permitted for that storage account. List Keys is a ‘POST’ operation, and all ‘POST’ operations are prevented when a ‘ReadOnly’ lock is configured for the account. For this reason, when the account is locked with a ReadOnly lock, users must use Azure AD credentials to access blob data in the portal.

For more information regarding this, please refer to the link below:

https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key

kgalic

I experienced the same problem, and after calling the command to set the subscription it worked.

  az account set --subscription $subscription_id