Answer is A:
An Azure role assignment condition is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-portal
Role assignment conditions allow you to apply conditions to role-based access control (RBAC) roles. In this case, you can use blob index tags as a condition to restrict access to specific blobs.
Here is why the other options aren't suitable:
Stored access policy is used to manage shared access signatures (SAS) over a long period but does not filter access based on blob index tags.
Just-in-time (JIT) VM access is for managing virtual machine access and does not apply to Azure Storage.
Shared access signature (SAS) can provide limited-time access to blobs but doesn't inherently work with blob index tags for filtering.
Therefore, the correct answer is:
A. a role assignment condition.
ChatGPT said:
To ensure that users can view only specific blobs based on blob index tags in an Azure Storage account, you should include Option D: a shared access signature (SAS) in the solution.
A role assignment condition can `Restrict access to blobs based on a blob index tag`
Ref: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-portal
The answer is D.
A. role assignment condition: This would control access at the container level, not individual blobs. You need more granular control for specific blobs based on tags.
B. stored access policy: This can be used to define access levels for a container or blob, but it wouldn't allow you to filter based on tags dynamically.
C. just-in-time (JIT) VM access: This is used for managing access to virtual machines, not blob storage.
D. shared access signature (SAS): This provides temporary access to blobs with granular control over permissions. You can generate SAS tokens with conditions based on blob index tags, allowing users to access only the relevant blobs.
Answer: A - Role assignment condition.
A stored access policy is a setup for a SAS token. But since we don't mention here how users will access blobs, this means it should work both for SAS and AAD, which automatically removes options B & D.
Option B is also invalid because:
A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Answer: D
Finding data using blob index tags can be performed by the Storage Blob Data Owner and by anyone with a Shared Access Signature that has permission to find blobs by tags (the f SAS permission).
In addition, RBAC users with the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action permission can perform this operation.
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal#finding-data-using-blob-index-tags
Remember the principle of least privilege roles/access.
Here is the whole procedure to do it via a role assignment condition. The answer is A. This is a fairly new feature called ABAC (attribute-based access control).
https://learningbydoing.cloud/blog/control-access-to-azure-storage-blobs-with-abac/
Answer - D
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal
Important
Setting blob index tags can be performed by the Storage Blob Data Owner and by anyone with a Shared Access Signature that has permission to access the blob's tags (the t SAS permission).
Permissions and authorization
You can authorize access to blob index tags using one of the following approaches:
Using Azure role-based access control (Azure RBAC) to grant permissions to a Microsoft Entra security principal. Use Microsoft Entra ID for superior security and ease of use. For more information about using Microsoft Entra ID with blob operations, see Authorize access to data in Azure Storage.
Using a shared access signature (SAS) to delegate access to blob index. For more information about shared access signatures, see Grant limited access to Azure Storage resources using shared access signatures (SAS).
Using the account access keys to authorize operations with Shared Key. For more information, see Authorize with Shared Key.
Role Assignment Condition
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-examples?tabs=portal-visual-editor#example-read-blobs-with-a-blob-index-tag
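The condition that the linked "Read blobs with a blob index tag" example describes, written out as an added example (not code from Microsoft or from any poster in this thread). The condition text follows the shape of that documented example; the tag key/value `Project`/`Cascade`, the principal and the scope are placeholders, and `request_permitted` is a small local model of what the condition gates, not Azure's evaluation engine.

```python
"""Azure ABAC role assignment condition that limits blob reads to blobs carrying a
given blob index tag, plus a local model of which requests it narrows.

Added example for this thread; not code from Microsoft or from any poster.
"""
import re
import shlex

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_TAGS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags"
BLOB_FILTER = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action"

# Characters a blob index tag key or value may contain: alphanumerics, space,
# and + - . / : = _ . Anything else (quotes included) is rejected up front so
# a caller-supplied value can never break out of the single-quoted ABAC literal.
_TAG_CHARS = re.compile(r"^[A-Za-z0-9 +\-./:=_]*$")


def _check_tag(key: str, value: str) -> None:
    if not (1 <= len(key) <= 128) or not _TAG_CHARS.match(key):
        raise ValueError(f"invalid blob index tag key: {key!r}")
    if len(value) > 256 or not _TAG_CHARS.match(value):
        raise ValueError(f"invalid blob index tag value: {value!r}")


def is_valid_tag(key: str, value: str) -> bool:
    try:
        _check_tag(key, value)
        return True
    except ValueError:
        return False


def tag_condition(key: str, value: str) -> str:
    """Condition (version 2.0 syntax): every blobs/read that is not the Blob.List
    suboperation must target a blob whose index tag <key> equals <value>.
    Both key and value are matched case-sensitively."""
    _check_tag(key, value)
    return (
        "("
        "("
        f"!(ActionMatches{{'{BLOB_READ}'}} AND NOT SubOperationMatches{{'Blob.List'}})"
        ")"
        " OR "
        "("
        f"@Resource[{BLOB_TAGS}:{key}<$key_case_sensitive$>] StringEquals '{value}'"
        ")"
        ")"
    )


def az_command(assignee: str, scope: str, key: str, value: str) -> list:
    """argv for `az role assignment create` that attaches the condition to a
    Storage Blob Data Reader assignment. Built here, not executed."""
    return [
        "az", "role", "assignment", "create",
        "--role", "Storage Blob Data Reader",
        "--assignee", assignee,
        "--scope", scope,
        "--condition", tag_condition(key, value),
        "--condition-version", "2.0",
    ]


def request_permitted(key, value, action, suboperation=None, blob_tags=None) -> bool:
    """Local model of the condition's outcome for one request (illustration only,
    not Azure's engine). Assumes the role already grants `action`; a condition can
    only narrow that grant, never widen it."""
    blob_tags = blob_tags or {}
    if action == BLOB_READ and suboperation != "Blob.List":
        return blob_tags.get(key) == value
    # Listing, and actions other than blobs/read (e.g. filter/action, which is
    # what "find blobs by tags" uses), are not narrowed by this condition.
    return True


if __name__ == "__main__":
    print(tag_condition("Project", "Cascade"))
    # Placeholder principal and scope (assumptions, replace with real values).
    scope = ("/subscriptions/<sub-id>/resourceGroups/<rg>"
             "/providers/Microsoft.Storage/storageAccounts/<account>")
    print(shlex.join(az_command("user@contoso.com", scope, "Project", "Cascade")))
    for tags, sub in [({"Project": "Cascade"}, None), ({"Project": "cascade"}, None),
                      ({}, None), ({}, "Blob.List")]:
        print(sub or "Blob.Read", tags,
              request_permitted("Project", "Cascade", BLOB_READ, sub, tags))
```

Two points the model makes visible: the tag comparison is case-sensitive, so a blob tagged `cascade` is denied, and the condition leaves `Blob.List` and `filter/action` untouched, so a principal can still enumerate or find blobs by tag and only the read of the blob body is gated. To be effective, the same condition has to be on every role assignment for that principal that grants `blobs/read`.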