Answer is A:
An Azure role assignment condition is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-portal
The answer is D.
A. role assignment condition: This would control access at the container level, not individual blobs. You need more granular control for specific blobs based on tags.
B. stored access policy: This can be used to define access levels for a container or blob, but it wouldn't allow you to filter based on tags dynamically.
C. just-in-time (JIT) VM access: This is used for managing access to virtual machines, not blob storage.
D. shared access signature (SAS): This provides temporary access to blobs with granular control over permissions. You can generate SAS tokens with conditions based on blob index tags, allowing users to access only the relevant blobs.
D. a shared access signature (SAS)
If your blobs are tagged and you need users to access only certain tags, you create a SAS that includes conditions related to those tags. When the user attempts to access, they match the SAS signature constraints, effectively only viewing blobs with the permitted tags.
On the other hand, role assignment conditions might offer control at a broader scope and not as precisely at the blob level based on index tags.
D. a shared access signature (SAS)
While role assignment conditions are powerful for broad access management, SAS tokens provide the flexibility and granularity needed to limit access based on blob index tags efficiently.
Role assignment conditions allow you to apply conditions to role-based access control (RBAC) roles. In this case, you can use blob index tags as a condition to restrict access to specific blobs.
Here is why the other options aren't suitable:
Stored access policy is used to manage shared access signatures (SAS) over a long period but does not filter access based on blob index tags.
Just-in-time (JIT) VM access is for managing virtual machine access and does not apply to Azure Storage.
Shared access signature (SAS) can provide limited-time access to blobs but doesn't inherently work with blob index tags for filtering.
Therefore, the correct answer is:
A. a role assignment condition.
ChatGPT said:
To ensure that users can view only specific blobs based on blob index tags in an Azure Storage account, you should include Option D: a shared access signature (SAS) in the solution.
A role assignment condition can `Restrict access to blobs based on a blob index tag`
Ref: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-portal
Answer: A - Role assignment condition.
A stored access policy is a setup for SAS tokens. But since the question doesn't mention how users will access the blobs, the solution should work both for SAS and AAD, which automatically removes options B & D.
Option B is also invalid because:
A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Answer: D
Finding data using blob index tags can be performed by the Storage Blob Data Owner and by anyone with a Shared Access Signature that has permission to find blobs by tags (the f SAS permission).
In addition, RBAC users with the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action permission can perform this operation.
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal#finding-data-using-blob-index-tags
Remember the principle of least privilege roles/access.
Here is the whole procedure to do it via role assignment condition. Answer is A. This is a fairly new feature called ABAC (Attribute-based access control).
https://learningbydoing.cloud/blog/control-access-to-azure-storage-blobs-with-abac/
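Added worked example (not part of any comment above, and not from the linked blog or Microsoft docs): a small Azure CLI script that builds the ABAC condition the role-assignment-condition approach relies on and attaches it to a Storage Blob Data Reader assignment. The tag pair Project=Cascade, the placeholder principal ID and the storage account scope are assumptions for illustration; the `az role assignment create --condition/--condition-version` parameters are real CLI options. The condition exempts the Blob.List suboperation from the tag check because index tags are not evaluated on list operations, so a condition without that exemption also blocks listing.

```shell
#!/bin/sh
# Added example: build an Azure ABAC role assignment condition that lets a
# principal read only blobs carrying the index tag <key>=<value>, then attach
# it to a Storage Blob Data Reader assignment with the Azure CLI.
# Assumptions (not from the thread): tag Project=Cascade, placeholder IDs/scope.
set -eu

# Print the condition expression for one tag key/value pair.
# Clause 1 exempts every action other than a non-list blob read from the check,
# so container listing and blob listing keep working; clause 2 requires the
# matching index tag on the blob actually being read.
build_tag_condition() {
  tag_key=$1
  tag_value=$2
  printf '%s' "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:${tag_key}<\$key_case_sensitive\$>] StringEquals '${tag_value}'))"
}

# Attach the condition to a Storage Blob Data Reader assignment.
# scope example (assumed): /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>
# Least privilege: the role itself is read-only and the condition narrows it further.
assign_reader_with_tag_condition() {
  principal_id=$1
  scope=$2
  tag_key=$3
  tag_value=$4
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type User \
    --role "Storage Blob Data Reader" \
    --scope "$scope" \
    --condition "$(build_tag_condition "$tag_key" "$tag_value")" \
    --condition-version "2.0"
}

# Usage: sh abac-tag-condition.sh <principal-object-id> <storage-account-scope> <tag-key> <tag-value>
# With no arguments the script only prints the condition for Project=Cascade,
# which is handy for pasting into the portal's condition editor (code view).
if [ "$#" -eq 4 ]; then
  assign_reader_with_tag_condition "$@"
else
  build_tag_condition Project Cascade
  echo
fi
```

Verify the assignment afterwards with `az role assignment list --assignee <principal-object-id> --scope <scope> --query "[].condition"`; a principal whose token was issued before the assignment may need a fresh token before the narrowed access takes effect.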
Answer - D
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal
Important
Setting blob index tags can be performed by the Storage Blob Data Owner and by anyone with a Shared Access Signature that has permission to access the blob's tags (the t SAS permission).
Permissions and authorization
You can authorize access to blob index tags using one of the following approaches:
Using Azure role-based access control (Azure RBAC) to grant permissions to a Microsoft Entra security principal. Use Microsoft Entra ID for superior security and ease of use. For more information about using Microsoft Entra ID with blob operations, see Authorize access to data in Azure Storage.
Using a shared access signature (SAS) to delegate access to blob index. For more information about shared access signatures, see Grant limited access to Azure Storage resources using shared access signatures (SAS).
Using the account access keys to authorize operations with Shared Key. For more information, see Authorize with Shared Key.