
Configuring Azure Blob Storage using Managed Identity #10058


0
damion@saas-e-solutions.com created

We are currently storing blobs in Azure Storage but using storage access keys, and would like to move to using the application service identity and RBAC for a more secure implementation. Do you have any guidance?


4 Answer(s)
  • 0
    AI-Bot created
    Support Team ABP Agent
    Solution

    To move ABP’s Azure Blob storage integration from account keys to Managed Identity (MSI) with Azure AD RBAC, configure the ABP Azure Blob provider to authenticate via DefaultAzureCredential and grant your App Service identity the proper RBAC role on the storage account.

    Steps:

    • Install and enable the Azure Blob provider in your ABP module

      using Volo.Abp.Modularity;
      using Volo.Abp.BlobStoring;
      using Volo.Abp.BlobStoring.Azure;

      [DependsOn(typeof(AbpBlobStoringAzureModule))]
      public class MyProjectDomainModule : AbpModule
      {
          public override void ConfigureServices(ServiceConfigurationContext context)
          {
              var configuration = context.Services.GetConfiguration();

              Configure<AbpBlobStoringOptions>(options =>
              {
                  options.Containers.ConfigureDefault(container =>
                  {
                      container.UseAzure(azure =>
                      {
                          // Use AAD/MSI instead of connection string:
                          azure.AccountName = configuration["Blob:AccountName"];      // e.g. mystorageacct
                          azure.ContainerName = configuration["Blob:ContainerName"];  // e.g. app-blobs
                          azure.CreateContainerIfNotExists = true;

                          // When no ConnectionString is provided, the provider will use Azure SDK credentials.
                          // With DefaultAzureCredential in App Service, MSI will be used automatically.
                          // Optionally, you can set an explicit endpoint (useful for national clouds):
                          // azure.BlobServiceEndpoint = $"https://{azure.AccountName}.blob.core.windows.net";
                      });
                  });
              });
          }
      }


    App settings (no keys):

      "Blob": {
        "AccountName": "mystorageacct",
        "ContainerName": "app-blobs"
      }

    • Assign RBAC to the Managed Identity of your App Service

      • In Azure Portal, enable a System-assigned Managed Identity on your App Service.
      • On the Storage Account -> Access Control (IAM) -> Add role assignment:
        • Role: Storage Blob Data Contributor (minimum for read/write) or Storage Blob Data Owner if you need container management.
        • Assign to: Your App Service’s managed identity.
      • Wait a few minutes for propagation.
    • Ensure the Azure SDK uses Managed Identity at runtime

      • The ABP Azure provider (Volo.Abp.BlobStoring.Azure) builds the Azure Blob client with Azure SDK. If you omit ConnectionString and provide AccountName (and optionally BlobServiceEndpoint), the Azure SDK will rely on DefaultAzureCredential. In App Service, DefaultAzureCredential picks up MSI automatically. No code change is needed in your application layer that uses IBlobContainer.
    • Verify locally with developer credentials (optional)

      • Locally, DefaultAzureCredential will try environment variables, Visual Studio/VS Code/Azure CLI login. For local dev using AAD, sign in with Azure CLI:
        • az login
        • Ensure your dev principal has access to the storage account (e.g., Storage Blob Data Contributor) to test without keys.
    • Using named containers (optional)

      [BlobContainerName("profile-pictures")]
      public class ProfilePictureContainer {}

      // In ConfigureServices; `configuration` is the IConfiguration obtained via context.Services.GetConfiguration()
      Configure<AbpBlobStoringOptions>(options =>
      {
          options.Containers.Configure<ProfilePictureContainer>(container =>
          {
              container.UseAzure(azure =>
              {
                  azure.AccountName = configuration["Blob:AccountName"];
                  azure.ContainerName = "profile-pictures";
                  azure.CreateContainerIfNotExists = true;
              });
          });
      });


    Notes:

    • Do not set azure.ConnectionString when using MSI. Providing a connection string forces key-based auth.
    • If you need to target sovereign clouds, set azure.BlobServiceEndpoint accordingly.
    • Ensure your module includes [DependsOn(typeof(AbpBlobStoringAzureModule))] and Volo.Abp.BlobStoring.Azure package.
    Sources
    • ABP Azure Blob provider (installation/configuration entry point):
      • https://abp.io/docs/latest/framework/infrastructure/blob-storing/azure
    • Microsoft: Authorize access to Azure Blob with Azure AD and RBAC (assign roles like Storage Blob Data Contributor):
      • https://learn.microsoft.com/azure/storage/blobs/authorize-access-azure-active-directory
    • Microsoft: Managed identities for Azure resources overview (how App Service MSI is used by DefaultAzureCredential):
      • https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • 0
    damion@saas-e-solutions.com created

    What version is accountName available in?

  • 0
    AI-Bot created
    Support Team ABP Agent
    Solution

    In the ABP Azure Blob Storing provider (Volo.Abp.BlobStoring.Azure), the commonly documented configuration options are ConnectionString, ContainerName, and CreateContainerIfNotExists. The official documentation does not list an AccountName option, and there is no verified ABP doc indicating a specific version that introduces an “AccountName” property for the Azure provider configuration.

    To use Azure AD/Managed Identity with ABP’s Azure Blob provider based on verified guidance:

    • Continue using the provider by omitting ConnectionString and rely on standard Azure SDK patterns only if/when ABP officially supports such configuration in docs or package notes.
    • As of the referenced docs, the supported documented properties are:
      • ConnectionString
      • ContainerName
      • CreateContainerIfNotExists

    If you need AccountName-style configuration, check your installed Volo.Abp.BlobStoring.Azure package’s API surface (e.g., via IntelliSense or source) and release notes. If it’s not present, you must use ConnectionString-based auth per current official docs, or implement a custom blob provider that uses DefaultAzureCredential.

    Sources
    • ABP Blob Storing Azure provider options (documented properties):
      • https://abp.io/docs/latest/framework/infrastructure/blob-storing/azure
    • Microsoft guidance on Azure AD/RBAC for Blob Storage:
      • https://learn.microsoft.com/azure/storage/blobs/authorize-access-azure-active-directory
    • Managed identities overview:
      • https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
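The thread leaves open whether the built-in provider exposes an AccountName setting, so the following is an added example (not code from this thread, from ABP or from Microsoft) of the fallback the second answer names: a custom ABP blob provider that builds the Azure SDK client from the account URL plus DefaultAzureCredential, so no account key or connection string exists anywhere in configuration. It assumes the Azure.Identity and Azure.Storage.Blobs NuGet packages; the provider class, the UseAzureManagedIdentity extension method, the access-check class and the configuration key names are hypothetical names chosen here, while BlobProviderBase, the BlobProvider*Args types, BlobContainerConfiguration and BlobAlreadyExistsException are the public Volo.Abp.BlobStoring abstractions. The access check turns the 403 you get when the role assignment is missing or has not propagated yet into an actionable message at startup instead of at the first upload.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Volo.Abp.BlobStoring;

// Hypothetical provider (added example). Authenticates with a token credential only:
// in App Service the managed identity is used, on a developer machine
// DefaultAzureCredential falls through to the Azure CLI / Visual Studio login.
public class ManagedIdentityBlobProvider : BlobProviderBase
{
    // Hypothetical keys under which the container configuration stores our settings.
    public const string AccountNameKey = "ManagedIdentity.AccountName";
    public const string ContainerNameKey = "ManagedIdentity.ContainerName";

    protected virtual BlobContainerClient GetContainerClient(BlobProviderArgs args)
    {
        var accountName = args.Configuration.GetConfiguration<string>(AccountNameKey);
        var containerName = args.Configuration.GetConfigurationOrDefault(ContainerNameKey, args.ContainerName);

        // Account URL + credential: the account name is not a secret, no key is involved.
        var service = new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"),
            new DefaultAzureCredential());
        return service.GetBlobContainerClient(containerName);
    }

    public override async Task SaveAsync(BlobProviderSaveArgs args)
    {
        var blob = GetContainerClient(args).GetBlobClient(args.BlobName);
        if (!args.OverrideExisting && await blob.ExistsAsync(args.CancellationToken))
        {
            throw new BlobAlreadyExistsException(
                $"Blob '{args.BlobName}' already exists in container '{args.ContainerName}'.");
        }
        await blob.UploadAsync(args.BlobStream, overwrite: true, args.CancellationToken);
    }

    public override async Task<bool> DeleteAsync(BlobProviderDeleteArgs args)
    {
        var blob = GetContainerClient(args).GetBlobClient(args.BlobName);
        return await blob.DeleteIfExistsAsync(cancellationToken: args.CancellationToken);
    }

    public override async Task<bool> ExistsAsync(BlobProviderExistsArgs args)
    {
        var blob = GetContainerClient(args).GetBlobClient(args.BlobName);
        return await blob.ExistsAsync(args.CancellationToken);
    }

    public override async Task<Stream?> GetOrNullAsync(BlobProviderGetArgs args)
    {
        var blob = GetContainerClient(args).GetBlobClient(args.BlobName);
        if (!await blob.ExistsAsync(args.CancellationToken))
        {
            return null;
        }
        return await blob.OpenReadAsync(cancellationToken: args.CancellationToken);
    }
}

// Hypothetical registration helper: points a container at the provider above.
public static class ManagedIdentityBlobContainerConfigurationExtensions
{
    public static BlobContainerConfiguration UseAzureManagedIdentity(
        this BlobContainerConfiguration configuration, string accountName, string containerName)
    {
        configuration.ProviderType = typeof(ManagedIdentityBlobProvider);
        configuration.SetConfiguration(ManagedIdentityBlobProvider.AccountNameKey, accountName);
        configuration.SetConfiguration(ManagedIdentityBlobProvider.ContainerNameKey, containerName);
        return configuration;
    }
}

// Hypothetical readiness check: a 403 on a simple container read means the identity
// authenticated but holds no Storage Blob Data role yet (or the assignment has not propagated).
public static class ManagedIdentityBlobAccessCheck
{
    public static async Task EnsureDataPlaneAccessAsync(string accountName, string containerName)
    {
        var container = new BlobServiceClient(
                new Uri($"https://{accountName}.blob.core.windows.net"),
                new DefaultAzureCredential())
            .GetBlobContainerClient(containerName);
        try
        {
            await container.GetPropertiesAsync();
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            throw new InvalidOperationException(
                $"Identity authenticated but has no data-plane role on '{accountName}/{containerName}'. " +
                "Assign Storage Blob Data Contributor (or Reader for read-only) to the App Service " +
                "managed identity and allow a few minutes for propagation.", ex);
        }
    }
}
```

Registration follows the same shape as the answers above: in ConfigureServices, `options.Containers.ConfigureDefault(c => c.UseAzureManagedIdentity(configuration["Blob:AccountName"], configuration["Blob:ContainerName"]))`, with an app settings file that carries only the account and container names. Calling `ManagedIdentityBlobAccessCheck.EnsureDataPlaneAccessAsync` once at startup is worthwhile because the control-plane role assignment (IAM) and the data-plane check (container read) are separate steps, and a missing or still-propagating assignment is the most common reason a key-free deployment fails on its first request.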

  • 0
    damion@saas-e-solutions.com created

    Can someone please confirm this is available?

Made with ❤️ on ABP v10.1.0-preview. Updated on October 30, 2025, 06:33