Testing connection to Azure Blob Storage with Managed Identity while sipping on a classic mojito

Looking for a secure way to connect to Azure Blob Storage from your Web API while hosting your application in Azure Cloud? Managed Identity is by far the easiest way to connect and ramp up your security when saving files to or getting files from Blob storage. This post assumes you are already familiar with Azure, C# and the .NET Framework.

How does it work?

To obtain an access token from Azure, we must make an HTTP request to the Azure identity service, which is accessible from a VM with Identity enabled.

To enable Identity on your VM in Azure, go to Virtual Machines, select your VM, and click on the Identity tab in the menu. The Identity page will display a toggle button with a status and an object ID indicating whether Identity is enabled. To enable it, simply switch the toggle to ON and save.

Now that Identity is enabled for your VM, you can assign the VM a role on the Storage Account. Go to your Storage Accounts, select your Storage, and find the Access control (IAM) tab in the menu. On the IAM page, click the Add button. Adding a role assignment requires a role name; in this case, we need the Storage Blob Data Contributor role. Finally, search by VM name, select your VM from the list and click the Save button.

How to connect?

Let's dive into coding and show how to obtain an access token from the Azure Identity service.

In this call example, we'll use HttpClient with the above-mentioned URL, and parse the response from the service with Newtonsoft.Json.

This call will determine whether the setup we did with VM Identity and the Storage role is working, and will return an access token if it is. The beauty of this Identity service is that there's no need to write extra code for a handshake or to introduce our app to the service; we just call it, get the token and move on. That brings me to the second part of this effort: confirming that we can successfully connect to Azure Storage. As I mentioned at the beginning of the post, let's use the WindowsAzure.Storage library to establish this connection.

To describe in sequence what happens in this code line by line, I'll start with TokenCredential, which consumes the access token we got from the previous function. This is just a wrapper for the access token, which is in turn used by the StorageCredentials class.

The blob is created by CloudBlockBlob using the blob URL and container name together with the new file we want to create, while StorageCredentials is needed to make this connection secure. As soon as the upload function is called, the library communicates with Azure and passes the token to the Storage service. The result is a successfully uploaded file, returned with its new URL.
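The two steps described above (token request, then upload through TokenCredential and StorageCredentials), as an added example that is not the author's code from the post or the GitHub project. The token endpoint and the `Metadata: true` header are Azure's documented Instance Metadata Service values; the class and method names and the account, container and file names are placeholders chosen for illustration.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;
using Newtonsoft.Json.Linq;

// Added example: class, method, account, container and file names are placeholders.
public static class ManagedIdentityBlobCheck
{
    // Instance Metadata Service token endpoint (link-local, answers only from inside the VM).
    const string TokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token" +
        "?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F";
    static readonly HttpClient Http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };

    // Step 1: exercises the VM Identity setup. Never log the returned token.
    public static async Task<string> GetStorageTokenAsync()
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, TokenUrl))
        {
            request.Headers.Add("Metadata", "true"); // required by the identity endpoint
            using (var response = await Http.SendAsync(request))
            {
                string body = await response.Content.ReadAsStringAsync();
                if (!response.IsSuccessStatusCode)
                    throw new InvalidOperationException(
                        $"Token request failed ({(int)response.StatusCode}): {body}");
                string token = (string)JObject.Parse(body)["access_token"];
                if (string.IsNullOrEmpty(token))
                    throw new InvalidOperationException("Response had no access_token.");
                return token;
            }
        }
    }

    // Step 2: exercises the Storage Blob Data Contributor role assignment.
    public static async Task<Uri> UploadAsync(string localPath, Uri blobUri)
    {
        var tokenCredential = new TokenCredential(await GetStorageTokenAsync());
        var blob = new CloudBlockBlob(blobUri, new StorageCredentials(tokenCredential));
        await blob.UploadFromFileAsync(localPath);
        return blob.Uri;
    }

    static void Main()
    {
        var target = new Uri("https://examplestorageacct.blob.core.windows.net/example-container/probe.txt");
        Console.WriteLine(UploadAsync("probe.txt", target).GetAwaiter().GetResult());
    }
}
```

A failure thrown from the first method points at the VM Identity setting, while a failure from the upload with a valid token points at the role assignment or network restrictions on the Storage Account.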

Why is this necessary?

Whether you are developing an app with features for users to upload images or other files as part of the workflow, or you have an API that's processing a vast number of files, most likely you will decide to use a Storage service from your Cloud provider to make this effort easier and more secure, rather than using SQL Server with network drives to keep track of files on servers. Azure did a good job with their Storage offering for Blobs, Files, Tables, and Queues. Any established business should care about the security of their data in this day and age. When developing large systems that might need migration in the future, storing files in the Cloud and tying down the security will allow easier separation of concerns when migrating to different mediums.

If your API is the only way to access the data in storage you will need a tool to make sure the connection is working from your VMs. So for those who are not developers, here is a little console application to be used for testing in these situations.

Get the console application from GitHub.

Download and open the project in Visual Studio.

Visual Studio view files in the project.

To use this tool you will need to set the appSettings keys in the app.config file to match your information:

Build and run the project, and you will get a console running.

Azure Storage Test App console running

For option 1, you will need to provide a path to a file. If successful, the console will display a message and the URL of the newly uploaded file.

If the connection is not successful, the message will display the reason for the failure, in case there are other network-related issues. An “unable to connect” message mostly hints that there is no network failure; it simply means the connection is restricted.

When downloaded you will see the files below.

In conclusion, this console app helped me and my coworkers set up Managed Identity on VMs in Azure, and I hope somebody will find this post useful and an encouragement to use Azure Blob Storage.

Cheers, and keep on sipping mojitos.
