Using Managed Identity to Connect to Blob Storage

    #ServerlessTips - Azure Logic Apps
    Author: Kent Weare Integration MVP

    In a previous post, we discussed how to use managed identities to connect to Azure Key Vault. In this post, we are going to focus on how we can use managed identities to connect to Azure Blob Storage using Azure Logic Apps (Standard).

    Managed identities allow for trust between different Azure services. The benefit for Azure Logic Apps is that it doesn’t require us to maintain secrets or connection strings to connect to these different services.
    Not every service supports managed identities. Azure Blob Storage happens to be one of the services that does support it within Azure Logic Apps (Standard).

    With our Azure Logic App (Standard) instance provisioned, we need to enable our managed identity. We can do so by clicking Identity in the left navigation of our Logic App (Standard) instance. From there, we need to set Status to On. After those steps have been completed, we need to click on the Azure role assignments button.

    Select the applicable Subscription and then click on Add role assignment.


    We now need to assign a Scope of Storage, select our Subscription, select our Storage Account and the appropriate Role. I have chosen the Storage Blob Data Contributor role, which allows me to read and write data to the storage account but not manage it. By configuring this role assignment, our logic app will now be listed as a user of this service with the appropriate permissions applied. There is no further access we need to provide within the Blob storage service.
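
To confirm that the role assignment above gives the logic app's identity only data access at the storage account, the following added example (not from the original article) audits role assignments exported with `az role assignment list --assignee <object-id> --all -o json`. The subscription ID, resource names and principal IDs in the sample are constructed, and the list of management roles is an assumption to adapt to your own policy.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT_ID = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
LOGIC_APP_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # constructed object ID
SAMPLE = json.dumps([
    {"principalId": LOGIC_APP_PRINCIPAL, "roleDefinitionName": "Storage Blob Data Contributor", "scope": ACCOUNT_ID},
    {"principalId": LOGIC_APP_PRINCIPAL, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-demo"},
    {"principalId": LOGIC_APP_PRINCIPAL, "roleDefinitionName": "Storage Blob Data Reader", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": SUB},
])

EXPECTED_ROLE = "Storage Blob Data Contributor"  # the role chosen in the article
# Assumed policy: built-in roles that let the identity manage the account itself.
MANAGEMENT_ROLES = {"Owner", "Contributor", "User Access Administrator", "Storage Account Contributor"}

def audit(assignments_json, principal_id, account_id):
    """Return (expected_role_present, findings) for one principal and one storage account."""
    target = account_id.lower().rstrip("/")
    granted, findings = False, []
    for a in json.loads(assignments_json):
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to another identity
        role = a.get("roleDefinitionName", "")
        raw_scope = a.get("scope", "")
        scope = raw_scope.lower().rstrip("/")
        at_or_below = scope == target or scope.startswith(target + "/")
        broader = target.startswith(scope + "/")  # resource group, subscription or root
        if role in MANAGEMENT_ROLES and (at_or_below or broader):
            findings.append((role, raw_scope, "management-plane role reaches the storage account"))
        elif broader:
            findings.append((role, raw_scope, "scope is wider than the storage account"))
        elif role == EXPECTED_ROLE and at_or_below:
            granted = True
    return granted, findings

if __name__ == "__main__":
    granted, findings = audit(SAMPLE, LOGIC_APP_PRINCIPAL, ACCOUNT_ID)
    print("expected data role present:", granted)
    for role, scope, reason in findings:
        print(f"REVIEW {role} @ {scope}: {reason}")
```
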

    To use our managed identity within our logic app, we need to add the Create blob action from the Azure tab.


    We will now get prompted to create a connection. We can do so by providing a Name and then our Authentication type of Logic Apps Managed Identity.


    Next, we will configure our action by providing a Storage account name, Folder path, Blob name and Blob content.


    With our action configured, we can add additional logic to our workflow and then run it. When we do run our logic app, we will discover that our message is successfully sent to our Blob storage container.


    Conclusion

    Not only are managed identities more convenient than typical connection methods, but they are also more secure. No longer do you need to worry about someone copying a SAS secret and trying to use it in an unauthorized manner. For these reasons, it is a good idea to use managed identities when you can.
