
Documentation: missing code sample for azure-mgmt-storage without public access and with IP restrictions

Open juju4 opened this issue 3 years ago • 12 comments

  • Package Name: azure-mgmt-storage
  • Package Version: Not relevant
  • Operating System: Not relevant
  • Python Version: Not relevant

Describe the bug
While there is a lot of documentation on using Azure Storage with Python, it does not seem that any of the code examples include basic security features, namely disabling public access and implementing IP network rules. Documentation with sample code should be available:

https://learn.microsoft.com/en-us/azure/developer/python/sdk/examples/azure-sdk-example-storage?tabs=cmd
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python?tabs=managed-identity%2Croles-azure-portal%2Csign-in-azure-cli
https://learn.microsoft.com/en-us/python/api/azure-storage-blob/azure.storage.blob?view=azure-python#azure-storage-blob-generate-blob-sas
https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/storage/azure-storage-blob/samples/blob_samples_authentication.py#L110

To Reproduce

poller = storage_client.storage_accounts.begin_create(
    RESOURCE_GROUP_NAME,
    STORAGE_ACCOUNT_NAME,
    {
        "location": LOCATION,
        "kind": "StorageV2",
        "sku": {"name": "Standard_LRS"},
        "tags": {"environment": "dev"},
        "network_rule_set": {
            # https://learn.microsoft.com/en-us/python/api/azure-mgmt-storage/azure.mgmt.storage.v2020_08_01_preview.models.iprule?view=azure-python
            # https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/storage/azure-mgmt-storage/azure/mgmt/storage/v2022_09_01/models/_models_py3.py#L3130
            # FIXME!
            # TypeError: IPRule.__init__() takes 1 positional argument but 2 were given
            "ip_rules": [
                # IPRule({"ip_address_or_range": "x.y.z.z", "action": "allow"})
                IPRule(serialize({"ip_address_or_range": "x.y.z.z", "action": "allow"}))
            ],
            "virtual_network_rules": [],
            "bypass": "AzureServices",
            "default_action": "Deny",
        },
        "enable_https_traffic_only": True,
        # https://learn.microsoft.com/en-us/python/api/azure-mgmt-storage/azure.mgmt.storage.v2018_07_01.models.publicaccess?view=azure-python
        # FIXME! not working
        "public_access": False,
    },
)

public_access does not seem to take a boolean value. IPRule() seems to use some serialization function, but I am unsure of the exact syntax.

Expected behavior
Documentation like the above should have code examples that implement security features. Ideally those should be the default; otherwise people will copy/paste insecure setup code.

juju4 avatar Dec 04 '22 00:12 juju4
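An added example, not code from the issue report or from the azure-sdk-for-python samples: it builds the begin_create parameters for an account with public blob access disabled and an IP allow-list, in the same plain-dict form the report already passes. The function names secure_storage_account_params and normalize_ip_rule, the placeholder subscription/resource-group/account names, and the 203.0.113.0/24 and 198.51.100.7 sample addresses are assumptions; the property names (allow_blob_public_access, network_rule_set, ip_rules, minimum_tls_version) are the azure-mgmt-storage model attribute names.

```python
"""Added example (not from the issue or the SDK samples): create-parameters for a
storage account with no public blob access and an IP allow-list, validated
before they are sent so a bad rule fails locally rather than at deploy time.

The dict keys are azure-mgmt-storage model attribute names
(StorageAccountCreateParameters / NetworkRuleSet / IPRule).
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Azure IP network rules only accept public IPv4 addresses or CIDR ranges;
# RFC 1918, loopback and link-local space is rejected by the service, so the
# same check is done here up front.
_DISALLOWED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]


def normalize_ip_rule(entry: str) -> str:
    """Validate one allow-list entry and return it in the form the rule takes.

    A single host is emitted as a bare address (no /32 suffix); a range is
    emitted as CIDR. Raises ValueError for IPv6 or non-public IPv4 space.
    """
    net = ipaddress.ip_network(entry)  # strict: host bits set in a /24 is an error
    if net.version != 4:
        raise ValueError(f"{entry}: storage IP rules only accept IPv4")
    if any(net.overlaps(bad) for bad in _DISALLOWED):
        raise ValueError(f"{entry}: not a public IPv4 address or range")
    if net.prefixlen == 32:
        return str(net.network_address)
    return str(net)


def secure_storage_account_params(
    location: str,
    allowed_ips: Iterable[str],
    tags: Optional[Dict[str, str]] = None,
) -> Dict:
    """Parameters for storage_accounts.begin_create with a deny-by-default firewall."""
    ip_rules: List[Dict[str, str]] = [
        # As model objects these would be IPRule(ip_address_or_range=..., action="Allow"):
        # the constructor is keyword-only, which is why a positional call raises TypeError.
        {"ip_address_or_range": normalize_ip_rule(ip), "action": "Allow"}
        for ip in allowed_ips
    ]
    return {
        "location": location,
        "kind": "StorageV2",
        "sku": {"name": "Standard_LRS"},
        "tags": dict(tags or {}),
        "network_rule_set": {
            "bypass": "AzureServices",      # platform services (e.g. diagnostics) still reach the account
            "virtual_network_rules": [],
            "ip_rules": ip_rules,
            "default_action": "Deny",       # everything not listed above is refused
        },
        "enable_https_traffic_only": True,
        "minimum_tls_version": "TLS1_2",
        # Account-level switch for anonymous blob/container access; there is no
        # "public_access" property on the account object.
        "allow_blob_public_access": False,
    }


if __name__ == "__main__":
    # Actual deployment: needs azure-identity and azure-mgmt-storage installed
    # plus an authenticated session. All names below are placeholders.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.storage import StorageManagementClient

    client = StorageManagementClient(DefaultAzureCredential(), "<subscription-id>")
    poller = client.storage_accounts.begin_create(
        "<resource-group>",
        "<storageaccountname>",
        secure_storage_account_params("westeurope", ["203.0.113.0/24", "198.51.100.7"],
                                      {"environment": "dev"}),
    )
    account = poller.result()
    print(account.name, account.network_rule_set.default_action, account.allow_blob_public_access)
```

Two points relative to the snippet in the report: the TypeError comes from IPRule's constructor being keyword-only, so either pass keyword arguments or, as above, plain dicts with the same keys; and "public_access" is a blob container setting (the PublicAccess enum), not an account property, so the account-level control is allow_blob_public_access. Remember that "default_action": "Deny" also blocks the machine running this script unless its public address is in the list.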

Thank you for the feedback @juju4 . We will investigate asap.

kashifkhan avatar Dec 05 '22 16:12 kashifkhan

Thank you for your feedback. This has been routed to the support team for assistance.

ghost avatar Dec 05 '22 16:12 ghost

You can try to use the following code to solve your problem: https://github.com/Azure-Samples/azure-samples-python-management/blob/main/samples/storage/manage_storage_account_public_access.py

Wzb123456789 avatar Dec 13 '22 06:12 Wzb123456789

Hi @juju4. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

ghost avatar Dec 14 '22 03:12 ghost

Thanks! Great!

/unresolve

Settings work fine, but when using a SAS URL with azcopy, it fails when network IP restrictions are set, even if the source IP is allowed. It works when the default action is allow.

Would you have an example including the setup of diagnostic logs of the storage account to Log Analytics? That would help to debug, as it seems the Azure Policy setting takes a while before doing it.

Thanks a lot.

juju4 avatar Dec 16 '22 10:12 juju4

Settings work fine, but when using a SAS URL with azcopy, it fails when network IP restrictions are set, even if the source IP is allowed. It works when the default action is allow.

@juju4 Could you please share the failing request ID from the error message you get while using azcopy, so that I can look at our backend logs for the cause of the failure?

Also, if you would like to set up the storage diagnostic logs with Azure Monitor (Send to Log Analytics), follow this article.

navba-MSFT avatar Dec 20 '22 03:12 navba-MSFT

Two examples ending with AuthorizationFailure:

RequestId:0c2cda2e-e01e-003a-5a1f-169d66000000
RequestId:6826b9ee-101e-0026-7920-1682a5000000

On diagnostic settings, I know how to do it in the portal; I am looking to do it in Python in the same script. Normally Azure Policy should take care of it, but it comes too late for a one-time-use resource. https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/monitor/azure-mgmt-monitor/tests/disable_test_cli_mgmt_monitor.py may be the way.

juju4 avatar Dec 22 '22 16:12 juju4
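An added example, not code from the thread or from the linked azure-mgmt-monitor test: it enables the storage diagnostic logs for a Log Analytics workspace from Python, so the same script that creates the account can turn logging on before the first SAS request is made. The function names, the "to-log-analytics" setting name and every subscription/resource-group/account/workspace value are assumptions; the resource path shape, the StorageRead/StorageWrite/StorageDelete log categories and the Transaction metric category are the ones Azure Storage exposes, and the client call is MonitorManagementClient.diagnostic_settings.create_or_update(resource_uri, name, parameters).

```python
"""Added example (not from the thread): diagnostic settings for a storage
account's data-plane services, sent to a Log Analytics workspace with
azure-mgmt-monitor. Storage logs live on the per-service child resources
(blobServices/default etc.), not on the account itself, so one setting is
created per service.
"""
from typing import Dict, List

SERVICES = ("blob", "file", "queue", "table")
LOG_CATEGORIES = ("StorageRead", "StorageWrite", "StorageDelete")


def storage_service_resource_id(subscription_id: str, resource_group: str,
                                account_name: str, service: str) -> str:
    """ARM id of the service child resource diagnostic settings attach to."""
    if service not in SERVICES:
        raise ValueError(f"unknown storage service {service!r}; expected one of {SERVICES}")
    return (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Storage/storageAccounts/{account_name}"
        f"/{service}Services/default"
    )


def diagnostic_setting_params(workspace_resource_id: str) -> Dict:
    """DiagnosticSettingsResource in the plain-dict form the mgmt SDK accepts.

    All three request log categories are enabled: a denied request (the
    AuthorizationFailure seen with azcopy) shows up in the category of the
    operation it attempted, so enabling only StorageWrite would miss reads.
    """
    logs: List[Dict] = [{"category": c, "enabled": True} for c in LOG_CATEGORIES]
    return {
        "workspace_id": workspace_resource_id,   # ARM id of the Log Analytics workspace
        "logs": logs,
        "metrics": [{"category": "Transaction", "enabled": True}],
    }


def enable_storage_logging(monitor_client, subscription_id: str, resource_group: str,
                           account_name: str, workspace_resource_id: str,
                           setting_name: str = "to-log-analytics") -> List[str]:
    """Create/update the setting on every service; returns the resource ids touched."""
    touched = []
    for service in SERVICES:
        resource_id = storage_service_resource_id(subscription_id, resource_group,
                                                  account_name, service)
        monitor_client.diagnostic_settings.create_or_update(
            resource_id, setting_name, diagnostic_setting_params(workspace_resource_id)
        )
        touched.append(resource_id)
    return touched


if __name__ == "__main__":
    # Needs azure-identity and azure-mgmt-monitor plus an authenticated session.
    # All values below are placeholders.
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.monitor import MonitorManagementClient

    SUB = "<subscription-id>"
    client = MonitorManagementClient(DefaultAzureCredential(), SUB)
    workspace = (f"/subscriptions/{SUB}/resourceGroups/<rg>/providers/"
                 "Microsoft.OperationalInsights/workspaces/<workspace-name>")
    for rid in enable_storage_logging(client, SUB, "<resource-group>", "<storageaccountname>", workspace):
        print("diagnostic setting applied to", rid)
```

Once the setting is in place, the StorageBlobLogs table in the workspace carries the request id (CorrelationId), StatusText, CallerIpAddress and AuthenticationType for each request, which is what you need to compare a failing azcopy SAS request against the IP rules on the account. The logs are delivered with a delay of several minutes, so create the setting before the first test request rather than after the failure.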

@juju4 I looked at the backend logs and identified the cause of the issue. I can share the details with you over email (privately) instead of posting the details publicly here on GitHub. Could you please send an email to navba [@] microsoft . (dot) com?

navba-MSFT avatar Dec 23 '22 07:12 navba-MSFT

@juju4 I wanted to do quick follow-up to check if you had a chance to look at my above comment. Please let us know if you had any updates on this. Awaiting your reply.

navba-MSFT avatar Dec 26 '22 03:12 navba-MSFT

@juju4 I didn't receive any emails from you yet. If you need any further assistance on this issue, please send an email to navba [@] microsoft . (dot) so that I can share my findings with you for the above request IDs. Awaiting your reply.

navba-MSFT avatar Dec 28 '22 04:12 navba-MSFT

Done.

juju4 avatar Dec 28 '22 06:12 juju4

@juju4 Thanks for your email. I have shared the findings with you over email. Awaiting your reply.

navba-MSFT avatar Dec 29 '22 05:12 navba-MSFT

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

ghost avatar Jan 10 '23 08:01 ghost

Hi @juju4. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

ghost avatar Jan 10 '23 09:01 ghost

Hi @juju4, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.

ghost avatar Jan 17 '23 10:01 ghost