Azure: Least Privilege Access Setup
Learn how to set up Azure RBAC and SAS tokens with minimal permissions for secure Azure Blob Storage access with Cloney.
Overview
When connecting your Azure Blob Storage containers to Cloney for data migration, it's essential to follow the principle of least privilege. This guide walks you through creating access credentials with only the permissions necessary for Cloney to read from or write to your storage containers.
Use SAS tokens with limited permissions and expiration dates. Avoid using full access keys when possible.
Prerequisites
- An Azure account with Owner or Contributor access to the storage account
- An Azure Storage Account with Blob containers
- The name of the container(s) you want to connect
- Knowledge of whether you need read-only (source) or write (destination) access
Option 1: Using Access Keys (Simple)
The simplest method is using storage account access keys:
- Sign in to the Azure Portal
- Navigate to your Storage Account
- In the left menu, under Security + networking, click Access keys
- Click Show next to key1 or key2
- Copy the Storage account name and Key
Access keys provide full access to the entire storage account. For better security, use SAS tokens (Option 2) with limited permissions.
Option 2: Using SAS Tokens (Recommended)
Shared Access Signatures (SAS) provide granular, time-limited access:
- In the Azure Portal, navigate to your Storage Account
- Go to Containers and select your target container
- Click Shared access tokens in the left menu
- Configure the SAS token settings (see below for recommended permissions)
- Set an appropriate Expiry date
- Click Generate SAS token and URL
- Copy the Blob SAS token
SAS Token Permissions for Source (Read)
For source containers (reading data), enable these permissions:
| Permission | Required | Purpose |
|---|---|---|
| Read | Yes | Read blob content |
| List | Yes | List blobs in container |
| Write | No | Not needed for source |
| Delete | No | Not needed for source |
| Create | No | Not needed for source |
SAS Token Permissions for Destination (Write)
For destination containers (writing data), enable these permissions:
| Permission | Required | Purpose |
|---|---|---|
| Read | Yes | Verify uploaded data |
| List | Yes | List existing blobs |
| Write | Yes | Upload blob content |
| Delete | Optional | Required for overwrite operations |
| Create | Yes | Create new blobs |
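Before pasting a SAS token into Cloney it is worth checking that it really carries only the permissions in the two tables above. The following Python helper is an added example (not Cloney or Azure code): it parses the query string the Portal emits and reports where `sp`, `sr`, `se` and `spr` deviate from the source or destination table. The sample tokens, their `PLACEHOLDER_SIGNATURE` values, the `MAX_LIFETIME` policy and the fixed `FIXED_NOW` reference time are all constructed for the example.

```python
"""Least-privilege check for an Azure Blob container SAS token.

Hypothetical helper (not Cloney or Azure code). It parses the SAS query
string and compares it with the source/destination permission tables.
Sample tokens and signature values are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Letters Azure uses in the 'sp' field: r=Read, a=Add, c=Create, w=Write,
# d=Delete, l=List (others exist, e.g. x, t, m, e, i).
SOURCE_ALLOWED = frozenset("rl")        # source table: Read + List only
DEST_REQUIRED = frozenset("rlwc")       # destination table: Read, List, Write, Create
DEST_ALLOWED = DEST_REQUIRED | {"d"}    # Delete is optional (overwrite only)
MAX_LIFETIME = timedelta(days=30)       # assumed policy value, not an Azure default
FIXED_NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)  # constructed reference time

_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas(token):
    """Turn '?sp=rl&se=...&sig=...' (leading '?' optional) into a flat dict."""
    parsed = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def _parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in 'st'/'se'; None if unparseable."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def check_sas(token, role, now=None):
    """Return (severity, message) findings for a container SAS.

    role is 'source' (read-only) or 'destination' (write). An empty list
    means the token matches the least-privilege table exactly.
    """
    if role not in ("source", "destination"):
        raise ValueError("role must be 'source' or 'destination'")
    now = now or datetime.now(timezone.utc)
    sas = parse_sas(token)
    findings = []

    # 1. Scope: the Portal's container page issues sr=c; a blob SAS (sr=b) or
    #    an account SAS is not what this guide describes.
    if sas.get("sr") != "c":
        findings.append(("error", f"sr={sas.get('sr')!r}: expected a container-scoped SAS (sr=c)"))

    # 2. Permissions: nothing beyond the table, nothing required missing.
    perms = set(sas.get("sp", ""))
    allowed = SOURCE_ALLOWED if role == "source" else DEST_ALLOWED
    required = SOURCE_ALLOWED if role == "source" else DEST_REQUIRED
    extra = "".join(sorted(perms - allowed))
    if extra:
        findings.append(("error", f"sp={sas.get('sp')!r}: permission(s) '{extra}' not needed for a {role} container"))
    missing = "".join(sorted(required - perms))
    if missing:
        findings.append(("error", f"sp={sas.get('sp')!r}: required permission(s) '{missing}' missing for a {role} container"))
    if role == "destination" and "d" in perms:
        findings.append(("warning", "sp includes 'd' (Delete): only needed when Cloney must overwrite existing blobs"))

    # 3. Expiry: present, in the future, and not open-ended.
    expiry = _parse_time(sas.get("se", ""))
    if expiry is None:
        findings.append(("error", f"se={sas.get('se')!r}: missing or unparseable expiry"))
    elif expiry <= now:
        findings.append(("error", f"se={sas['se']}: token already expired"))
    elif expiry - now > MAX_LIFETIME:
        findings.append(("error", f"se={sas['se']}: lifetime exceeds {MAX_LIFETIME.days} days"))

    # 4. Transport: the Portal sets spr=https; when spr is omitted Azure also
    #    accepts plain HTTP, so anything other than 'https' is flagged.
    if sas.get("spr") != "https":
        findings.append(("warning", f"spr={sas.get('spr')!r}: token not restricted to HTTPS"))

    if not sas.get("sig"):
        findings.append(("error", "sig missing: not a complete SAS token"))
    return findings


def is_least_privilege(token, role, now=None):
    """True when check_sas reports no error-severity findings."""
    return not any(sev == "error" for sev, _ in check_sas(token, role, now))


# Constructed sample tokens (placeholder signatures, not real credentials).
SOURCE_TOKEN = ("?sp=rl&st=2025-01-01T00:00:00Z&se=2025-01-15T00:00:00Z"
                "&spr=https&sv=2022-11-02&sr=c&sig=PLACEHOLDER_SIGNATURE")
OVERPRIVILEGED_TOKEN = ("?sp=racwdl&se=2030-01-01T00:00:00Z&sv=2022-11-02"
                        "&sr=c&sig=PLACEHOLDER_SIGNATURE")
DESTINATION_TOKEN = ("?sp=rcwdl&st=2025-01-01T00:00:00Z&se=2025-01-20T00:00:00Z"
                     "&spr=https&sv=2022-11-02&sr=c&sig=PLACEHOLDER_SIGNATURE")

if __name__ == "__main__":
    for name, token, role in [("source", SOURCE_TOKEN, "source"),
                              ("overprivileged", OVERPRIVILEGED_TOKEN, "source"),
                              ("destination", DESTINATION_TOKEN, "destination")]:
        print(f"{name}: least privilege = {is_least_privilege(token, role, FIXED_NOW)}")
        for severity, message in check_sas(token, role, FIXED_NOW):
            print(f"  [{severity}] {message}")
```

Run it with the token pasted in place of the constructed samples; a token that earns only warnings (for example Delete on a destination container that must overwrite) is acceptable, while any error means the token should be regenerated from the container's Shared access tokens page with the permissions from the table.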
Option 3: Using Azure RBAC (Enterprise)
For enterprise scenarios, use Azure RBAC with a service principal:
- Create an Azure AD application registration
- Create a service principal for the application
- Assign the appropriate role to the service principal:
  - Source: Storage Blob Data Reader
  - Destination: Storage Blob Data Contributor
- Generate a client secret for the service principal

With the Azure CLI, the role assignments scoped to a single container look like this:

```bash
# For source (read-only)
az role assignment create \
  --assignee <service-principal-id> \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>/blobServices/default/containers/<container>

# For destination (write)
az role assignment create \
  --assignee <service-principal-id> \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>/blobServices/default/containers/<container>
```
Using Credentials in Cloney
When configuring Azure in Cloney, you'll need:
- Storage Account Name: Your Azure storage account name
- Access Key or SAS Token: Either the full access key or a SAS token
- Container Name: The name of your blob container
You can now use these credentials in Cloney to connect your Azure Blob Storage container securely.
Ready to Start Your Migration?
Create your Cloney account and begin migrating your data securely today.