Exam AZ-104 topic 3 question 4 discussion

Correct Answer: Box 1: Access Control (IAM) Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the number of secrets used, so Access keys is not ideal. Box 2: Shared access signatures (SAS) We need temp access for App2, so we need to use SAS. Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth

I think App1 should access storage1 over IAM with managed identity. The requirement is minimize the number of secrets used...

Box 1: Access Control (IAM) Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the number of secrets used, so Access keys is not ideal. Box 2: Shared access signatures (SAS) We need temp access for App2, so we need to use SAS. A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters. Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview https://docs.microsoft.com/en-us/azure/storage/common/storage-auth

Correct Answer: BOX 1:Access Conntrol(IAM) pp1 has a managed identity, and you can assign a Storage Blob Data Reader role to the managed identity of App1 in the access control (IAM) settings for storage1. This approach eliminates the need for secrets and allows App1 to read blobs securely Box 2: Shared access siganture(SAS) Use a Shared access signature (SAS). This allows you to create a time-limited access token that grants read permissions to App2 for the next 30 days.

App1: Access control (IAM) App2: Shared access signatures (SAS)

- Access keys (IAM) - shared access signatures (SAS)

To ensure that App1 and App2 can read blobs from storage1 while meeting the given requirements, you would use the following: 1. **App1**: Since App1 uses a managed identity and there's no mention of time restrictions for its access, you should grant its managed identity the necessary permissions using Azure RBAC (Role-Based Access Control). Thus, for App1, the answer would be: - **Access control (IAM)**: You should assign the managed identity of App1 the necessary role (e.g., "Storage Blob Data Reader") at the appropriate scope. 2. **App2**: For App2, it's specified that the access should only last for the next 30 days. Shared Access Signatures (SAS) are best for providing time-limited access to resources in Azure Storage. Thus, for App2, the answer would be: - **Shared access signatures (SAS)**: Generate an SAS token with read permissions on the blob service and set its expiration to 30 days in the future. Summary: - App1: Access control (IAM) - App2: Shared access signatures (SAS)

It would be immensely appreciated if someone with "Contributor Access" could kindly share all the questions, answers, and associated discussions in a PDF format. Your invaluable support holds immense significance for me, and I earnestly seek your assistance in this journey. Any help extended is deeply appreciated.

Since App1 uses managed identity, it means it can be given access through IAM. Doing it through Access Keys would make use of additional secret. Answer to first should be IAM.

IAM & SAS. IAM because of managed identity. SAS because of time limited access.

For App1, you should configure Access control (IAM) in storage1. This will allow you to grant the managed identity used by App1 the necessary permissions to read blobs from storage1 using role-based access control (RBAC). This approach minimizes the number of secrets used, as it does not require the use of access keys or shared access signatures. For App2, you should configure Shared access signatures (SAS) in storage1. This will allow you to create a shared access signature with an expiry time of 30 days, which will grant App2 temporary read access to blobs in storage1. After 30 days, the shared access signature will expire and App2 will no longer be able to read from storage1.

Box 1: Access Control (IAM) Since the App1 uses Managed Identity, App1 can access the Storage Account via IAM. As per requirement, we need to minimize the number of secrets used, so Access keys is not ideal. Box 2: Shared access signatures (SAS) We need temp access for App2, so we need to use SAS. A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters. Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview https://docs.microsoft.com/en-us/azure/storage/common/storage-auth

Came in exams on 21/7/2023. I selected Access control and SAS

I used free version access for this site and it helped me pass the exam. Some questions that I had on the exams, I took the exam more than once, are not available under the free tier access, but 80% of the questions came from here. I do recommend investing a bit of money and getting full access to this site. I didn't memorise answers but analysed them and studied as Microsoft does tweak them a bit. This Q was on the exam.

Box 1 : IAM - you want least amount of secrets used Box 2 : SAS - you want this because you are able to set a duration

Came in my exam today 17/05/23

Expanding further on mlantonis answer: A delegated SAS allows creating a SAS on a managed identity for App2 - so we are still using the MI and further scoping the access with a time limit.