To avoid using Azure Storage account keys and to give users just enough access, it is recommended to use Azure AD authentication and RBAC.
To download or read a blob from a storage account with a private container, the user needs at least the "Storage Blob Data Reader" role (even if they are an Owner of the storage account resource).
Azure CLI script example:
```bash
subscription_id="00000-0000-0000-0000-00000000"
storage_account_name="<storage-account-name>"
container_name="<container-name>"
blob_path="<blob-name>"
output_file_path="<local-file-name>"

az login
az account set -s "$subscription_id"
# --auth-mode login uses the Azure AD identity from "az login" instead of the account key
az storage blob download --account-name "$storage_account_name" \
    --container-name "$container_name" \
    --name "$blob_path" \
    --file "$output_file_path" \
    --auth-mode login
```
On Linux, Python is available by default, and Python (with the Azure, Azure AD and Azure Storage modules) is also included with the Azure CLI installation, so the following Python script can be used to get a result similar to the Azure CLI one, using device login:
```python
import adal
from azure.storage.blob import BlockBlobService
from azure.storage.common import TokenCredential

storage_account_name = "<storage-account-name>"
container_name = "<container-name>"
blob_path = "<blob-name>"
output_file_path = "<local-file-path>"


def get_device_login_token():
    # Application ID of Azure CLI, used here only as an example
    client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
    # Your organisation's tenant ID, the one whose RBAC assignments apply to the storage account
    tenant_id = '<tenant-id>'
    authority_uri = 'https://login.microsoftonline.com/' + tenant_id + '/'
    # Token audience for the Azure Storage data plane
    resource_uri = 'https://storage.azure.com'
    context = adal.AuthenticationContext(authority_uri, api_version=None)
    # Device code flow: prints the URL and code the user has to enter in a browser
    code = context.acquire_user_code(resource_uri, client_id)
    print(code['message'])
    mgmt_token = context.acquire_token_with_device_code(resource_uri, code, client_id)
    return TokenCredential(mgmt_token['accessToken'])


block_blob_service = BlockBlobService(
    account_name=storage_account_name,
    token_credential=get_device_login_token()
)
block_blob_service.get_blob_to_path(container_name, blob_path, output_file_path)
```
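As an added check that is not part of the original script: before handing the device-login token to BlockBlobService, decode its payload and confirm that the audience matches the resource_uri the script requested and that the tenant is the one whose RBAC assignments apply. The token below is constructed, unsigned sample data; a real Azure AD token is signed, and the storage service is what validates the signature.

```python
import base64
import json
import time

# Audience the device-login script requests for the storage data plane
STORAGE_RESOURCE = "https://storage.azure.com"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    # Constructed test token only (alg "none"): a real token from Azure AD is RS256-signed
    header = {"alg": "none", "typ": "JWT"}
    return _b64url_encode(header) + "." + _b64url_encode(claims) + "."


def check_storage_token(token, expected_tenant, now=None):
    """Return the claims if the token fits this script's use, else raise ValueError.
    No signature check here: this only catches a token for the wrong audience or
    tenant, or an expired one, before a request is sent to the storage account."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", "")
    if aud.rstrip("/") != STORAGE_RESOURCE:
        raise ValueError("token audience %r is not the storage resource" % aud)
    if claims.get("tid") != expected_tenant:
        raise ValueError("token tenant %r, expected %r" % (claims.get("tid"), expected_tenant))
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims


# Constructed sample: the claims a device-login token for the storage audience carries
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant ID
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": STORAGE_RESOURCE,
    "tid": SAMPLE_TENANT,
    "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  # Azure CLI application ID
    "exp": int(time.time()) + 3600,
})
```

In the script above this check would sit between acquire_token_with_device_code and TokenCredential, with expected_tenant set to the same tenant_id used for the authority URI.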
If you use your own custom application in the Python code, its service principal must be registered in your organisation's tenant. The multi-tenant application ID of Azure CLI is used here only as an example; in that case the sign-ins from the Python script will show up as Azure CLI sign-ins. How to create and register a multi-tenant application is explained here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant