Custom Permission attributes for only listing all blobs

ankit kumar 101 Reputation points
2020-10-09T00:59:36.673+00:00

My requirement is to allow users to see all the blobs and allow them to download, but they can't upload or delete a blob. I tried creating a custom permission but it's not working as expected. All I get is 'Microsoft.Storage/storageAccounts/listKeys/action does not have authorization to below scope', and if I add this scope to my custom permission actions, then I am able to upload and delete as well.

I even tried using the 'Storage Blob Data Reader (Preview)' and 'Reader and Data Access' permissions, but I am still unable to achieve my functionality. Looking for guidance from Microsoft to define the right permissions to achieve the above requirement.


1 answer

  1. Sumarigo-MSFT 42,676 Reputation points Microsoft Employee
    2020-10-09T10:18:04.063+00:00

    @ankit kumar Let me explain how these roles work and the definition of the RBAC.

    Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

    Access to blob or queue data in the Azure portal can be authorized using either your Azure AD account or the storage account access key. For more information, see Use the Azure portal to access blob or queue data.


    You can grant the right to create a user delegation key separately from the right to the data.

    https://learn.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key is performed at the account level, so you must grant this permission with something like the Storage Blob Delegator built-in role at the scope of the storage account.

    The user delegation token can then be generated to grant a subset of the user's permissions for a limited time, and can be granted for an entire blob container or for individual blobs.

    Based on the error message you can refer to Troubleshoot Azure RBAC.

    Please look into the article Add or remove role assignments using Azure RBAC and the Azure portal.

    As per this article learn.microsoft.com/en-us/rest/api/storageservices/… Get Blob should just require read contributor permissions.

    Data operations example: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#data-operations-example

    Please refer to this GitHub thread on Clarity on Reader role.

    If the issue still persists, try using Azure Storage Explorer. To grant portal access to blobs/queues to a user, you also need to assign them the Azure Resource Manager Reader role. That will give them the permissions they need to navigate through the portal to view blob and queue resources.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
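As an added example (not code from the thread or from Microsoft), the following script writes a custom role definition that grants only the data-plane read/list operations of the built-in Storage Blob Data Reader role, checks that it grants no write, delete or listKeys action before creating it, and assigns it together with the Reader role the answer says the portal needs. The subscription id, storage account resource id and user object id are placeholders.

```shell
#!/bin/sh
# Placeholder subscription id; not a value from the thread.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"

# Write the role definition JSON to the path given as $1.
# Actions = management-plane (list containers, create user delegation key);
# DataActions = data-plane (read blob content). No write/delete and no
# listKeys, so the account key is never handed out.
write_role_definition() {
  cat > "$1" <<EOF
{
  "Name": "Blob List And Download Only",
  "Description": "List containers and blobs, download blob content; no upload or delete.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
EOF
}

# Guard: the file must grant blob read and must not grant any mutating
# operation or listKeys (listKeys yields the account key, which bypasses
# every data-plane restriction). Returns 0 when the definition is read-only.
check_role_definition() {
  grep -q 'containers/blobs/read' "$1" || return 1
  if grep -Eq 'blobs/(write|delete|add|move)|listKeys|blobServices/write' "$1"; then
    return 1
  fi
  return 0
}

# Create the role and assign it, plus the Reader role for portal navigation.
# $1 = storage account resource id, $2 = user object id (both placeholders).
create_and_assign() {
  write_role_definition role.json
  check_role_definition role.json || { echo "refusing: role is not read-only" >&2; return 1; }
  az role definition create --role-definition @role.json
  az role assignment create --role "Blob List And Download Only" --assignee "$2" --scope "$1"
  az role assignment create --role "Reader" --assignee "$2" --scope "$1"
}
```

Because the role grants no listKeys action, the user must switch the portal to Azure AD authentication for the container; the access-key mode the error message refers to will keep failing by design.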