app service has storage contributor role in blob storage, it is throwing AuthorizationPermissionMismatch exception

Anem, Kishan Kasyap 30 Reputation points
2023-08-18T03:45:54.22+00:00

The app service has a storage contributor role in blob storage, it is throwing AuthorizationPermissionMismatch exception

Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

Accepted answer
  1. Manu Philip 17,026 Reputation points MVP
    2023-08-18T04:21:41.4466667+00:00

    The Storage Contributor role can't help, I think.

    Roles starting with 'Storage Blob Data' should be assigned. 'Storage Blob Data Contributor' should help!


    --please don't forget to upvote and Accept as answer if the reply is helpful--


3 additional answers

  1. Anem, Kishan Kasyap 30 Reputation points
    2023-08-22T09:16:07.4133333+00:00

    Storage Blob Data Contributor doesn't have permission to update index tags. We've assigned the role Defender for Storage Data Scanner, and then it started working. Thanks for the help.

    1 person found this answer helpful.
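
Added example, not part of any answer in this thread and not Microsoft's code: a small offline check of why a management-plane role gives AuthorizationPermissionMismatch on blob requests, and why Storage Blob Data Contributor still cannot update index tags. The role definitions are abbreviated copies typed in for the example, and `Storage Account Contributor` and the `NEEDED` list are assumptions standing in for the asker's setup.

```python
from fnmatch import fnmatchcase

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"

# Abbreviated copies of built-in role definitions, typed in for this example.
# Assumption: confirm the live lists with `az role definition list --name "<role>"`.
ROLES = {
    # Stands in for the management-plane "contributor" role from the question.
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"],
        "dataActions": [],
    },
    "Storage Blob Data Contributor": {
        "dataActions": [f"{BLOB}/read", f"{BLOB}/write", f"{BLOB}/delete",
                        f"{BLOB}/add/action", f"{BLOB}/move/action"],
    },
    "Defender for Storage Data Scanner": {
        "dataActions": [f"{BLOB}/read", f"{BLOB}/tags/read", f"{BLOB}/tags/write"],
    },
}


def granting_roles(assigned, data_operation):
    """Roles among `assigned` whose DataActions cover a data-plane operation.

    Management-plane `actions` are deliberately ignored: blob requests
    authorized with Microsoft Entra ID are checked against DataActions only.
    """
    op = data_operation.lower()
    return [name for name in assigned
            if any(fnmatchcase(op, pat.lower()) for pat in ROLES[name]["dataActions"])]


def missing_operations(assigned, needed):
    """Operations that no assigned role grants (each one is refused)."""
    return [op for op in needed if not granting_roles(assigned, op)]


# Assumed workload for this thread: write blobs and update their index tags.
NEEDED = [f"{BLOB}/write", f"{BLOB}/tags/write"]

if __name__ == "__main__":
    for assigned in (["Storage Account Contributor"],
                     ["Storage Blob Data Contributor"],
                     ["Storage Blob Data Contributor", "Defender for Storage Data Scanner"]):
        print(assigned, "-> missing:", missing_operations(assigned, NEEDED) or "nothing")
```

Note that `blobs/write` does not match `blobs/tags/write`; only an explicit tags entry or a wildcard such as `blobs/*` covers index tags.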

  2. Anem, Kishan Kasyap 30 Reputation points
    2023-08-18T05:20:45.2833333+00:00

    App service has Storage Blob Data Contributor.


  3. MB CAB 5 Reputation points
    2023-09-13T09:11:10.2466667+00:00

    I have a similar issue, which I reported here: https://stackoverflow.com/questions/77095628/azure-durable-function-403-and-409-errors-when-writing-internally-to-blob-queu

    It seems like the "Storage XXX Data Contributor" roles (Storage Queue, Storage Blob and Storage Table) are not enough, maybe just in some corner cases.

    Those 3 roles are the ones suggested by the documentation, as seen here: https://learn.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-configure-durable-functions-with-credentials

    But do they have sufficient access to, for example, create a new queue? What about when there's no queue yet (at all)? Is there some kind of preliminary creation task required, which needs more permissions? Something's not right.
