Why do read access rights need to be more specific than contribute access rights

Søren Bech Christensen 0 Reputation points
2023-09-26T10:43:27.63+00:00

Using service principals, I am trying to define two roles in my Azure Resource Group, one for the moderator:

az role assignment create --assignee <moderator app id> --role "Storage Blob Data Owner" --scope /subscriptions/<mysub>/resourceGroups/<myresourcegroup>

and one for the reader:

az role assignment create --assignee <readerapp id> --role "Storage Blob Data Reader" --scope /subscriptions/<mysub>/resourceGroups/<myresourcegroup>

The moderator can upload files to the container using:

azcopy copy <local path> "https://<storage account>.blob.core.windows.net/<container>" --recursive=true

But when the reader tries to get the content from the container with:

azcopy copy "https://<storage account>.blob.core.windows.net/<container>" "<local path>" --recursive=true --overwrite ifSourceNewer

…the command fails with

failed to perform copy command due to error: cannot start job due to error: cannot list files due to reason -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, C:/Users/VssAdministrator/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.15.0/azblob/zc_storage_error.go:42

When assigning read access on container level (as opposed to the resource group) with

az role assignment create --assignee <reader app id> --role "Storage Blob Data Reader" --scope /subscriptions/<mysub>/resourceGroups/<myresourcegroup>/providers/Microsoft.Storage/storageAccounts/<storage account>/blobServices/default/containers/<container>

…the reader role is able to azcopy the contents of the container.

Why are read access rights more restrictive than write access rights?

Tags: Azure Blob Storage, Azure Role-based access control

1 answer

James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2023-09-26T18:39:57.24+00:00

    Hi @Søren Bech Christensen , when it comes to access rights, it is always best practice to grant only the narrowest possible scope. This is because the more access rights a user has, the more damage they can do if their account is compromised.

    For example, if a user has read access to a resource, they can only view the resource and its properties. However, if a user has contribute access, they can make changes to the resource, which could potentially cause damage.

    Regarding your question, read access rights need to be more specific than contribute access rights because read access is generally less risky than contribute access. If a user has read access to a resource, they can only view the resource and its properties. However, if a user has contribute access, they can make changes to the resource, which could potentially cause damage.

    Regarding your second question, to create a role assignment in Azure Resource Group using Azure CLI, you can use the following command:

    az role assignment create --assignee <service-principal-object-id> --role <role-name> --resource-group <resource-group-name>

    Here, you need to replace <service-principal-object-id> with the object ID of the service principal, <role-name> with the name of the role you want to assign, and <resource-group-name> with the name of the resource group to which you want to assign the role.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
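Added example, not part of the question or the answer above: a small Python audit over the JSON that `az role assignment list -o json` emits, flagging blob data-plane roles (Storage Blob Data Owner / Contributor / Reader) granted above container scope, which is the "narrowest possible scope" point the answer makes. The input below is a constructed sample with placeholder values; the field names principalName, roleDefinitionName and scope are the ones the CLI actually outputs.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list -o json`,
# trimmed to the fields this check uses. Values are placeholders, not real IDs.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "moderator-app", "roleDefinitionName": "Storage Blob Data Owner",
     "scope": "/subscriptions/<mysub>/resourceGroups/<myresourcegroup>"},
    {"principalName": "reader-app", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/<mysub>/resourceGroups/<myresourcegroup>/providers/"
              "Microsoft.Storage/storageAccounts/<storage account>/blobServices/default/"
              "containers/<container>"},
    {"principalName": "ops-team", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/<mysub>"},
])

# Scope levels from narrowest to broadest; the first pattern that matches wins.
SCOPE_LEVELS = [
    ("container", re.compile(r"/blobServices/default/containers/[^/]+$")),
    ("storageAccount", re.compile(r"/providers/Microsoft\.Storage/storageAccounts/[^/]+$")),
    ("resourceGroup", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$")),
]
DATA_PLANE_ROLES = {"Storage Blob Data Owner", "Storage Blob Data Contributor",
                    "Storage Blob Data Reader"}


def scope_level(scope):
    """Classify an ARM scope string; anything unrecognised is reported as 'other'."""
    for level, pattern in SCOPE_LEVELS:
        if pattern.search(scope):
            return level
    return "other"


def find_broad_data_plane_assignments(assignments_json, allowed_level="container"):
    """Return (principal, role, level) for blob data-plane roles granted wider than allowed_level."""
    order = [level for level, _ in SCOPE_LEVELS]
    limit = order.index(allowed_level)
    findings = []
    for assignment in json.loads(assignments_json):
        if assignment["roleDefinitionName"] not in DATA_PLANE_ROLES:
            continue  # control-plane roles are out of scope for this check
        level = scope_level(assignment["scope"])
        if level == "other" or order.index(level) > limit:
            findings.append((assignment["principalName"], assignment["roleDefinitionName"], level))
    return findings


if __name__ == "__main__":
    for principal, role, level in find_broad_data_plane_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: '{role}' granted at {level} scope; consider narrowing to a container")
```

On real output, pipe `az role assignment list --all -o json` into find_broad_data_plane_assignments; the moderator's resource-group-wide Data Owner assignment from the question is the kind of grant it reports.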

