@Quattrocchi, Calogero Welcome to the Microsoft Q&A Forum, and thank you for posting your query here!
Firstly, let me explain what the Storage Account Key Operator Service Role is. It permits listing and regenerating storage account access keys. Learn more:
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
**Based on the error message, you may refer to the suggestion mentioned in this thread.**
The reason why you need the "Storage Account Key Operator Service" role for the Managed Identity to write data to the Storage account is that the Managed Identity needs to authenticate itself to the Storage account in order to access it.
When you disable storage account key access, you are preventing access to the Storage account using the account key. This means that the Managed Identity can no longer authenticate itself to the Storage account using the account key.
To avoid using the "Storage Account Key Operator Service" role, you can use Azure AD authentication instead of storage account key authentication. This involves creating an Azure AD application and granting it access to the Storage account. You can then use the Managed Identity to authenticate to the Azure AD application, which in turn can authenticate to the Storage account.
Here are the high-level steps to use Azure AD authentication:
- Create an Azure AD application and grant it access to the Storage account.
- Assign the "Storage Blob Data Contributor" role to the Managed Identity for the Azure AD application.
- Modify your PowerShell script to use the Managed Identity to authenticate to the Azure AD application, which in turn can authenticate to the Storage account.
You can find more detailed information on how to use Azure AD authentication with Storage accounts in the Azure documentation: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
Additional information:
- Use a Managed Identity: Make sure that the Managed Identity associated with your Automation Account has the necessary permissions (like the "Storage Blob Data Contributor" role) to write data to the Storage account. With the right permissions, you should be able to interact with the Storage account securely without relying on storage account keys.
- Generate Shared Access Signatures (SAS): You can generate SAS tokens for your Storage account resources (containers or blobs) and provide these tokens to your Automation Runbook. This way, you can control access at a more granular level without exposing the storage account keys.
- Use a service principal: Instead of a Managed Identity, you can use a service principal with appropriate permissions to interact with your Storage account. This is another secure way to access your storage resources without relying on keys.
I have not reproduced the above-mentioned steps; please check and let me know the status.
Please let us know if you have any further queries. I'm happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
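The keyless path the answer above recommends, written out as an added example (this is not code from the original answer or from Microsoft): an Azure Automation PowerShell runbook that signs in as the Automation Account's managed identity and writes a blob with a token-based storage context, so neither `listkeys` nor the "Storage Account Key Operator Service Role" is needed and the runbook keeps working after shared-key access is disabled. The resource group, storage account, container and automation account names are placeholders, and the role-assignment and hardening steps at the end are an administrator's one-time setup, not part of the runbook.

```powershell
# Added example, not from the original post. Runbook: write a blob using only the
# Automation Account's system-assigned managed identity and Azure AD (Entra ID)
# authorization. No storage account key is listed, regenerated or used.
#
# Assumed placeholders: resource group "rg-demo", storage account "stdemo001",
# container "runbook-output". Replace them with your own values.
param(
    [string]$ResourceGroupName  = "rg-demo",
    [string]$StorageAccountName = "stdemo001",
    [string]$ContainerName      = "runbook-output"
)

# Sign in as the managed identity of the Automation Account that runs this job.
# For a user-assigned identity add: -AccountId <client id of that identity>.
Connect-AzAccount -Identity | Out-Null

# --- What NOT to do once keys are disabled -------------------------------------------
# (Get-AzStorageAccount ...).Context is built by calling listkeys on the account. That
# needs Microsoft.Storage/storageAccounts/listkeys/action (the action carried by the
# "Storage Account Key Operator Service Role"), and the resulting key-based context is
# rejected by the data plane once AllowSharedKeyAccess is $false.
#
#   $ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context

# --- Keyless context: OAuth token of the connected (managed) identity ----------------
# -UseConnectedAccount makes every data-plane call carry the identity's Azure AD token
# instead of a shared key or SAS. Authorization then comes from a data-plane RBAC role
# such as "Storage Blob Data Contributor" on the account or container.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

# Constructed payload for the demonstration.
$tempFile = Join-Path ([System.IO.Path]::GetTempPath()) ("runbook-{0}.txt" -f (Get-Date -Format "yyyyMMddHHmmss"))
"runbook executed at $(Get-Date -Format o)" | Set-Content -Path $tempFile

$blobName = Split-Path -Leaf $tempFile
Set-AzStorageBlobContent -File $tempFile -Container $ContainerName -Blob $blobName -Context $ctx -Force | Out-Null

# Read the blob back through the same token-based context to confirm the write.
$blob = Get-AzStorageBlob -Container $ContainerName -Blob $blobName -Context $ctx
Write-Output ("Uploaded {0} ({1} bytes) to {2}/{3}" -f $blob.Name, $blob.Length, $StorageAccountName, $ContainerName)

# --- One-time setup by an administrator (not run inside the runbook) -----------------
# The system-assigned identity's service principal carries the Automation Account's
# display name (assumed here as "aa-demo"). Grant the data-plane role at the narrowest
# scope that works (the container), then turn off shared-key access so that any listed
# or leaked key is useless against this account.
#
#   $principalId = (Get-AzADServicePrincipal -DisplayName "aa-demo").Id
#   $scope = "/subscriptions/<subscription id>/resourceGroups/$ResourceGroupName" +
#            "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName" +
#            "/blobServices/default/containers/$ContainerName"
#   New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Storage Blob Data Contributor" -Scope $scope
#   Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -AllowSharedKeyAccess $false
```

Two checks worth running before disabling keys: confirm the role assignment has propagated (`Get-AzRoleAssignment -ObjectId $principalId -Scope $scope`), and run the runbook once with the `-UseConnectedAccount` context while keys are still enabled; if it succeeds there, disabling `AllowSharedKeyAccess` will not break it, because no call in the keyless path touches the account keys.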