BLOB Container SAS generation which Permissions I need for User delegation key?

Uwe Domschke 1 Reputation point
2023-11-21T08:00:07.6166667+00:00

Hello,

I want to set the permissions for the user delegation key in BLOB Container -> SAS generation. I get this message:

"You do not have permissions to grant Read access. You can still create a shared access signature (SAS), but you need an RBAC role with additional permissions to grant the signature recipient the desired access."

I have the role "owner" of the storage account without condition and "User Access Administrator" without condition.

Which RBAC role do I also need?

Thanks Uwe

Azure Blob Storage

1 answer

  1. Siva Villa 285 Reputation points Microsoft Employee
    2023-11-22T12:13:13.4966667+00:00

    Uwe Domschke

    Thanks for reaching out to the Microsoft Q&A Team.

    To access blob data in the Azure portal with Microsoft Entra credentials, a user must have the following role assignments:

    - A data access role, such as Storage Blob Data Contributor or Storage Blob Data Reader
    - The Azure Resource Manager Reader role, at a minimum

    Please add your account in the "Storage Blob Data Contributor" permission, allow 15 minutes for the changes to take effect, and then generate a user delegation key.

    Please refer to the articles below for more information.

    https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal#assign-an-azure-role

    Create a user delegation SAS - Azure Storage | Microsoft Learn

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

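Why Owner plus User Access Administrator still produces the portal message, as an added example that is not part of the original thread or any Microsoft code: a user delegation SAS grants only the intersection of the permissions requested on the SAS and the data-plane permissions (DataActions) of the principal that requested the key, and neither of those two roles carries any DataActions. The role definitions below are abridged from the built-in roles, NotActions are ignored, and the mapping from SAS permission letters to data actions is a simplifying assumption.

```python
from fnmatch import fnmatchcase

BLOB = "Microsoft.Storage/storageAccounts/blobServices"
KEY_ACTION = f"{BLOB}/generateUserDelegationKey/action"

# Abridged built-in role definitions (assumption: compare against the live
# definitions with `az role definition list --name "<role name>"`).
ROLES = {
    "Owner": {"actions": ["*"], "data": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "data": []},
    "Reader": {"actions": ["*/read"], "data": []},
    "Storage Blob Data Reader": {
        "actions": [f"{BLOB}/containers/read", KEY_ACTION],
        "data": [f"{BLOB}/containers/blobs/read"]},
    "Storage Blob Data Contributor": {
        "actions": [f"{BLOB}/containers/{op}" for op in ("delete", "read", "write")]
                   + [KEY_ACTION],
        "data": [f"{BLOB}/containers/blobs/{op}"
                 for op in ("delete", "read", "write", "move/action", "add/action")]},
}

# Assumed, simplified mapping from SAS permission letters to data actions.
SAS_TO_DATA_ACTION = {
    "r": f"{BLOB}/containers/blobs/read",
    "w": f"{BLOB}/containers/blobs/write",
    "d": f"{BLOB}/containers/blobs/delete",
}

def _allowed(operation, patterns):
    """Case-insensitive wildcard match of one operation against role patterns."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def evaluate_sas(assigned_roles, requested):
    """Return (can_get_delegation_key, SAS permissions that will actually work)."""
    actions = [a for r in assigned_roles for a in ROLES[r]["actions"]]
    data = [d for r in assigned_roles for d in ROLES[r]["data"]]
    can_get_key = _allowed(KEY_ACTION, actions)
    effective = "".join(p for p in requested if _allowed(SAS_TO_DATA_ACTION[p], data))
    return can_get_key, effective

if __name__ == "__main__":
    for roles in (["Owner", "User Access Administrator"],
                  ["Owner", "Storage Blob Data Contributor"]):
        print(roles, "->", evaluate_sas(roles, "rwd"))
```

The first case mirrors the question: the key can be obtained, but no requested permission survives the intersection, which is what the portal warning describes.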
