Difference of storage account access permissions read add create write delete list

Tien 40 Reputation points
2024-05-21T14:31:11.3066667+00:00

When creating Shared Access Token/Signatures or Access Policy for Storage Account. I can specify which Permission will be granted: read/add/create/write/delete/list

Is there a official source that tell what the permissions can do?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,826 questions
0 comments No comments
{count} votes

Accepted answer
  1. Amrinder Singh 3,795 Reputation points Microsoft Employee
    2024-05-21T14:56:30.69+00:00

    Hi Tien - Thanks for reaching out.

    When working with Service/Account SAS, it is signed using the access keys so you need to have a role/permissions in order to access the keys i.e.

    Microsoft.Storage/storageAccounts/listkeys/action

    Build in Role such as Contributor or Reader and Data Access tend to have that permission so you can leverage them to generate the SAS.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#contributor

    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access

    What permission does the SAS should be having can be controlled further while creating the SAS such as Read, Write, List delete etc.

    Below is the reference links that talks about the same:

    https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create-dotnet

    https://learn.microsoft.com/en-us/azure/storage/common/storage-account-sas-create-dotnet?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json

    Below are further additional links that talks about working with Stored Access Policy.

    https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy

    https://techcommunity.microsoft.com/t5/azure-paas-blog/working-with-stored-access-policy-to-control-sas/ba-p/3744484

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

Sort by: Most helpful
  1. Luis Arias 5,371 Reputation points
    2024-05-21T14:55:14.2433333+00:00

    Hi Tien,

    Yes, there are official sources that explain what each permission can do in Azure Storage. Here’s a brief summary:

    • Read: Allows read access to the data in the storage account.
    • Add: Allows adding data to the storage account.
    • Create: Allows creating new data in the storage account.
    • Write: Allows writing (updating) data in the storage account.
    • Delete: Allows deleting data from the storage account. However, you can add conditions to restrict delete operations.
    • List: Allows listing all blobs or files in the storage account.

    Reference and documentation:

    If the information helped address your question, please Accept the answer.

    Luis