Hello,
I would like to know how I can restrict read access for a single container only. Imagine the following situation. I have a storage account "stracc" with two containers "container" and "containerdenied" inside. I would like to do this via DenyAssignments. Therefore I wrote the following bicep file "main.bicep":
param storageAccountName string = 'stracc'
param containerName1 string = 'container'
param containerName2 string = 'containerdenied'

resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  location: 'germanywestcentral'
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-02-01' = {
  name: 'default'
  parent: storageAccount
}

// Each resource needs a unique symbolic name; both containers were declared as
// 'storageContainer', which Bicep rejects as a duplicate declaration.
resource storageContainer1 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {
  parent: blobService
  name: containerName1
}

resource storageContainer2 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = {
  parent: blobService
  name: containerName2
}
Now I execute the following command via Azure CLI:
az stack group create --name my_stack --deny-settings-mode DenyWriteAndDelete --action-on-unmanage detachAll --resource-group my-rg --template-file main.bicep --deny-settings-excluded-actions Microsoft.Storage/storageAccounts/blobServices/containers/containerdenied/read
Unfortunately this doesn't work. The command fails and I am pretty sure this is because of the permission "Microsoft.Storage/storageAccounts/blobServices/containers/containerdenied/read" where the specific container name is included. If I execute this command without the container name like "Microsoft.Storage/storageAccounts/blobServices/containers/read" it works perfectly fine. But then, of course, the read access is permitted for all containers. What do I have to do to only apply this to one of the containers? Thank you very much for your help!