Azure Storage Accounts Roles

Fernando Gutierrez 245 Reputation points
2024-07-23T18:13:47.5766667+00:00

Good day

I would like to ask if someone can help me with an issue I am having in Azure.

In an Azure Storage Account, within a container, I have some folders where files are stored. I need a user to have roles or permissions that allow deleting or saving files.

Currently, in Access Control (IAM), this user has the roles Storage Account Contributor and Storage Blob Data Contributor, but they do NOT allow him to delete or save files.

Is it correct that I have these roles? Should I have another one?

As for access, everything is OK, because it reaches the Storage correctly, sees it correctly and accesses it correctly.

Thank you so much!


1 answer

  1. Abiola Akinbade 23,135 Reputation points
    2024-07-23T18:37:31.67+00:00

    Hello Fernando Gutierrez,

    Thanks for your question.

    These roles should be sufficient for the user to perform operations like saving and deleting files within a container.

    There are various reasons why this can be happening:

    • If using SAS or access keys, check that they carry the correct permissions.
    • The assignment is not at the correct scope. You can verify using the CLI command below:
    az role assignment list --assignee user@example.com --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Storage/storageAccounts/<storage-account>

    • Also check that there are no deny assignments:
    az role assignment list --assignee user@example.com --include-deny-assignments


    It could also be a result of network rules. Verify the network rules:

    az storage account network-rule list --account-name <storage-account> -g <resource-group-name>

    See:

    https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?source=recommendations&tabs=portal

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola

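The scope check suggested in the answer above, worked through as an added example (my code, not part of the original thread and not Microsoft's tooling). It takes role assignments in the shape `az role assignment list -o json` returns (`principalName`, `roleDefinitionName`, `scope`) and reports which blob data-plane rights reach a given container. Two facts it encodes: Azure RBAC inherits down the resource hierarchy, so a Storage Blob Data Contributor assignment at account scope covers every container but one made at a sibling container does not; and Storage Account Contributor is a control-plane role with no blob data actions, though it does include `Microsoft.Storage/storageAccounts/listKeys/action`. The storage account ID, the user, the assignments and the simplified deny-assignment shape are all constructed sample data.

```python
"""Added example (not from the thread): evaluate a user's effective blob data-plane
rights from the JSON that `az role assignment list -o json` returns.

The storage account ID, principal, assignments and deny-assignment shape below are
constructed sample data.
"""

# Only the built-in Storage Blob Data * roles carry blob data actions
# (Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*).
# Storage Account Contributor, Contributor and Owner are control-plane roles:
# they grant no blob data actions over Entra ID auth, but they do include
# Microsoft.Storage/storageAccounts/listKeys/action, i.e. a shared-key path
# around RBAC unless allowSharedKeyAccess is disabled on the account.
DATA_PLANE_RIGHTS = {
    "Storage Blob Data Reader": {"read"},
    "Storage Blob Data Contributor": {"read", "write", "delete"},
    "Storage Blob Data Owner": {"read", "write", "delete", "acl"},
    "Storage Account Contributor": set(),
    "Contributor": set(),
    "Owner": set(),
}
KEY_LISTING_ROLES = {"Storage Account Contributor", "Contributor", "Owner"}

# Constructed resource IDs and principal.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
           "/providers/Microsoft.Storage/storageAccounts/stdata001")
CONTAINERS = ACCOUNT + "/blobServices/default/containers/"
TARGET = CONTAINERS + "reports"   # container the user must write to and delete from
USER = "user@example.com"

# Constructed: data role assigned at a sibling container, management role at the account.
WRONG_SCOPE = [
    {"principalName": USER, "roleDefinitionName": "Storage Account Contributor", "scope": ACCOUNT},
    {"principalName": USER, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": CONTAINERS + "archive"},
]
# Constructed: both roles at account scope, which the target container inherits.
ACCOUNT_SCOPE = [
    {"principalName": USER, "roleDefinitionName": "Storage Account Contributor", "scope": ACCOUNT},
    {"principalName": USER, "roleDefinitionName": "Storage Blob Data Contributor", "scope": ACCOUNT},
]
# Constructed, simplified deny-assignment shape: id, scope, and the principals it covers.
DENY = [{"id": "deny-example", "scope": ACCOUNT, "principals": [USER]}]


def scope_covers(assignment_scope: str, target: str) -> bool:
    """True when target equals assignment_scope or sits beneath it on a segment boundary."""
    a = assignment_scope.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_rights(assignments, deny_assignments, principal, target_scope):
    """Combine every assignment that covers target_scope into one rights report."""
    rights, applied, can_list_keys = set(), [], False
    for a in assignments:
        if a["principalName"].lower() != principal.lower():
            continue
        if not scope_covers(a["scope"], target_scope):
            continue  # assigned elsewhere (sibling container, other account)
        role = a["roleDefinitionName"]
        applied.append((role, a["scope"]))
        rights |= DATA_PLANE_RIGHTS.get(role, set())
        can_list_keys = can_list_keys or role in KEY_LISTING_ROLES
    denied = [
        d["id"] for d in deny_assignments
        if scope_covers(d["scope"], target_scope)
        and principal.lower() in (p.lower() for p in d["principals"])
    ]
    if denied:
        rights = set()  # a deny assignment wins over any role assignment
    return {
        "rights": rights,
        "can_write_and_delete": {"write", "delete"} <= rights,
        "roles_applied": applied,
        "deny_assignments": denied,
        "can_list_keys": can_list_keys,
    }


def explain(report):
    """One-line verdict for a report from effective_rights()."""
    if report["deny_assignments"]:
        return "blocked by deny assignment(s): " + ", ".join(report["deny_assignments"])
    if report["can_write_and_delete"]:
        return "write and delete allowed via Entra ID auth (use --auth-mode login)"
    if not report["rights"]:
        msg = "no data-plane role reaches this container; only control-plane roles apply"
        if report["can_list_keys"]:
            msg += " (user can still listKeys and use shared-key auth)"
        return msg
    return "partial data-plane rights only: " + ", ".join(sorted(report["rights"]))


if __name__ == "__main__":
    for label, assignments, deny in (("wrong scope", WRONG_SCOPE, []),
                                     ("account scope", ACCOUNT_SCOPE, []),
                                     ("account scope + deny", ACCOUNT_SCOPE, DENY)):
        print(f"{label}: {explain(effective_rights(assignments, deny, USER, TARGET))}")
```

To run it against a real account, feed it the output of `az role assignment list --assignee <user> --include-inherited -o json` and the container's resource ID. Two caveats the verdict lines hint at: a client that falls back to the account key (the portal does this when the user can call listKeys) will appear to work even when the data-plane assignment is wrong, and disabling shared-key access on the account is what makes the RBAC result the only path; and when the data-plane role is correct but the client is still refused, test with `--auth-mode login` so the request actually carries the Entra ID token rather than a key or SAS.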
