Custom Role definition to give the user the right of creating ONLY SAS tokens used for reading data from storage account

2024-07-25T15:06:45.9866667+00:00

Hello!
My team wants to create a custom Role for accessing data from the storage account. For now the user has only the Reader role assigned.
What we want to achieve is giving the recipient of this role the right to read blob data and to view the containers inside the storage account, and to be able to create SAS tokens that would be used ONLY for reading purposes. We're using Terraform to create these custom roles, using the 'permissions' setting like below.

Is there any way we can create this custom role used for creating only reading SAS tokens with this structure?

permissions {
  # management-plane operations (ARM)
  actions = [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/listServiceSas/action"
  ]
  not_actions = []
  # data-plane operations (blob contents and listings)
  data_actions = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
}

2 answers

  1. Amrinder Singh, Microsoft Employee
    2024-07-25T16:25:33.9233333+00:00

    Hi FIXED-TERM Ciui Bianca-Laura (XC-DX/EXV-T-RO) - Thanks for reaching out.

    Based on the above you shared, that is the definition for the custom role being created, i.e. it will allow the action for the defined management plane (list keys) versus data plane (reading of blobs).

    However, this ideally won't help in controlling the SAS permissions.

    While generating the SAS, the permissions need to be supplied, and therein you can do the same, i.e. Read, List, etc. as per your requirement.

    I'll take another review once though, but as of now, the above seems to be correct.

    Hope that helps!

    Let me know if there are any queries/concerns, will be glad to assist.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
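
The point in the answer above, that the permission string is chosen by whoever mints the SAS, is what makes the posted role unable to enforce "read-only SAS". As an added example (not the asker's code or Microsoft's), here is the posted role beside a hardened variant; the role names, description and the `var.storage_account_id` scope are placeholders. The hardened variant relies on the documented behaviour that a user delegation SAS is honoured only for operations the delegating Entra ID principal's own RBAC allows, whereas a key-signed (account or service) SAS is bounded only by the account key.

```hcl
# Weak: as posted. listKeys, listAccountSas and listServiceSas expose the
# account key or a key-signed SAS. A key-signed SAS carries whatever
# permissions the caller requests (write, delete, ...), and RBAC has no
# way to narrow them, so "read-only SAS" cannot be enforced by this role.
resource "azurerm_role_definition" "blob_reader_weak" {
  name  = "Blob Reader With SAS (weak)"   # placeholder name
  scope = var.storage_account_id          # placeholder scope

  permissions {
    actions = [
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
      "Microsoft.Storage/storageAccounts/listAccountSas/action",
      "Microsoft.Storage/storageAccounts/listServiceSas/action",
    ]
    not_actions  = []
    data_actions = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
  }
  assignable_scopes = [var.storage_account_id]
}

# Hardened: only the user delegation key path remains. The user delegation
# key is tied to the requesting principal, and Azure Storage checks that
# principal's RBAC when the SAS is used. With read-only data actions, any
# SAS minted under this role is effectively read-only even if the caller
# asks for write or delete in the permission string.
resource "azurerm_role_definition" "blob_reader_hardened" {
  name  = "Blob Reader With Read-Only SAS" # placeholder name
  scope = var.storage_account_id           # placeholder scope

  permissions {
    actions = [
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ]
    not_actions  = []
    data_actions = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
  }
  assignable_scopes = [var.storage_account_id]
}
```

Because Azure RBAC is additive, also confirm that no other assignment on the account, resource group or subscription (for example Contributor) still grants `listKeys` to the same principal, or the account-key path reappears.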


  2. 2024-07-30T04:25:56.8833333+00:00

    Is there a way we can control the SAS permissions using this method of defining the role? We would need to restrict the user from creating anything other than a SAS token with the permission of reading.
