![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 90%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,931 questions
Greetings!
The error arises because the user has only the Storage Blob Data Contributor role at the container level and lacks the 'Microsoft.Storage/storageAccounts/listKeys/action' permission at the storage account level. This permission is necessary for generating SAS tokens using the account key signing method.
To fix the issue, the user should generate the SAS token using the User Delegation Key signing method. This method requires the 'Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action' permission, which the 'Storage Blob Data Contributor role' at the container level provides.
Additionally, it's worth noting that the Storage Blob Data Contributor role at the container level provides permissions to read and write blob data, but not to manage the container itself. If the user needs to manage the container, they may need additional permissions or a different role.
The resources provided are accurate and helpful for learning more about SAS tokens, role-based access control (RBAC) in Azure, and the Azure Storage Blob Data Contributor role.
Resources:
- Learn more about SAS tokens
- Role-based access control (RBAC) in Azure
- Azure Storage Blob Data Contributor role
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.