How to Create a Custom Azure Role for Storage Accounts with Restricted Delete Permissions

Abdul 2,650 Reputation points Microsoft External Staff
2024-08-01T08:55:20.6066667+00:00

How can I create a custom role in Azure that allows users to read and write to a storage account but restricts them from creating new directories or deleting any existing blobs or directories?

"PS - Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community."

  1. Abdul 2,650 Reputation points Microsoft External Staff
    2024-08-01T09:01:47.9066667+00:00

    Greetings!

    To create a custom role in Azure that allows users to read and write to a storage account but restricts them from creating new directories or deleting any existing blobs or directories, you can follow these steps:

    1. Log in to the Azure Portal with your credentials.
    2. Navigate to the Resource Group or Subscription where you want to implement the role.
    3. Select Access Control (IAM) and click on "Add" followed by "Add Custom Role."
    4. Provide a suitable name and description for the custom role.
    5. Choose to Clone an Existing Role, specifically the "Storage Blob Data Contributor" role, as it closely aligns with the permissions you need.
    6. Modify the Permissions:
      • Under "Not Actions," exclude the permissions related to deletion operations at the storage account level.
      • For "Not Data Actions," exclude data operations related to deleting blobs and directories.
    7. Finalize and Create the Custom Role.
    8. Assign the Custom Role to the user by navigating to the resource group, selecting Access Control (IAM), and choosing the newly created custom role.

    This custom role allows users to perform read and write operations without the ability to delete blobs or directories. However, due to the nature of write permissions, it is not possible to restrict the creation of new directories.

    For more detailed instructions, refer to the following resources:

    Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

    Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

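The role the answer describes, expressed as an Azure custom role definition file rather than portal clicks (an added example, not part of the original answer). It copies the actions of the built-in Storage Blob Data Contributor role and then subtracts the delete operations through NotActions and NotDataActions; the role name, description and the `<subscription-id>` placeholder in AssignableScopes are assumptions to replace with your own values.

```json
{
  "Name": "Storage Blob Data Contributor (No Delete)",
  "IsCustom": true,
  "Description": "Read and write blobs and directories, but never delete containers, blobs or directories. Added example; values are placeholders.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
  ],
  "NotDataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

Save it as a file and create the role with `az role definition create --role-definition @restricted-blob-role.json`, then assign it at the storage account or resource group scope as in step 8. Because `blobs/write` remains granted, directory creation in a hierarchical-namespace account is still allowed, as the answer notes; review whether `blobs/move/action` (rename) fits your policy before keeping it.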
