Is there a set of permissions for a role in Azure such that it allows for a user to list all blobs with their properties and folders in an Azure Storage Account, but they cannot open, download or write the content of the files?

CW 0 Reputation points
2024-09-06T05:49:18.5066667+00:00

We have a group of people that will be our first line of support for our product. Part of the troubleshooting steps is to be able to find a blob in a storage account, and validate properties of the blob (e.g. file size is not 0). However, that group should not be able to see the contents of the blob, nor be able to download it. They also should not have any write or delete access. Are there specific role permissions that would perform this?

These rules would apply to any storage account in the subscription. In addition, blobs, containers and directories are not static and can be added/removed via other processes, so I'm not sure if ACLs will work, but if that's another (or only) option, we could consider that, as well.

Thanks for your help.

Tags: Azure Storage Accounts, Azure Role-based access control

2 answers

  1. akinbade abiola 18,305 Reputation points
    2024-09-06T07:15:11.5+00:00

    You can try RBAC roles. I am seeing one which probably may do it. RBAC includes several built-in roles, but I can't see one specifically designed for your exact needs; the closest, IMO, is Storage Blob Data Reader. You can create a custom role from it. Or you can take a look at the roles here:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage

    To create a custom role instead see:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola


  2. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-09-06T12:45:35.4433333+00:00

    Hello CW,

    Greetings! Welcome to Microsoft Q&A Platform.

    Adding to the above information, Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.

    When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

    Azure Storage supports Azure AD authentication, which can be used instead of the storage account name/key, SAS tokens or a SAS policy. Azure Storage Explorer can also use Azure AD to authenticate to the storage service. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad

    Please look into the article "Add or remove role assignments using Azure RBAC and the Azure portal".

    As per this article (learn.microsoft.com/en-us/rest/api/storageservices/…), Get Blob should just require read contributor permissions.

    Data operations example: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#data-operations-example

    Please refer to this GitHub thread, "Clarity on Reader role":

    https://learn.microsoft.com/en-us/answers/questions/1851421/restricting-read-access-to-azure-blob-storage-usin

    Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:

    • Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
    • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
    • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
    • Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
    • Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
    • Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
    • Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
    • Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.

    For more details, refer to "Use the Azure portal to assign an Azure role for access to blob and queue data".

    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.

    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
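
Worked example, added here and not code from the question or from either answer: an offline model of how a custom role cloned from Storage Blob Data Reader (the approach suggested in the first answer) is evaluated against the blob REST operations, together with the subscription-level assignment scoping described in the second answer. Every identifier in it is a placeholder: the subscription ID, resource group, storage account, container, blob path, group name and role name. The data-action strings and the operation-to-action mapping follow the Azure REST reference: List Blobs, Get Blob Properties and Get Blob all require the same `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` data action, so a custom role can drop write and delete, but it cannot separate "list and inspect properties" from "download content" by data action alone. The script makes that visible, shows that excluding `blobs/read` through NotDataActions removes listing as well, and includes a lint check that flags wildcards or any write/delete grant in a role that is meant to be read-only. The evaluation is deliberately simplified (DataActions minus NotDataActions with `*` wildcards, assignment scope as a prefix of the resource ID) and ignores deny assignments and ABAC conditions.

```python
"""Offline model of Azure RBAC data-plane evaluation for a custom blob role (added example)."""
import re

# Data actions for blob REST operations, as documented in the Azure REST reference.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
BLOB_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"

# REST operation -> data action it requires. All three read operations share one action,
# which is why a data-action-only custom role cannot allow listing but forbid Get Blob.
BLOB_OPERATIONS = {
    "List Blobs": BLOB_READ,
    "Get Blob Properties": BLOB_READ,
    "Get Blob": BLOB_READ,        # returns the blob content
    "Put Blob": BLOB_WRITE,
    "Delete Blob": BLOB_DELETE,
}
MUTATING_ACTIONS = (BLOB_WRITE, BLOB_DELETE)

# Hypothetical custom role cloned from Storage Blob Data Reader; the subscription ID is a placeholder.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
BLOB_LISTER_ROLE = {
    "Name": "Blob Lister (hypothetical custom role)",
    "IsCustom": True,
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    "DataActions": [BLOB_READ],
    "NotDataActions": [],
    "AssignableScopes": [SUBSCRIPTION],
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC matching: case-insensitive, '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_permits(role: dict, data_action: str) -> bool:
    """Effective data permissions of one role = DataActions minus NotDataActions."""
    allowed = any(action_matches(p, data_action) for p in role.get("DataActions", []))
    denied = any(action_matches(p, data_action) for p in role.get("NotDataActions", []))
    return allowed and not denied


def effective_operations(role: dict) -> dict:
    """Allow/deny decision for each blob REST operation under a single role."""
    return {op: role_permits(role, act) for op, act in BLOB_OPERATIONS.items()}


def lint_role(role: dict) -> list:
    """Findings for a role intended to be read-only; wildcards widen DataActions silently."""
    findings = [f"role grants {act}" for act in MUTATING_ACTIONS if role_permits(role, act)]
    if any("*" in p for p in role.get("DataActions", [])):
        findings.append("wildcard in DataActions")
    return findings


def in_scope(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its scope and to every resource beneath it."""
    scope = assignment_scope.rstrip("/").lower()
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def is_permitted(assignments: list, roles: dict, principal: str, resource_id: str, operation: str) -> bool:
    """Simplified evaluation: any in-scope assignment whose role permits the required data action.
    Deny assignments and ABAC conditions are not modelled."""
    required = BLOB_OPERATIONS[operation]
    return any(
        a["principal"] == principal
        and in_scope(a["scope"], resource_id)
        and role_permits(roles[a["role"]], required)
        for a in assignments
    )


# Constructed sample: the support group holds the role at subscription scope, so it covers every
# storage account in that subscription, but nothing in a different subscription.
ROLES = {"Blob Lister": BLOB_LISTER_ROLE}
ASSIGNMENTS = [{"principal": "grp-support-l1", "role": "Blob Lister", "scope": SUBSCRIPTION}]
PROD_BLOB = (SUBSCRIPTION + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod001"
             "/blobServices/default/containers/logs/blobs/app.log")
OTHER_SUB_BLOB = PROD_BLOB.replace("00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111")

if __name__ == "__main__":
    for op, ok in effective_operations(BLOB_LISTER_ROLE).items():
        print(f"{op:20s} {'allow' if ok else 'deny'}")
    print("lint:", lint_role(BLOB_LISTER_ROLE) or "clean")
    # Carving out downloads via NotDataActions removes listing too: same data action.
    no_download = dict(BLOB_LISTER_ROLE, NotDataActions=[BLOB_READ])
    print("with blobs/read excluded:", effective_operations(no_download))
    print("other subscription:", is_permitted(ASSIGNMENTS, ROLES, "grp-support-l1", OTHER_SUB_BLOB, "List Blobs"))
```

Run it directly to print the allow/deny matrix. The role dictionary uses the same fields a real definition file would, so after replacing the placeholder subscription ID it is the shape `az role definition create --role-definition @role.json` expects; that command is not executed here, and Azure, not this script, is the authority on what the role finally permits.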

