Using RBAC on Azure Storage

Question
-
Hi,
I'm trying to add some authority on my Storage Account.
I have 2 containers on my storage account:
- container1
- container2
I want my user to have the privilege to read and write for container1 and its objects.
I tried what is written here:
But even if I add the RBAC on my container, it wouldn't let my user have the access privilege as I wanted. This is the combination which I tried:
| Storage Account IAM Role | Container1 IAM Role | Container2 IAM Role | Result |
| - | - | - | - |
| - | Contributor | - | Error, said my user doesn't have any authorization to access container1 |
| Contributor | - | - | My user can access container1 but also can access container2 and its resources |
| Reader | Contributor | - | Error, said my user doesn't have any authorization to access container1 |
| Contributor | Contributor | Reader | My user can access container1 but also can access container2 and its resources, including uploading new blobs |

Can someone tell me where my settings are wrong?
Thursday, March 19, 2020 12:20 PM
Answers
-
@Vandasdelca Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. Let me explain how these roles work and the definition of the RBAC.
Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.
You can grant the right to create a user delegation key separately from the right to the data.
https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key is performed at the account level, so you must give this permission with something like the Storage Blob Delegator built-in role at the scope of the storage account.
You can then grant just the data permissions the user should have, using one of these 3 built-in roles at the scope of the blob container:
The User Delegation Token can then be generated to grant a subset of the user's permissions for a limited time, and can be granted for an entire blob container OR for individual blobs.
Based on the error message you can refer to Troubleshoot Azure RBAC.
Please look into the article Add or remove role assignments using Azure RBAC and the Azure portal.
If the issue still persists, please share a screenshot of the permission access and the error message.
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
Do click on "Mark as Answer" on the post that helps you; this can be beneficial to other community members.
- Proposed as answer by SumanthMarigowda-MSFT (Microsoft employee) Monday, March 23, 2020 7:50 AM
- Edited by SumanthMarigowda-MSFT (Microsoft employee) Monday, March 23, 2020 7:54 AM
- Marked as answer by Vandasdelca Wednesday, March 25, 2020 5:49 AM
Monday, March 23, 2020 7:50 AM
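The scope-inheritance rule the answer describes (management roles give no data-plane access; a data role at container scope covers only that container; Get User Delegation Key is an account-level operation) can be modelled directly. The following is an added example, not code from the original thread or from Azure; the built-in role and data-action names are the real ones, while the subscription, resource group, account and principal assignments are constructed.

```python
"""Model of Azure RBAC scope inheritance for blob data access (added example,
not from the original post). Subscription/account names are constructed."""

# Scope hierarchy: a role assigned at a parent scope applies to every child scope.
ACCOUNT = "/subscriptions/sub-x/resourceGroups/rg-x/providers/Microsoft.Storage/storageAccounts/stx"
CONTAINER1 = ACCOUNT + "/blobServices/default/containers/container1"
CONTAINER2 = ACCOUNT + "/blobServices/default/containers/container2"

# Blob data-plane actions each built-in role grants (abbreviated names).
# Management-plane roles grant none, exactly as the answer explains.
ROLE_DATA_ACTIONS = {
    "Owner": set(), "Contributor": set(), "Reader": set(),
    "Storage Account Contributor": set(),
    "Storage Blob Delegator": {"generateUserDelegationKey"},
    "Storage Blob Data Reader": {"blobs/read"},
    "Storage Blob Data Contributor": {"blobs/read", "blobs/write", "blobs/delete"},
}

def effective_actions(assignments, target_scope):
    """Union of data actions from every assignment whose scope contains target_scope."""
    actions = set()
    for role, scope in assignments:
        if target_scope == scope or target_scope.startswith(scope + "/"):
            actions |= ROLE_DATA_ACTIONS[role]
    return actions

def can_read(assignments, container):
    return "blobs/read" in effective_actions(assignments, container)

def can_write(assignments, container):
    return "blobs/write" in effective_actions(assignments, container)

def can_get_delegation_key(assignments):
    # Get User Delegation Key is an account-level operation, so only assignments
    # at (or above) account scope count; a container-scope Delegator is not enough.
    return "generateUserDelegationKey" in effective_actions(assignments, ACCOUNT)

# Row 1 of the question: Contributor on container1 only -> no data access at all.
ROW1 = [("Contributor", CONTAINER1)]
# Row 3: Reader on the account plus Contributor on container1 -> still no data access.
ROW3 = [("Reader", ACCOUNT), ("Contributor", CONTAINER1)]
# The setup the answer recommends: Delegator at account scope, data role on container1 only.
RECOMMENDED = [("Storage Blob Delegator", ACCOUNT), ("Storage Blob Data Contributor", CONTAINER1)]

if __name__ == "__main__":
    for name, a in (("row1", ROW1), ("row3", ROW3), ("recommended", RECOMMENDED)):
        print(name, "container1 r/w:", can_read(a, CONTAINER1), can_write(a, CONTAINER1),
              "container2 read:", can_read(a, CONTAINER2), "udk:", can_get_delegation_key(a))
```

The recommended assignment yields read/write on container1, nothing on container2, and the ability to request a user delegation key, which is the least-privilege outcome the question was after.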
All replies
-
Hi,
Thank you for your answer. Now I understand RBAC a little better. I will try to use the delegation key just as you recommended.
bests,
Wednesday, March 25, 2020 5:49 AM