Permissions to list contents of a blob - why do you need "list keys" permission?

  • Question

  • I'm trying to give someone full read access to a blob, but when that person tries to list the contents of the blob (it's got files in it), they get an error saying that they need the 'Microsoft.Storage/storageAccounts/listKeys/action' on the parent storage account.

    So, I have three questions:

    1. Why does one need more than read permission on a blob to view the contents of that blob in e.g. Azure Storage Explorer or the Azure Portal?
    2. Why are the permissions needed 'Microsoft.Storage/storageAccounts/listKeys/action', which basically gives full r/w access to the resource?
    3. Why is the permission needed on the storage account, and not on the blob?


    Friday, November 30, 2018 8:17 AM

All replies

  • Hi Erik,

    What method is being used in this case to grant permissions to the blob and to access it?


    Friday, November 30, 2018 12:17 PM
  • I set permissions in the Azure Portal, on the blob itself, and, as described, the user is trying to access the resource using Azure Storage Explorer and the Azure Portal.
    Friday, November 30, 2018 12:19 PM
  • @Erik, here is the document which provides you a brief explanation of the Storage built-in roles to manage operations like Read/Write/Full access of an Azure Storage Account. You may also refer to the following guide to give permissions to the users based on your requirement using RBAC in the Azure portal. See if this helps you.

    • Proposed as answer by YASWANTH MADI Thursday, December 20, 2018 8:40 AM
    Thursday, December 20, 2018 8:40 AM
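
An added example, not part of the thread and not Microsoft's code: a check over role definitions for which ones grant the 'Microsoft.Storage/storageAccounts/listKeys/action' operation named in the error, honouring `*` wildcards and `notActions` exclusions. The role names and contents are constructed for illustration, and the JSON shape (as returned by `az role definition list`) is an assumption.

```python
import re

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

# Constructed role definitions (hypothetical names), not real built-in roles.
SAMPLE_ROLES = [
    {"roleName": "example-read-only",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "example-contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/write"]}]},
    {"roleName": "example-storage-no-keys",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                      "notActions": [LIST_KEYS]}]},
    {"roleName": "example-blob-data-reader",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                      "notActions": [],
                      "dataActions": [BLOB_READ],
                      "notDataActions": []}]},
]

def _matches(pattern, operation):
    # Role patterns use '*' as the only wildcard; compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def grants(role, operation, data_plane=False):
    """True if the role allows `operation` and does not exclude it."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, operation) for p in perm.get(allow_key, []))
        excluded = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not excluded:
            return True
    return False

def roles_exposing_keys(roles):
    """Names of roles whose management actions include listing account keys."""
    return [r["roleName"] for r in roles if grants(r, LIST_KEYS)]

if __name__ == "__main__":
    for name in roles_exposing_keys(SAMPLE_ROLES):
        print(f"{name}: grants {LIST_KEYS}")
```

Running it over the output of `az role definition list` for the roles assigned on a storage account shows which assignments hand out the account keys and which only allow reads.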