Reader does not have access to storage blobs and tables

    Question

  • How to properly set access for a user to Azure Storage Account, so the user has read-only access to everything in the Storage Account?

    I have assigned the user the Reader role with respect to the Storage Account. The user is able to see the Storage Account details (blade) but has no access to the contained Blobs, Queues and Tables (the tile shows something like No Access).


    • Edited by MCCZ Thursday, November 26, 2015 7:08 PM
    Thursday, November 26, 2015 11:59 AM

All replies

  • Hi,

    Have you considered using a Shared Access Signature?
    You could refer to the following link for more details:
    https://azure.microsoft.com/en-in/documentation/articles/storage-dotnet-shared-access-signature-part-1/
    Account SAS might work for you.

    Regards,
    Malar.

    Friday, November 27, 2015 8:47 AM
  • The assignment of the Reader role defines the rights a user has on a certain Azure resource (so in your case storage account).

    However, since you want your users to provide (read) access to your Azure storage account content (blobs) you have a couple of options:

    1. Change the accessibility of your storage account from "Private" to "Container" or "Public" - but please think carefully if this is really the thing you want to have (because you open up accessibility to everyone not just certain users). e.g. see http://sanganakauthority.blogspot.com/2014/06/difference-between-public-blob-public.html

    2. If you have to ensure that only certain users can access certain blobs and/or containers, then SAS tokens (specifying the various user rights) are the way to go (as Malar already mentioned). But you don't have to develop custom applications for generating the SAS tokens. You can use one of the available third-party tools to access your Azure storage account (e.g. http://storageexplorer.com/) and create new SAS tokens (for read-only access). You can then share this URI with your users (and they could use tools to access these resources, e.g. AzCopy.exe http://blogs.msdn.com/b/windowsazurestorage/archive/2012/12/03/azcopy-uploading-downloading-files-for-windows-azure-blobs.aspx )

    Best, Oliver

    Wednesday, December 9, 2015 2:14 PM
  • Hi Oliver and Nagamalar,

    thank you for your replies.

    Are the SAS tokens supported via Visual Studio Cloud Explorer?

    If not, would you consider supporting this scenario? We are routing logs (like NLog) to Azure Storage Table (we have no need for full-fledged SQL for this) and would love to be able to allow several named users (Microsoft Accounts) to read and query the table if needed.


    Is there a tool which helps me construct the SAS string? I have found no link in Azure portal nor in the MSDN documentation.
    • Edited by MCCZ Thursday, December 10, 2015 12:34 PM
    Thursday, December 10, 2015 12:12 PM
  • Well, there are a couple of tools available that can be used to create a SAS token (for containers, blobs). E.g. http://storageexplorer.com/, http://azurestorageexplorer.codeplex.com/, etc. are just some of them... When working with the first option, you just right-click on e.g. a container and select "get shared access signature". So creating a SAS token by reusing an existing tool is easy. The problem is accessing a container using a SAS URI - the tools that I mentioned currently do not support "mounting" a container using a SAS token (I'm not aware of a tool that does it). Here you can use the azcopy tool (https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/) for downloading files using a SAS token.

    Regarding Visual Studio Cloud Explorer: just checked it in VS2015. Unfortunately, this is currently not possible, but you can request this as a feature (missing feature) in VS Cloud Explorer.

    Just one thing about the SAS token: the thing about SAS is that you can't just assign it to specific users - so every user that has the specific SAS token has per se the rights to access the resource (if you need an additional user check, custom work is required).

    Thursday, December 10, 2015 2:07 PM
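
Because anyone holding a SAS URI gets the rights it carries, it is worth checking the token's fields before sharing it. The following is an added example, not part of the thread: it audits a SAS URI for read-only permissions, HTTPS-only use and a bounded lifetime. The 7-day limit is an assumed local policy, and the sample URIs (account name, table/container name, signature) are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

READ_ONLY = set("rl")  # r = read/query, l = list; other letters grant write/delete
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_sas_time(value):
    """Parse the UTC timestamp forms accepted in the se/st fields."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_sas_uri(uri, now, max_lifetime=timedelta(days=7)):
    """Return findings for a SAS URI; an empty list means nothing was flagged.
    max_lifetime is a local policy choice (assumption), not a service limit."""
    parts = urlsplit(uri)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: this is not a SAS URI"]
    findings = []
    if parts.scheme != "https" or q.get("spr", "https,http") != "https":
        findings.append("token is not restricted to HTTPS (scheme or spr)")
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("sp grants more than read/list: " + "".join(sorted(extra)))
    if "si" in q:
        findings.append("stored access policy %r may add permissions or expiry; "
                        "check it on the container or table" % q["si"])
    elif "sp" not in q:
        findings.append("no sp field and no stored access policy")
    expiry = parse_sas_time(q.get("se", ""))
    if expiry is None:
        if "si" not in q:
            findings.append("missing or unparseable se (expiry)")
    elif expiry <= now:
        findings.append("token has already expired")
    elif expiry - now > max_lifetime:
        findings.append("token lives longer than %s" % max_lifetime)
    return findings

# Constructed sample URIs: account name, table/container name and sig are placeholders.
NOW = datetime(2015, 12, 10, tzinfo=timezone.utc)
GOOD = ("https://exampleaccount.table.core.windows.net/logs?sv=2015-04-05"
        "&tn=logs&sp=r&spr=https&se=2015-12-17T00%3A00%3A00Z&sig=PLACEHOLDER")
BAD = ("https://exampleaccount.blob.core.windows.net/logs?sv=2015-04-05"
       "&sr=c&sp=rwdl&se=2016-12-31T00%3A00%3A00Z&sig=PLACEHOLDER")
```

`audit_sas_uri(GOOD, NOW)` returns an empty list; `audit_sas_uri(BAD, NOW)` flags the missing `spr=https`, the `w` and `d` permissions, and the year-long expiry.
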
  • Hi,

    Were you able to fix your issue, or were we able to answer your question? If one (or multiple) of the answers below helped to answer your question, please mark all of them as an answer to your question (even if the answer was not a positive one).

    This will enable other forum members to immediately see which of the answers helped to resolve your issue/question.

    If you still have some issues please let us know - just post your comment in this forum!

    Many thanks, Oliver

    Tuesday, December 15, 2015 7:22 AM