
I have an Azure Storage account and a group of users called 'Readers'. I want to give the Readers group read-only access to all blobs and containers in the storage account.

I've tried: In the Storage Account > Access Control > Add >

Role: Storage Blob Data Reader
Assign access to: Azure AD user, group, or application
Select: Readers

But users in the Readers group could not even see the storage account to try and access it.

I then removed the above access control and tried: In the Storage Account > Access Control > Add >

Role: Reader
Assign access to: Azure AD user, group, or application
Select: Readers

With this one, the user could see the storage account but not access Blobs.

I have also tried having both of these set, and the user could see the Blobs but not access them.

Does anyone know how to grant Read-Only access to the blobs and their contents?

One key requirement is that they should not be able to get to the Access Keys of the storage account.


1 Answer


Currently the Storage Blob Data Reader role is in preview. With RBAC you can only control access to the operations used to manage that storage account, but not to the data objects in the account. For example, you can grant permission to retrieve the properties of the storage account (such as redundancy), but not to a container or data within a container inside Blob Storage. I suggest you use a Shared Access Signature to grant permissions to Azure blob storage.

For more information, refer to: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#granting-access
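As an added example (not code from the question or the answer above): a standard-library-only Python sketch of the read-only, container-scoped, short-lived SAS the answer recommends, plus an audit that checks a SAS query string against the asker's requirement that readers get nothing beyond read. The token is signed with the account key on the issuing side, so the Readers group never needs the key itself. The string-to-sign layout is assumed to follow the 2018-11-09 service SAS version; the account name, container and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"  # assumed string-to-sign layout for this version
FMT = "%Y-%m-%dT%H:%M:%SZ"

def container_read_sas(account, key_b64, container, start, hours=1):
    """Return a read+list (sp=rl) service SAS query string for one container."""
    expiry = start + timedelta(hours=hours)
    fields = [
        "rl",                            # permissions: read blobs, list blobs
        start.strftime(FMT), expiry.strftime(FMT),
        f"/blob/{account}/{container}",  # canonicalized resource
        "", "",                          # signed identifier (none), signed IP (none)
        "https", SAS_VERSION,            # HTTPS only, signed version
        "c",                             # signed resource: container
        "", "", "", "", "", "",          # snapshot time, rscc, rscd, rsce, rscl, rsct
    ]
    mac = hmac.new(base64.b64decode(key_b64), "\n".join(fields).encode(),
                   hashlib.sha256).digest()
    return urlencode({"sv": SAS_VERSION, "sr": "c", "st": start.strftime(FMT),
                      "se": expiry.strftime(FMT), "sp": "rl", "spr": "https",
                      "sig": base64.b64encode(mac).decode()})

def audit_sas(query, max_hours=24):
    """List why a SAS fails the read-only / short-lived / HTTPS-only bar."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    findings = []
    extra = set(q.get("sp", "")) - set("rl")
    if extra:
        findings.append("grants beyond read/list: " + "".join(sorted(extra)))
    if "se" not in q:
        findings.append("no expiry (se)")
    elif "st" in q:
        life = datetime.strptime(q["se"], FMT) - datetime.strptime(q["st"], FMT)
        if life > timedelta(hours=max_hours):
            findings.append(f"lifetime {life} exceeds {max_hours}h")
    if q.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    return findings

def demo():
    key = base64.b64encode(b"constructed-placeholder-key-not-real").decode()
    sas = container_read_sas("examplestorage", key, "reports", datetime(2024, 1, 1, 12))
    return sas, audit_sas(sas)  # audit of a well-formed token returns []
```

The query string returned by `container_read_sas` is appended to the container or blob URL; `audit_sas` can be run over tokens found in configuration or logs to catch ones that were issued with write or delete permissions or no expiry.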