2
votes

I'm trying to give our operations team read-only access to a storage account containing log files. I'd like to be able to give them the right to enumerate containers and read blobs. Ideally that would be the extent of their access.

There are a couple of RBAC roles in preview that looked promising:

  • Storage Blob Data Reader (Preview) is described as "Allows for read access to Azure Storage blobs containers and data" which sounds exactly like what I'm after
  • Storage Blob Data Contributor (Preview) sounds like read/write to blob accounts

Neither of these roles worked for me, however. The operations group is unable to use Azure Storage Explorer or the web to examine blob contents. It looks like the roles don't provide access to the key APIs.

I'm wondering where the gap is between what I'm hoping to do and what the new preview roles offer. Can I accomplish this without defining custom roles in the tenant?

1
Just wondering if you saw this post: stackoverflow.com/questions/49812699/… - huysmania
Thanks, I did see that, which is where my assumption about key access came from (first two bullets in linked article). From the description on the new roles I would expect those permissions to be rolled in. Though I wonder if read-only is even possible if storage account key access is required to access the blobs - Josh

1 Answer

2
votes

One thing is assigning proper RBAC roles and another is a client application making use of them. As far as I noticed, most applications able to browse through Storage Accounts still use only the keys and obviously fail when the user is not assigned a role privileged enough.

You can however use new storage data access roles by means of Azure Portal. This requires you to assign both Reader and Storage Blob Data Reader roles. The first one is required for the user to see the storage account resource in the Portal at all. The latter is required to access data without keys.

Users will be able to see the data when going through the Blob service > Blobs menu position. Not the Storage Explorer, which still can use only keys.

You can assign Storage Blob Data Reader on the storage account level or on a particular container and this works just fine - users have access limited to a specific container.

You also need to wait some time for the roles to propagate properly. The documentation says something about 5 minutes but from my short observation it seems it can be a bit longer.
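The assignments the answer describes, written out as Azure CLI commands. This is an added example, not part of the original answer: it grants a group Reader at storage-account scope plus Storage Blob Data Reader at either account or single-container scope, polls for propagation, and then reads blobs with `--auth-mode login` so the CLI uses the Azure AD token rather than fetching account keys. The subscription id, resource group, account, container and group object id are placeholders you must replace; `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original answer). Read-only blob access for an
# operations group via Azure AD roles instead of storage account keys.
# Placeholders: subscription id, resource group, account, container, and the
# group's object id. DRY_RUN=1 prints the az commands rather than executing them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# ARM resource id of the storage account: the scope for Reader, and for the data
# role when access to every container in the account is acceptable.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Narrower scope: one blob container under the account's default blob service.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Assign both roles. Reader always goes to the account (so the resource is
# visible in the Portal); Storage Blob Data Reader goes to the container when one
# is given, otherwise to the whole account. Echoes the data-role scope last.
grant_blob_read_only() {
  sub="$1"; rg="$2"; acct="$3"; principal="$4"; container="${5:-}"
  acct_scope="$(account_scope "$sub" "$rg" "$acct")"
  if [ -n "$container" ]; then
    data_scope="$(container_scope "$sub" "$rg" "$acct" "$container")"
  else
    data_scope="$acct_scope"
  fi
  run az role assignment create --assignee "$principal" --role "Reader" --scope "$acct_scope"
  run az role assignment create --assignee "$principal" --role "Storage Blob Data Reader" --scope "$data_scope"
  printf '%s\n' "$data_scope"
}

# Role assignments take minutes to become effective (the answer notes it can be
# longer than the documented five). Poll until the data role is listed at its
# scope; returns 1 if it never appears within the attempt budget.
wait_for_assignment() {
  principal="$1"; scope="$2"; attempts="${3:-30}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if [ "$DRY_RUN" = "1" ]; then return 0; fi
    n="$(az role assignment list --assignee "$principal" --scope "$scope" \
          --role "Storage Blob Data Reader" --query 'length(@)' -o tsv)"
    [ "${n:-0}" -gt 0 ] && return 0
    i=$((i + 1)); sleep 20
  done
  return 1
}

# Read check as a group member. --auth-mode login makes az present the signed-in
# identity's token; without it az tries to fetch account keys, which Reader alone
# does not permit and which is exactly what key-based tools trip over.
verify_read() {
  run az storage blob list --account-name "$1" --container-name "$2" --auth-mode login -o table
}

# Usage (placeholders): restrict the group to the "logs" container only.
scope="$(grant_blob_read_only SUBSCRIPTION_ID RESOURCE_GROUP ACCOUNT GROUP_OBJECT_ID logs | tail -n 1)"
wait_for_assignment GROUP_OBJECT_ID "$scope" || echo "assignment not yet visible at $scope" >&2
verify_read ACCOUNT logs
```

Run it once with `DRY_RUN=1` to review the exact scopes before running it for real; the container scope is the string to compare against `az role assignment list` output when access does not seem to propagate.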