Azure Blob Storage roles and permissions can be a bit overwhelming, but understanding the basics is crucial for managing your storage securely.
The built-in roles fall into two groups. Management-plane roles such as Storage Account Contributor (and the generic Contributor) control the storage account resource itself: its configuration, networking, and access keys. Data-plane roles such as Storage Blob Data Reader, Storage Blob Data Contributor, and Storage Blob Data Owner control what an Entra-authenticated identity can do with containers and blobs. Which group a role belongs to determines whether it authorizes actions on the account or on the data inside it.
As a Storage Account Contributor, you can manage the storage account's settings and list its access keys, but you cannot grant other users access: creating a role assignment requires Microsoft.Authorization/roleAssignments/write, which comes with roles such as Owner or User Access Administrator, not with Storage Account Contributor.
Azure Role-Based Access Control
Azure Role-Based Access Control is a service that helps manage user access to Azure resources, determining what they can do with those resources and what areas they can access. It's an authorization system based on Azure Resource Manager, providing fine-grained access management of Azure resources.
This means you can control who can do what with Azure resources, such as writing files to Azure Blob Storage. Azure Role-Based Access Control is a powerful tool for ensuring the right people have the right level of access to your resources.
An Azure RBAC Role Assignment grants a given identity permission to perform specific types of actions against a specific scope of Azure resource(s). This is not to be confused with a Microsoft Entra ID role assignment (directory roles such as Global Administrator or Application Administrator), which governs the directory rather than Azure resources.
To understand an Azure RBAC Role Assignment, let's break it down into its three components. An Azure RBAC Role Assignment is a named Azure resource that describes a junction of three other Azure or Entra resource IDs:
- Azure RBAC role (built-in or custom) that authorizes actions, such as writing files to Azure Blob Storage.
- Target Azure resource ID (or resource group ID or subscription ID) scope upon which the role's actions are allowed.
- Entra identity (a user, group, service principal, or managed identity) serving as the principal capable of performing such actions upon the target-scoped resource(s).
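The three-way junction above is easiest to see as an authorization check. The following is an added example, not Azure's code or anything from the page's sources: it models a role assignment as (principal, role, scope), resolves scope by resource-ID prefix, matches operations against the role's Actions or DataActions with Azure's "*" wildcard, and subtracts NotActions. Deny assignments and ABAC conditions are left out of the model. The role definitions are abbreviated excerpts of the real built-in roles; the subscription, resource group, account, container, and principal IDs are constructed for the example.

```python
"""Offline model of an Azure RBAC authorization decision (added example, not Azure code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple = ()           # control plane (Azure Resource Manager operations)
    not_actions: tuple = ()
    data_actions: tuple = ()      # data plane (blob reads/writes with an Entra token)
    not_data_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str   # Entra object ID of a user, group, service principal or managed identity
    role: RoleDefinition
    scope: str          # subscription, resource group or resource ID


# Abbreviated excerpts of the built-in definitions (full lists: built-in roles reference in Sources)
STORAGE_ACCOUNT_CONTRIBUTOR = RoleDefinition(
    "Storage Account Contributor",
    actions=("Microsoft.Storage/storageAccounts/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read"),
)
STORAGE_BLOB_DATA_CONTRIBUTOR = RoleDefinition(
    "Storage Blob Data Contributor",
    actions=("Microsoft.Storage/storageAccounts/blobServices/containers/read",
             "Microsoft.Storage/storageAccounts/blobServices/containers/write",
             "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
             "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"),
    data_actions=("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
                  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
                  "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"),
)


def matches_any(patterns, operation):
    # Operation strings are case-insensitive and '*' spans '/' separators, as in Azure
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def scope_covers(assignment_scope, request_scope):
    # An assignment applies to its own scope and everything nested beneath it
    a, r = assignment_scope.lower().rstrip("/"), request_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, principal_id, operation, scope, data_plane=False):
    for asg in assignments:
        if asg.principal_id != principal_id or not scope_covers(asg.scope, scope):
            continue
        allow = asg.role.data_actions if data_plane else asg.role.actions
        deny = asg.role.not_data_actions if data_plane else asg.role.not_actions
        if matches_any(allow, operation) and not matches_any(deny, operation):
            return True   # any single assignment that grants the operation is enough
    return False


# Constructed IDs for the example
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
CONTAINER = ACCOUNT + "/blobServices/default/containers/logs"
ADMIN, DEPLOYER = "objectid-admin", "objectid-deployer"

ASSIGNMENTS = (
    RoleAssignment(ADMIN, STORAGE_ACCOUNT_CONTRIBUTOR, ACCOUNT),
    RoleAssignment(DEPLOYER, STORAGE_BLOB_DATA_CONTRIBUTOR, CONTAINER),
)


def demo():
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    list_keys = "Microsoft.Storage/storageAccounts/listKeys/action"
    return {
        # management-plane role: may list the account keys (and so reach data via Shared Key) ...
        "admin_list_keys": is_authorized(ASSIGNMENTS, ADMIN, list_keys, ACCOUNT),
        # ... but is not authorized for the Entra-authenticated data-plane read itself
        "admin_blob_read": is_authorized(ASSIGNMENTS, ADMIN, blob_read, CONTAINER, data_plane=True),
        # data-plane role assigned at one container: reads there, nowhere else, and no key listing
        "deployer_blob_read": is_authorized(
            ASSIGNMENTS, DEPLOYER, blob_read, CONTAINER + "/blobs/app.log", data_plane=True),
        "deployer_other_container": is_authorized(
            ASSIGNMENTS, DEPLOYER, blob_read,
            ACCOUNT + "/blobServices/default/containers/secrets/blobs/x", data_plane=True),
        "deployer_list_keys": is_authorized(ASSIGNMENTS, DEPLOYER, list_keys, ACCOUNT),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'ALLOW' if allowed else 'DENY'}")
```

The two results worth noticing are admin_list_keys and admin_blob_read: the management-plane role denies the blob read as an RBAC data action, yet allows listKeys, which is why a role with no DataActions can still be a data-access role in practice.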
Azure Blob Storage Roles
Azure Blob Storage Roles allow you to manage access to your Azure Storage containers and blobs.
There are specific roles designed for this purpose, such as the Storage Blob Data Contributor role. This role grants the ability to read, write, and delete Azure Storage containers and blobs.
The full list of Actions and DataActions granted by Storage Blob Data Contributor is in the built-in roles reference listed under Sources. In short, its Actions cover container-level management (read, write and delete containers, and generate a user delegation key) and its DataActions cover blob-level read, write, delete, add and move. It does not include listing the account keys.
Account Contributor
Account Contributor roles are designed to give users the ability to manage storage accounts rather than to work with the data inside them through Entra authentication.
The Storage Account Contributor role permits management of storage accounts and, importantly, includes Microsoft.Storage/storageAccounts/listKeys/action, so a holder can read the account keys and use them to access any data in the account via Shared Key authorization.
With this role, users can create, manage, and delete storage accounts. The role has no DataActions, so it does not by itself authorize Entra-authenticated blob reads or writes; that distinction matters for RBAC auditing, but not for the effective level of access.
The complete list of actions for the Storage Account Contributor role is in the built-in roles reference listed under Sources.
Keep in mind that although this role grants no data-plane permissions, the access to the account keys makes it effectively equivalent to full data access unless Shared Key authorization is disabled on the account (the allowSharedKeyAccess property set to false), in which case the keys can no longer be used for data requests.
Contributor
Contributor is not a storage-specific role. It is the general-purpose built-in role that grants full management of every resource type in its scope, except assigning roles, creating Azure Blueprints assignments, and sharing image galleries. It has no DataActions, so it does not authorize Entra-authenticated reads or writes of containers and blobs, but because its wildcard Actions include Microsoft.Storage/storageAccounts/listKeys/action, a Contributor can retrieve the account keys and reach every blob through Shared Key authorization.
In Azure, a Contributor role is often combined with other roles to fulfill specific permissions requirements. For example, a workload's design may require a "Website Contributor" role to deploy code onto a nonproduction Azure App Service resource.
The Contributor definition is essentially Actions of "*" minus a short list of NotActions (Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action, Microsoft.Blueprint/blueprintAssignments/write, Microsoft.Blueprint/blueprintAssignments/delete, and Microsoft.Compute/galleries/share/action); the exact definition is in the built-in roles reference listed under Sources.
This means that users with a Contributor role can perform almost any management action on your storage resources, from deleting the account or its containers to changing network rules and regenerating keys, so the role should be assigned at the narrowest scope the workload actually needs.
Generating SAS
Generating SAS is a crucial step in granting access to Azure Blob Storage resources. You can control what resources they have access to, what permissions they have on those resources, and how long they have access to the resources.
Azure Storage supports three kinds of shared access signatures: user delegation SAS, service SAS, and account SAS. A user delegation SAS is signed with a user delegation key obtained with Microsoft Entra ID credentials rather than with an account key, applies to Blob storage only, and is the recommended kind because it does not expose the account keys and is revoked when the delegation key is revoked. Service and account SAS are signed with one of the storage account's access keys.
To create a shared access signature, you'll need to navigate to the storage account resource in the Azure portal. From there, go to Security + networking, then choose Shared access signature.
You can choose the storage account services and options the shared access signature should have, such as Read and List permissions to Blobs in a container. Always use the principle of least privilege when assigning permissions to a SAS.
You'll also need to choose a start and end time for how long the SAS should be valid. This is important to ensure that access is only granted for a specific period.
If needed, you can limit what IP addresses can send requests to the storage account using the SAS. As a best practice, only allow the HTTPS protocol when using the SAS URI.
Finally, choose which access key should sign the shared access signature. A key-signed SAS cannot be revoked on its own: the service simply recomputes the signature with its current keys, so the only way to invalidate it before expiry is to regenerate the key that signed it, which also invalidates every other SAS signed with that key and breaks any application still using it. If you need revocable tokens, sign them under a stored access policy or use a user delegation SAS.
Here are the three options for using the SAS: a connection string for applications, a SAS token, and a Blob service SAS URL.
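To make the signing and revocation behaviour concrete, here is an added example that is not from the page's sources or from the Azure SDK. It re-implements the documented service SAS scheme for a container: the signature is HMAC-SHA256 over the version 2020-12-06 string-to-sign, keyed with the base64-decoded account key. The verify_sas() function is a model of the service-side check (recompute with each current key, then enforce the window, protocol and IP fields), not Azure code; the account name, keys and timestamps are constructed.

```python
"""Build and verify a Blob service SAS offline (added example, not Azure SDK code)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"   # the string-to-sign layout below is the one documented for this version


def fmt_utc(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def string_to_sign(account, container, blob, q):
    # Canonicalized resource: /blob/<account>/<container>[/<blob>]
    resource = f"/blob/{account}/{container}" + (f"/{blob}" if blob else "")
    return "\n".join([
        q["sp"], q["st"], q["se"], resource,
        "",                  # signedIdentifier: no stored access policy in this example
        q.get("sip", ""), q["spr"], q["sv"], q["sr"],
        "",                  # signedSnapshotTime
        "",                  # signedEncryptionScope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct response-header overrides
    ])


def signature(key_b64, sts):
    mac = hmac.new(base64.b64decode(key_b64), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def issue_sas(account, key_b64, container, blob, permissions, start, expiry, allowed_ip=None):
    q = {"sv": SAS_VERSION, "sr": "b" if blob else "c", "sp": permissions,
         "st": fmt_utc(start), "se": fmt_utc(expiry), "spr": "https"}
    if allowed_ip:
        q["sip"] = allowed_ip
    q["sig"] = signature(key_b64, string_to_sign(account, container, blob, q))
    return urlencode(q)


def verify_sas(token, account, container, blob, current_keys, now, scheme="https", client_ip=None):
    """Model of the service-side check: the token carries no secret, only claims plus a MAC."""
    q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    sts = string_to_sign(account, container, blob, q)
    if not any(hmac.compare_digest(signature(k, sts), q.get("sig", "")) for k in current_keys):
        return False, "signature matches no current account key (key regenerated or token tampered)"
    if not (parse_utc(q["st"]) <= now < parse_utc(q["se"])):
        return False, "outside validity window"
    if q["spr"] == "https" and scheme != "https":
        return False, "https-only SAS presented over http"
    if "sip" in q and client_ip != q["sip"]:
        return False, "client IP not in signed range"
    return True, "ok"


def demo():
    account, container = "stdemo", "logs"
    key1 = base64.b64encode(bytes(range(64))).decode()        # constructed, not a real key
    key2 = base64.b64encode(bytes(range(64, 128))).decode()
    issued = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    token = issue_sas(account, key1, container, None, "rl", issued, issued + timedelta(hours=1))
    soon, later = issued + timedelta(minutes=5), issued + timedelta(hours=2)
    keys = [key1, key2]
    rotated_key1 = base64.b64encode(bytes(range(128, 192))).decode()
    return {
        "valid": verify_sas(token, account, container, None, keys, soon)[0],
        "expired": verify_sas(token, account, container, None, keys, later)[0],
        "over_http": verify_sas(token, account, container, None, keys, soon, scheme="http")[0],
        # regenerating key1 invalidates every SAS it signed, even though key2 is unchanged
        "after_key1_regenerated": verify_sas(token, account, container, None, [rotated_key1, key2], soon)[0],
        # widening the permissions in the URL breaks the MAC
        "tampered_permissions": verify_sas(token.replace("sp=rl", "sp=rwdl"), account, container, None, keys, soon)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Two design points follow from the code. The token is pure claims plus a MAC, so nothing stored server-side ties it to a user, which is why a leaked SAS is usable by anyone until expiry; and verification tries every current key, which is why regenerating one key invalidates only the tokens that key signed while a second key keeps unrelated applications working during rotation.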
Defender for Storage Data Scanner
The Defender for Storage Data Scanner role grants access to read blobs and update blob index tags. It exists for the malware and sensitive-data scanner of Microsoft Defender for Storage, and is not intended to be assigned to people.
The role can list containers, list the blobs in a container, read blob content, and write index tags; it cannot create, overwrite or delete blobs.
The specific actions it contains are in the built-in roles reference listed under Sources.
Role Assignment and Management
An Azure RBAC Role Assignment grants a given identity permission to perform specific types of actions against a specific scope of Azure resources.
To create an Azure RBAC Role Assignment, you need to specify three components: an Azure RBAC role, a target Azure resource ID or scope, and an Entra identity serving as the principal capable of performing actions.
An Azure RBAC role authorizes actions such as writing files to Azure Blob Storage, and can be either built-in or custom.
The target Azure resource ID or scope is where the role's actions are allowed, and it can be a resource group ID, subscription ID, or another Azure resource ID.
An Entra identity serves as the principal capable of performing actions on the target-scoped resource(s). This can be a user, a group, a managed identity, or the service principal (enterprise application) behind an app registration; note that the assignment references the service principal's object ID, not the app registration's object ID or client ID.
To fulfill a task, more than one Azure RBAC Role Assignment may need to be created, adhering to the security principle of least privilege.
For example, a workload may require the creation of multiple Azure RBAC Role Assignments, such as a "Website Contributor" role assignment for a code deployment automation and a "Storage Blob Data Contributor" role assignment for humans in a certain department.
For the example above that means two separate assignments: the "Website Contributor" role scoped to the App Service resource, with the deployment automation's service principal or managed identity as the principal, and the "Storage Blob Data Contributor" role scoped to the storage account or a single container, with the department's Entra group as the principal.
By understanding the components and requirements of Azure RBAC Role Assignments, you can effectively manage access and permissions for your Azure resources.
Sources
- https://www.varonis.com/blog/azure-blob-storage
- https://docs.snowflake.com/en/user-guide/data-load-azure-config
- https://tutorialsdojo.com/azure-role-based-access-control-rbac/
- https://katiekodes.com/azure-rbac-role-assignment/
- https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage