Azure PaaS Blog

Custom RBAC role in Azure Storage to perform upload / download operation & restrict delete operation

AnishaR
Microsoft
May 15, 2020

Scenario:

This article walks through how to meet the following requirement in Azure Storage with a custom RBAC role:

  1. Users can read and write containers and blobs.
  2. Users cannot delete blobs, containers, or the storage account.

The custom role is assigned at the resource group scope.

Pre-Requisites:

  1. A general-purpose v2 (GPv2) or ADLS Gen2 storage account.
  2. Enough permission to create custom roles, i.e. Microsoft.Authorization/roleDefinitions/write, which Owner and User Access Administrator have.

Action:

The steps below create the custom RBAC role in the Azure portal. The same role can also be created with:

  1. PowerShell: https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
  2. Azure CLI: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli
  3. REST API: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-rest

Step 1:

  1. Sign in to the Azure portal.
  2. Go to the resource group the role should be scoped to.
  3. Select Access control (IAM) -> Add -> Add custom role.

Step 2:

Give the role a suitable name and description.

Step 3:

The Baseline permissions setting decides whether the custom role starts as a clone of an existing role or from scratch.

  • Choose Clone a role.
  • Role to clone: Storage Blob Data Contributor, since it is the built-in role closest to the one being built. Any other role can be cloned instead if it fits your use case better.

Step 4:

On the Permissions tab, adjust the cloned permissions to the use case. The permissions to change are the ones in the cloned role that grant delete rights.

To add or exclude permissions:

  1. Choose Add or Exclude, then search for the resource provider operation you want to grant or remove.
  2. Since delete operations on the storage account are to be blocked, the following exclusions were used.

Excluded permissions:

  1. Not Actions: these are management-plane operations. Two management-plane delete permissions were excluded here.
  2. Not Data Actions: these are data-plane operations. The blob delete operation was excluded here.

The final form of the custom role, scoped at the resource group level, is created by clicking Create.

Step 5:

Once the role has been created, assign it to the user:

  1. Azure portal -> Resource group
  2. Access control (IAM) -> Add -> Add role assignment
  3. Choose the custom role you created and assign it to the user.

Please Note

Along with the custom role, the user was given the Reader role at the subscription level. Reader at the resource group level works as well.

Azure permissions are split into a management plane and a data plane. The custom role above mainly grants data-plane rights on blobs; it does not include Microsoft.Storage/storageAccounts/read, so without at least Reader on the management plane the user cannot see the storage account in the portal.

Hence, it is important to grant a minimum of the Reader role at the management plane.
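As an added example (not code from the original post), the script below reconstructs the custom role as JSON in the shape `az role definition create --role-definition role.json` or `New-AzRoleDefinition -InputFile role.json` accept, and evaluates it offline with Azure's rule that a role's effective permissions are its Actions minus its NotActions (likewise DataActions minus NotDataActions), matched with wildcards. The role name, description, subscription ID, and the two management-plane delete operations placed in NotActions are assumptions chosen to match the Step 6 results; the exact strings excluded in the post are only visible in its screenshots.

```python
"""Offline check of an Azure custom role's effective permissions.

Added example, not code from the original post. The custom role is a
hypothetical reconstruction: Storage Blob Data Contributor cloned, with the
delete operations moved into NotActions / NotDataActions.
"""
import json
import re

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
CONTAINER = "Microsoft.Storage/storageAccounts/blobServices/containers"

# Built-in Storage Blob Data Contributor as of 2020 (the role cloned in Step 3).
STORAGE_BLOB_DATA_CONTRIBUTOR = {
    "Name": "Storage Blob Data Contributor",
    "Actions": [f"{CONTAINER}/delete", f"{CONTAINER}/read", f"{CONTAINER}/write",
                "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
    "NotActions": [],
    "DataActions": [f"{BLOB}/delete", f"{BLOB}/read", f"{BLOB}/write",
                    f"{BLOB}/move/action", f"{BLOB}/add/action"],
    "NotDataActions": [],
}

# Hypothetical custom role: name, description and subscription ID are assumed placeholders.
CUSTOM_ROLE = {
    "Name": "Storage Blob Upload Download No Delete",
    "IsCustom": True,
    "Description": "Read and write containers and blobs; no delete operations.",
    "Actions": STORAGE_BLOB_DATA_CONTRIBUTOR["Actions"],
    # Management plane: container delete and storage account delete
    # (assumed to be the post's two NotActions).
    "NotActions": [f"{CONTAINER}/delete", "Microsoft.Storage/storageAccounts/delete"],
    "DataActions": STORAGE_BLOB_DATA_CONTRIBUTOR["DataActions"],
    # Data plane: blob delete.
    "NotDataActions": [f"{BLOB}/delete"],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/CustomRBAC"
    ],
}

# Built-in Reader: every */read management-plane operation, nothing on the data plane.
READER = {"Name": "Reader", "Actions": ["*/read"], "NotActions": [],
          "DataActions": [], "NotDataActions": []}


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/', case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_plane: bool) -> bool:
    """Effective permission of one role: (Data)Actions minus Not(Data)Actions."""
    allow_key, exclude_key = (("DataActions", "NotDataActions") if data_plane
                              else ("Actions", "NotActions"))
    granted = any(matches(p, operation) for p in role.get(allow_key, []))
    excluded = any(matches(p, operation) for p in role.get(exclude_key, []))
    return granted and not excluded


def permits(roles: list, operation: str, data_plane: bool) -> bool:
    """Union over all role assignments the principal holds. NotActions only subtract
    from their own role, so any other assignment that grants the operation wins.
    (Azure deny assignments are a separate mechanism and are not modelled here.)"""
    return any(role_permits(r, operation, data_plane) for r in roles)


def step6_results(roles: list) -> dict:
    """The five checks the post performs in Step 6, plus portal visibility of the account."""
    return {
        "upload_blob": permits(roles, f"{BLOB}/write", data_plane=True),
        "download_blob": permits(roles, f"{BLOB}/read", data_plane=True),
        "delete_blob": permits(roles, f"{BLOB}/delete", data_plane=True),
        "delete_container": permits(roles, f"{CONTAINER}/delete", data_plane=False),
        "delete_storage_account": permits(
            roles, "Microsoft.Storage/storageAccounts/delete", data_plane=False),
        "see_storage_account": permits(
            roles, "Microsoft.Storage/storageAccounts/read", data_plane=False),
    }


def role_definition_json() -> str:
    """JSON in the shape accepted by `az role definition create --role-definition`."""
    return json.dumps(CUSTOM_ROLE, indent=2)


if __name__ == "__main__":
    print(role_definition_json())
    print("custom role + Reader:", step6_results([READER, CUSTOM_ROLE]))
    print("custom role alone:", step6_results([CUSTOM_ROLE]))
    # NotActions is a subtraction inside this role, not a deny:
    # a second assignment that grants delete re-enables it.
    print("custom role + Reader + Storage Blob Data Contributor:",
          step6_results([READER, CUSTOM_ROLE, STORAGE_BLOB_DATA_CONTRIBUTOR]))
```

Running it prints the role JSON and the Step 6 outcomes for three assignment sets. Two things it makes visible that the portal does not: dropping Reader turns Microsoft.Storage/storageAccounts/read false, which is why the user cannot browse to the account without it; and NotActions only subtract from this one role, so a second assignment such as Storage Blob Data Contributor, Contributor or Owner at any enclosing scope re-grants delete. Shared-key access bypasses RBAC on the data plane entirely, so keep Microsoft.Storage/storageAccounts/listKeys/action out of the user's roles as well (Reader does not include it).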

 

Step 6:

The storage account <teststorage2355> was deployed in the resource group <CustomRBAC> where the custom role was assigned to the user. The user then ran the following operations to confirm the role behaves as intended:

  1. Upload blobs to blob storage: succeeds.
  2. Download blobs from blob storage: succeeds.
  3. Delete blobs from blob storage: refused.
  4. Delete the container: refused. Deleting a container also deletes the blobs in it, which is why the container delete must be excluded as well.
  5. Delete the storage account: refused. Deleting the storage account would also delete the blobs.

Hope this helps!

Updated May 20, 2020
Version 2.0
  • Thanks for the post. One thing you did not test is the ability to delete files in the blob. This will also generate an error. This is the issue here and why I am doing a Google search for a solution.