Forum Discussion
AB_MN (Copper Contributor)
Feb 28, 2023
Azure Storage RBAC
Is there a built-in Azure role(s) that will accomplish the following:
- Create any Azure resource
- Apply permissions to any Azure resource
- Not have read access to resources unless explicitly granted
Specifically, I am referring to a file share in a storage account. I would like to have a security "role" be able to do all of the above, but don't want them to be able to access the data in a file share unless they are explicitly granted permissions. There is a file share that would contain confidential documents that the security "role" should not be able to access, and yes, I know that the "role" could easily just give themselves access to that share if they really wanted to.
Thanks for the help.
- Tushar Kumar (Brass Contributor)
The Azure role that meets these requirements is the "Contributor" role. The Contributor role has the permissions to create any Azure resource and apply permissions to any Azure resource. However, by default, the Contributor role also has read access to resources.
To meet the third requirement of not having read access to resources unless explicitly granted, you can customize the Contributor role by removing the "Reader" permission from it. This can be achieved by creating a custom role based on the Contributor role and removing the "Reader" permission. The custom role can then be assigned to users or groups who need to create and manage Azure resources without having read access to them.
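An added example, not part of the thread: a small evaluator for Azure role definitions (effective permissions are Actions minus NotActions, and DataActions minus NotDataActions) that checks a candidate role against the three requirements in the question. The built-in definitions are abridged to the entries that matter here, and the custom role `CUSTOM` is hypothetical, constructed for illustration.

```python
import re

def _matches(pattern: str, action: str) -> bool:
    # Action strings are compared case-insensitively; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def allows(role: dict, action: str, data_plane: bool = False) -> bool:
    """Effective permission = granted list minus excluded list, per plane."""
    grant, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    granted = any(_matches(p, action) for p in role.get(grant, []))
    excluded = any(_matches(p, action) for p in role.get(deny, []))
    return granted and not excluded

# Built-in role definitions, abridged (the real NotActions lists are longer).
CONTRIBUTOR = {"Actions": ["*"], "DataActions": [], "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"]}
OWNER = {"Actions": ["*"], "NotActions": [], "DataActions": []}

# Hypothetical custom role: full management plane, minus the operations that
# hand out storage account keys or SAS tokens (which bypass data-plane RBAC).
CUSTOM = {"Actions": ["*"], "DataActions": [], "NotActions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/listServiceSas/action"]}

CREATE = "Microsoft.Storage/storageAccounts/write"
ASSIGN = "Microsoft.Authorization/roleAssignments/write"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
FILE_READ = "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"

def audit(role: dict) -> dict:
    """Check a role against the question's requirements."""
    return {
        "create_resources": allows(role, CREATE),
        "assign_roles": allows(role, ASSIGN),
        "file_data_via_rbac": allows(role, FILE_READ, data_plane=True),
        "file_data_via_account_key": allows(role, LIST_KEYS),
    }

if __name__ == "__main__":
    for name, role in [("Contributor", CONTRIBUTOR), ("Owner", OWNER), ("Custom", CUSTOM)]:
        print(f"{name:12} {audit(role)}")
```

The hypothetical custom role still holds `Microsoft.Authorization/roleAssignments/write`, so, as the question itself notes, it could grant itself a file data role; role assignment writes are recorded in the Azure Activity Log, which is where such a change would be visible.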