Forum Discussion

DK's avatar
DK
Copper Contributor
Apr 24, 2023

Storage Account Contributor role versus Storage Blob Data Contributor

Storage Account Contributor can also create containers and upload data?  Storage Account Contributor role can do the same roles as Storage Blob Data Contributor but also handle other storage account ...
PhilipVandeVyver's avatar
PhilipVandeVyver
MCT
Apr 26, 2023

DK 

The difference between the roles is in the "dataAction" of the Storage Data Contributor.

 

The Storage Account Contributor has no dataActions permissions for the storage account, however, it can do everything that's not data. Including SAS tokens.

 

The Storage Data Contributor can Generate SAS tokens for blob using the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.

 

Scoping the Contributor role to the storage account would of course give you the same permissions, but not best practice according to the least-priviledge approach for RBAC.  

 

Azure Build-in roles permissions: 

Storage Data Contributor

  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ]

 

Storage Account Contributor

"permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]

 

Contributor

"permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ]

 

ShridharSrinivasan's avatar
ShridharSrinivasan
Copper Contributor
Aug 08, 2023

I was confirmed on the below thread that "Storage Account Contributor" can read/write/delete containers and blobs:

https://learn.microsoft.com/en-us/answers/questions/1342904/can-storage-account-contributor-role-read-write-an