Forum Discussion
Storage Account, grant SAS tokens but not Entra ID
Hi there,
I was playing with Entra and a storage account, and I do have permissions in my subscription to generate SAS tokens for sharing access. But when I'm trying to grant Entra ID access, that seems to be blocked:
Just wondering how I could set the access tokens but not grant access. What could be the missing role I don't have?
2 Replies
Hello Petri-X, assuming you're referring to the following approach (screenshots below), you (the identity that you are logged in as) need Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator or User Access Administrator.
So, you may have storage roles that allow you to generate SAS but not authorization roles.
Container level
Storage account level
Try to fix it with the steps below:
- Check Role Assignments: Ensure that the user or service principal has been assigned the necessary roles. Common roles for accessing storage accounts include:
  - Storage Blob Data Contributor: Allows read, write, and delete access to blob containers and data.
  - Storage Blob Data Reader: Allows read access to blob containers and data.
- Assign Roles:
  - Go to your storage account in the Azure portal.
  - Navigate to Access control (IAM).
  - Click on Add role assignment.
  - Select the appropriate role (e.g., Storage Blob Data Contributor).
  - Assign the role to the user, group, or service principal.
- Verify Permissions: Make sure that the permissions are correctly assigned and that there are no conflicting policies or restrictions.
- Use Managed Identities: For better security and ease of use, consider using managed identities to access your storage account. Managed identities can be used to authenticate and authorize access without needing to manage credentials.
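To make the first reply's point concrete (storage roles cover the SAS operations but not role-assignment writes) and to back the "Verify Permissions" step above, here is an added example, not from the thread or from Microsoft, that evaluates Azure RBAC control-plane actions the way the platform does: an operation is allowed if some Actions pattern matches and no NotActions pattern matches, with `*` spanning `/` segments. The role definitions are constructed, abbreviated excerpts of the built-in roles (assumption: only the actions relevant here are listed).

```python
from fnmatch import fnmatchcase

# Constructed, abbreviated excerpts of built-in Azure role definitions.
# Assumption: only the control-plane Actions relevant to this thread are listed;
# the real definitions contain more entries.
ROLE_DEFINITIONS = {
    "Storage Blob Data Contributor": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "NotActions": []},
    "Storage Account Contributor": {
        "Actions": ["Microsoft.Storage/storageAccounts/*", "Microsoft.Authorization/*/read"],
        "NotActions": []},
    "Role Based Access Control Administrator": {
        "Actions": ["Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete", "*/read"],
        "NotActions": []},
}

# The operations behind the two things the question contrasts.
SAS_OPERATIONS = {
    "user delegation SAS": "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    "account-key SAS": "Microsoft.Storage/storageAccounts/listKeys/action",
}
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def role_permits(role_name: str, operation: str) -> bool:
    """Azure RBAC rule for one role: allowed if any Actions pattern matches
    and no NotActions pattern matches. '*' spans '/' segments, as in Azure."""
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(fnmatchcase(operation, p) for p in role["Actions"])
    denied = any(fnmatchcase(operation, p) for p in role["NotActions"])
    return allowed and not denied


def identity_permits(assigned_roles, operation: str) -> bool:
    """Effective permission is the union over every role assigned at or above the scope."""
    return any(role_permits(r, operation) for r in assigned_roles)


def explain(assigned_roles) -> dict:
    """Report which SAS operations and role-assignment writes a set of roles allows."""
    report = {name: identity_permits(assigned_roles, op) for name, op in SAS_OPERATIONS.items()}
    report["assign roles (Entra ID access)"] = identity_permits(assigned_roles, ROLE_ASSIGNMENT_WRITE)
    return report


if __name__ == "__main__":
    for roles in (["Storage Account Contributor"],
                  ["Storage Account Contributor", "Role Based Access Control Administrator"]):
        print(roles, explain(roles))
```

Running it shows the questioner's situation (storage role only: both SAS operations allowed, role assignment denied) and the fix (adding an authorization role flips the last entry to allowed).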