How to restrict the user from upload/download or delete blob in storage account
Published Dec 23 2019 07:42 AM 15.2K Views
Microsoft

Scenario

Let’s say you have a requirement wherein you don’t want a user (even the owner of the storage account) to upload, download or delete blobs in an existing container in the storage account.

We will cover how to accomplish this requirement in this blog.

Assessment:

There are a few built-in roles in Azure Storage which we can use to restrict a user from performing certain operations on an Azure Storage account. However, to accomplish the above requirement we need to customize the role permissions.

I have come across another scenario where the user/group shouldn’t be able to delete or update blobs once they are uploaded. For such a scenario you can make use of the immutable policy with time-based retention at the container level.

However, in our scenario this immutable policy doesn’t help, as it still allows the user to upload or download blobs, and the user can also create a new container. To meet such a requirement we cannot use the built-in roles; we need to create a custom role with customized permissions.

Steps to be followed:

You can use Azure PowerShell or the Az CLI to create a custom RBAC role.

Pre-requisites:

  • Azure Storage account: You can use GPv2 Storage Account/Premium Block Blob Storage Account
  • Owner / Admin privileges on the subscription level to add the custom RBAC role

We will create a custom role named “Restrict user from upload or delete operation on Storage” which will restrict the user from performing upload or delete operations on blobs.


Step 1:

We will create a JSON template containing the role definition of the custom role.

The following role definition creates a custom role that allows read access to storage but restricts the user from the upload and delete blob operations.

Create a new file C:\CustomRoles\customrole1.json with the following content. The ID should be set to null on initial role creation, as a new ID is generated automatically.

{
  "Name": "Restrict user from upload or delete operation on Storage",
  "ID": null,
  "IsCustom": true,
  "Description": "This role will restrict the user from upload or delete operation on the storage account. However, customer will be able to see the storage account, container, blob.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
  ],
  "AssignableScopes": [
    "/subscriptions/d56662c7-xxxx"
  ]
}


Step 2:

Using the above role definition, we need to create the custom role in Azure RBAC. You can run the following PowerShell command to create it:

New-AzRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"


Step 3:

To prevent the Read (download) operation from being performed, navigate to your storage account and set the access tier of the blob to Archive. Note that a blob cannot be downloaded while it is in the Archive tier.


Step 4:

Assign the role we created to the user from “Access Control (IAM)” in the storage account blade in the Azure Portal. Please refer to the screenshot below:

[Screenshot: image1.PNG]


Step 5:

Let’s test the functionality now. Let the user log in to the Azure Portal. The user is denied access to the access keys and cannot generate a SAS token, as expected. Please see below:

[Screenshot: image2.PNG]


Now, if the user tries to perform a delete blob operation, the operation fails. Please see below:

[Screenshot: image3.PNG]


Similarly, if the user tries to upload or download a blob, the operation fails. The same operations also fail when attempted from Storage Explorer. The user is also unable to create or delete containers.
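To see why the role above behaves as tested, here is an added Python model (not code from the original post or from the Az module) of the RBAC evaluation rule: a role grants an operation only if it lists it under Actions/DataActions and does not list it under its own NotActions/NotDataActions, and Azure unions the result over every assignment the user holds. It assumes Azure’s “*” wildcard and case-insensitive operation matching; the SA prefix variable and the second, contributor-style role are constructed for the illustration, the latter showing that this custom role cannot veto a write granted by another assignment.

```python
import re

# Step 1 role definition, as Python data (prefix variable only shortens the strings).
SA = "Microsoft.Storage/storageAccounts"
CUSTOM_ROLE = {
    "Name": "Restrict user from upload or delete operation on Storage",
    "Actions": [
        f"{SA}/read",
        f"{SA}/blobServices/containers/read",
        f"{SA}/blobServices/generateUserDelegationKey/action",
    ],
    "NotActions": [
        f"{SA}/blobServices/containers/write",
        f"{SA}/blobServices/containers/delete",
    ],
    "DataActions": [f"{SA}/blobServices/containers/blobs/read"],
    "NotDataActions": [
        f"{SA}/blobServices/containers/blobs/delete",
        f"{SA}/blobServices/containers/blobs/write",
    ],
}

# Constructed contributor-style role (not a real built-in definition), used to
# show that the custom role's NotDataActions cannot veto another assignment.
BLOB_WRITER_ROLE = {
    "Name": "constructed-blob-writer",
    "DataActions": [f"{SA}/blobServices/containers/blobs/*"],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure-style operation match: '*' spans any characters; case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_action: bool = False) -> bool:
    """A single role grants an operation if it is in the allow list and not in
    that same role's Not* list; NotActions are a subtraction, not a deny rule."""
    allow, deny = ("DataActions", "NotDataActions") if data_action else ("Actions", "NotActions")
    granted = any(_matches(p, operation) for p in role.get(allow, []))
    excluded = any(_matches(p, operation) for p in role.get(deny, []))
    return granted and not excluded


def effective_permission(roles: list, operation: str, data_action: bool = False) -> bool:
    """Azure unions the permissions of every assignment the principal holds."""
    return any(role_permits(r, operation, data_action) for r in roles)
```

Checking Microsoft.Storage/storageAccounts/listKeys/action against the custom role returns False, which is why the access keys blade is denied in Step 5; checking blobs/write with the constructed writer role added returns True, so a user who also holds a contributor-style assignment is not restricted by this role.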


Thus, by creating the above-mentioned custom role, the user will not be able to upload, download or delete blobs in an existing container.

The user will only be able to list the blobs in the Azure Portal or in the Storage Explorer desktop tool.

Hope this helps!

Version history
Last update: Sep 15 2020 06:31 AM
Updated by: