How to Restrict User Visibility of File Share, Queue, and Table Storage Service
Published Oct 13 2023 03:37 AM 3,727 Views
Microsoft

Scenario 

Suppose you have a specific requirement wherein the user should not have access to view the File Share, Queue, and Table Storage Services Data. The user should only be able to access and view the containers within the storage account. In this blog, we will delve into the methods and techniques to fulfil this requirement. 
 

Assessment: 

Azure Storage provides several predefined roles built-in roles that can be utilized to restrict users from executing certain operations on the Azure Storage Account. However, in order to fulfil the aforementioned requirement, it is necessary to customize the Role permissions according to the specific needs and constraints.  
 

Steps to be followed: 

You can make use of Azure Portal, PowerShell, or Az CLI to create a custom RBAC role. 
 

Pre-requisites: 

  • Azure Storage account: You can use GPv2 Storage Account 

 

We will create a custom role named “TestCustomRBACRole” which will restrict the user to view File Share, Queue and Table Storage Service Data by using Azure Portal 

 

Step 1: 

  1. Sign-in to the Azure portal with your credentials 
  2. Go to the resource group where you could like the role to be implemented/ scoped to. 
  3. Select Access Control (IAM)->Add-> Add Custom Role: 

again again new.png

 

Step 2: 

We will create a custom role named “TestCustomRBACRole”. The Baseline permission parameters helps with deciding whether you want to create your custom role by cloning and then modifying an existing role or by starting from scratch. 

Here, I would be choosing the option of <Start from Scratch >  

2nd.png

 

Step 3: 

Click on Add Permission  

3rd.jpg

 

Step 4: 

Search for permissions to add to your custom role. In our case we will search for “Microsoft Storage” to find permissions related to storage account. 

4th.png 

 

Add/Include Permission 

After selecting Azure Storage, please search for blob and select below permission. In our scenario we will only select Read, Write delete operation for blob and container. 

4thagain.png

 

To obtain information about a specific storage account, we need to add below additional permission as well. If we don't add the "Read: List/Get Storage Account(s)" permission, we won't be able to access the storage account within that resource group.  

4thagain2.png

 

Step 5: 

The finalized format of the Custom Role-Based Access Control (RBAC) role is as follows, with the scope set at the resource group level. This role was created by selecting the "create" option. 

5thnew.png

 

Step 6: 

Once the role has been created, we can assign it to the user by following the below steps: - 

  1. Azure portal -> Resource group 
  2. Access control (IAM) -> add-> role assignment 
  3. From the role assignment choose the custom role you have created and assign it to the user. In our case Custom Role name is TestCustomRBACRole 

 

Step 7: 

The storage account <testforsourabh> was deployed under the resource group where the Custom RBAC role <TestCustomRBACRole> was assigned to user 

The below operations were checked by the user to see if the RBAC role was working appropriately: 

 

  • User can view the Container 

Container.png

 

  • User is getting Access denied error when click on File Share 

Fileshare2.png

 

  •  User would not be able to see any data in queue but there would be no error 

queue.png

 

  •  User will get Permission denied error for table storage as well 

table.png

 

Hope this helps!

 

3 Comments
Co-Authors
Version history
Last update:
‎Oct 12 2023 08:30 AM
Updated by: