Custom RBAC role in Azure Storage to perform upload / download operation & restrict delete operation
Published May 15 2020 06:59 AM
Microsoft

Scenario:

This article explains, step by step, how to meet the following requirement in Azure Storage using a custom RBAC role:

  1. Read and write operation for container and blobs should be allowed for the users
  2. Delete operations should be restricted

The above custom RBAC role should be assigned at the resource group level.


Pre-Requisites:

  1. Azure Storage GPV2 / ADLS Gen 2 Storage account
  2. Ensure that you have enough permissions to create custom roles, such as Owner or User Access Administrator

Action:

The steps below create the custom RBAC role using the Azure portal.

A custom RBAC role can also be created using the following methods:

  1. Using PowerShell: see https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
  2. Using Azure CLI: see https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli
  3. Using the REST API: see https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-rest

Step 1:

  1. Sign in to the Azure portal with your credentials.
  2. Go to the resource group that you would like the role to be scoped to.
  3. Select Access control (IAM) -> Add -> Add custom role:

[Screenshot]

Step 2:

Give a suitable name and description for the role.

[Screenshot]

Step 3:

The Baseline permissions setting lets you decide whether to create the custom role by cloning and then modifying an existing role, or by starting from scratch.

  • Here, I chose the option <Clone a role>.
  • Role to clone: I chose <Storage Blob Data Contributor>, as it is the closest match to the custom role I want to create. You could choose any other role to clone as per your use case.

[Screenshot]

Step 4:

Under the Permissions tab, I altered the permissions to fit my use case. The permissions highlighted below are the ones I changed:

[Screenshot]

To add or exclude permissions:

  1. Choose either Add or Exclude, then search for the resource provider whose permission you would like to include or exclude.
  2. As I want to exclude the delete operations on the storage account, I used the following:

[Screenshot]

Excluding the required permissions:

  1. Under Not Actions (these are management plane permissions), I chose the two permissions shown below:

[Screenshot]

  1. Under Not Data Actions (these are data plane operations), I chose the permission shown below:

[Screenshot]

The final form of the custom RBAC role, scoped at the resource group level, is shown below. It was created by clicking the Create option.

[Screenshot]

Step 5:

Once the role has been created, we can assign it to the user as follows:

  1. Azure portal -> Resource group
  2. Access control (IAM) -> Add -> Add role assignment
  3. In the role assignment, choose the custom role you created and assign it to the user

[Screenshot]

Please Note

Along with the above permission, I have given the user Reader permission at the subscription level. You could give the Reader permission at the resource group level too.

When granting permissions to a user, there are two planes to consider: the management plane and the data plane.

Hence, it is important that you give the user at least the 'Reader' role at the management plane level, so that they can navigate to the storage account.

Step 6:

The storage account <teststorage2355> was deployed under the resource group <CustomRBAC>, where the custom RBAC role was assigned to the user.

The below operations were checked by the user to see if the RBAC role was working appropriately:


  1. Upload blobs to blob storage: succeeded

[Screenshot]

  2. Download blobs from blob storage: succeeded

[Screenshot]

  3. Delete blobs from blob storage: failed with the error shown below

[Screenshot]

  4. Deletion of a container would also delete the blobs in it. When I tried deleting the container, the error below was observed

[Screenshot]

  5. Deletion of the storage account would also delete the blobs. When I tried deleting the storage account, the error below was observed

[Screenshot]
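The following Python, added here as an example and not part of the original post, evaluates the effective permissions of the assignments described above against the five operations checked in Step 6, and shows why a Not Actions entry is not a deny rule: permissions are a union across assignments, so a second role that grants delete would reinstate it. The role definitions are constructed for the example; the exact entries the author excluded are not visible in the text, so the ones used here are assumptions.

```python
import re

# Constructed role definitions for this example (not the page's exact JSON).
# CUSTOM_ROLE mirrors the page's setup: Storage Blob Data Contributor cloned, with the
# delete operations moved into NotActions / NotDataActions. Which exact entries the
# author excluded is not shown on the page, so these are assumptions.
SA = "Microsoft.Storage/storageAccounts/"
CUSTOM_ROLE = {
    "Actions": [SA + "blobServices/containers/read",
                SA + "blobServices/containers/write",
                SA + "blobServices/containers/delete"],
    "NotActions": [SA + "blobServices/containers/delete", SA + "delete"],
    "DataActions": [SA + "blobServices/containers/blobs/read",
                    SA + "blobServices/containers/blobs/write",
                    SA + "blobServices/containers/blobs/delete"],
    "NotDataActions": [SA + "blobServices/containers/blobs/delete"],
}
# Built-in Reader, which the page assigns at subscription scope alongside the custom role.
READER_ROLE = {"Actions": ["*/read"], "NotActions": [], "DataActions": [], "NotDataActions": []}

def matches(pattern, operation):
    # Azure operation strings match case-insensitively; '*' matches any run of characters.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation, data_plane=False):
    # A single role grants an operation when an Actions/DataActions entry covers it and no
    # NotActions/NotDataActions entry covers it. Not* entries only subtract within this role.
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    return (any(matches(p, operation) for p in role[allow])
            and not any(matches(p, operation) for p in role[deny]))

def effective_allow(roles, operation, data_plane=False):
    # Across all of a user's assignments, permissions are a union: NotActions in one role
    # never blocks what another role grants, so every assigned role must be checked.
    return any(role_allows(r, operation, data_plane) for r in roles)

# The five operations the page verifies in Step 6: (operation string, is data plane).
SCENARIO_OPS = {
    "upload blob": (SA + "blobServices/containers/blobs/write", True),
    "download blob": (SA + "blobServices/containers/blobs/read", True),
    "delete blob": (SA + "blobServices/containers/blobs/delete", True),
    "delete container": (SA + "blobServices/containers/delete", False),
    "delete storage account": (SA + "delete", False),
}

def check_scenario(roles):
    # Returns {operation name: True if the user can perform it} for the page's test matrix.
    return {name: effective_allow(roles, op, dp) for name, (op, dp) in SCENARIO_OPS.items()}
```

Call check_scenario([CUSTOM_ROLE, READER_ROLE]) to get the allowed/denied map; append any other role the user holds to see whether it re-enables a delete.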

 

Hope this helps !


Last update: May 19 2020 11:52 PM