Mar 01 2019 02:30 PM
Hi, is it currently possible to to provide read only access to Azure Storage Account blob containers via Azure CLI? It appears that once you connect to Azure via Azure CLI, it is just using the Storage Account's access key for all operations against the container, regardless of the RBAC rights associated with the SP I connect with.
Mar 03 2019 02:53 PM
Hi @unixdespair good night.
Mar 05 2019 12:58 PM
Unfortunately that's not how Azure CLI works currently. I did find the actual solution though in this case. You need to assign Reader and the preiew Storage Blob Data Reader role, then enable preview features in Azure CLI with:
az extension add -n storage-preview
Then, add "--auth-mode login" to your az storage commands after logging in with the SP that has only read-only rights.
As shipped, Azure CLI interactions with storage accounts are always using the account keys.