Apr 24 2023 04:34 AM
Storage Account Contributor can also create containers and upload data? Storage Account Contributor role can do the same roles as Storage Blob Data Contributor but also handle other storage account areas such as key and SAS?
If I scoped a general Contributor role at the storage account level would this be the same as applying the Storage Account Contributor at the storage account level?
Apr 26 2023 04:24 AM
The difference between the roles is in the "dataAction" of the Storage Data Contributor.
The Storage Account Contributor has no dataActions permissions for the storage account, however, it can do everything that's not data. Including SAS tokens.
The Storage Data Contributor can generate SAS tokens for blobs using the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.
Scoping the Contributor role to the storage account would of course give you the same permissions, but it is not best practice according to the least-privilege approach for RBAC.
Azure built-in role permissions:

Storage Blob Data Contributor:
    "permissions": [
        {
            "actions": [
                "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
            ],
            "notActions": [],
            "dataActions": [
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
            ],
            "notDataActions": []
        }
    ]

Storage Account Contributor:
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.Insights/alertRules/*",
                "Microsoft.Insights/diagnosticSettings/*",
                "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                "Microsoft.ResourceHealth/availabilityStatuses/read",
                "Microsoft.Resources/deployments/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Storage/storageAccounts/*",
                "Microsoft.Support/*"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]

Contributor:
    "permissions": [
        {
            "actions": [
                "*"
            ],
            "notActions": [
                "Microsoft.Authorization/*/Delete",
                "Microsoft.Authorization/*/Write",
                "Microsoft.Authorization/elevateAccess/Action",
                "Microsoft.Blueprint/blueprintAssignments/write",
                "Microsoft.Blueprint/blueprintAssignments/delete",
                "Microsoft.Compute/galleries/share/action"
            ],
            "dataActions": [],
            "notDataActions": []
        }
    ]
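The actions/dataActions split described in the answer above, worked through as an added example (not code from the thread or from Microsoft): a small evaluator that applies Azure RBAC's allow-minus-deny wildcard matching to the three role definitions, abbreviated to the entries the checks need. The control-plane operation names listKeys/action and roleAssignments/write are standard Azure operations that the thread itself does not quote.

```python
import fnmatch

# Role definitions abbreviated from the JSON posted in the thread (Azure built-in roles);
# only the entries the checks below exercise are kept.
STORAGE_BLOB_DATA_CONTRIBUTOR = {
    "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/write",
                "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
    "notActions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
    "notDataActions": [],
}
STORAGE_ACCOUNT_CONTRIBUTOR = {
    "actions": ["Microsoft.Authorization/*/read", "Microsoft.Storage/storageAccounts/*"],
    "notActions": [], "dataActions": [], "notDataActions": [],
}
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "dataActions": [], "notDataActions": [],
}

def _matches(operation, patterns):
    # Azure RBAC compares operation names case-insensitively; '*' matches any run of
    # characters including '/' separators, which is exactly what fnmatch does.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def permits(role, operation, data_plane=False):
    """Evaluate one role against one operation. A control-plane operation is matched
    only against actions/notActions, a data-plane operation only against
    dataActions/notDataActions; a match in the deny list cancels the allow."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return _matches(operation, role[allow]) and not _matches(operation, role[deny])

if __name__ == "__main__":
    keys = "Microsoft.Storage/storageAccounts/listKeys/action"            # control plane
    container = "Microsoft.Storage/storageAccounts/blobServices/containers/write"  # control plane
    blob = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"  # data plane
    for name, role in [("Storage Blob Data Contributor", STORAGE_BLOB_DATA_CONTRIBUTOR),
                       ("Storage Account Contributor", STORAGE_ACCOUNT_CONTRIBUTOR),
                       ("Contributor", CONTRIBUTOR)]:
        print(f"{name}: listKeys={permits(role, keys)} createContainer={permits(role, container)} "
              f"readBlob(data)={permits(role, blob, data_plane=True)}")
```

Note that Storage Account Contributor passes the container-create and listKeys checks through the "Microsoft.Storage/storageAccounts/*" wildcard while failing the data-plane blob read, which is the distinction the answer draws.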
Aug 08 2023 03:50 AM - edited Aug 08 2023 05:00 AM
It was confirmed to me on the thread below that "Storage Account Contributor" can read/write/delete containers and blobs: