Storage Account Contributor role versus Storage Blob Data Contributor


Can Storage Account Contributor also create containers and upload data? Can the Storage Account Contributor role do the same as Storage Blob Data Contributor but also handle other storage account areas such as keys and SAS?

If I scoped a general Contributor role at the storage account level, would this be the same as applying Storage Account Contributor at the storage account level?

2 Replies

@DK 

The difference between the roles is in the "dataActions" of the Storage Data Contributor.

The Storage Account Contributor has no dataActions permissions for the storage account; however, it can do everything that's not data, including SAS tokens.

The Storage Data Contributor can generate SAS tokens for blobs using the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action.

Scoping the Contributor role to the storage account would of course give you the same permissions, but this is not best practice according to the least-privilege approach for RBAC.

Azure built-in role permissions:

Storage Data Contributor

{
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ]
}


Storage Account Contributor

{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}


Contributor

{
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}


It was confirmed to me on the thread below that "Storage Account Contributor" can read/write/delete containers and blobs:

https://learn.microsoft.com/en-us/answers/questions/1342904/can-storage-account-contributor-role-rea...
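A simplified evaluator of the three role definitions quoted in the first reply, added here as an illustration and not code from the thread or from Microsoft. It assumes a single role assignment, no deny assignments or ABAC conditions, and Entra ID authorization only (access gained through account keys or SAS tokens is outside the model), and its role table is abridged to the entries the checks need.

```python
import re

STORAGE = "Microsoft.Storage/storageAccounts"

# Abridged from the role JSON quoted in the thread: entries the checks below
# never touch (alert rules, support, blueprints, ...) are left out.
ROLES = {
    "Storage Blob Data Contributor": {
        "actions": [f"{STORAGE}/blobServices/containers/read",
                    f"{STORAGE}/blobServices/containers/write",
                    f"{STORAGE}/blobServices/containers/delete",
                    f"{STORAGE}/blobServices/generateUserDelegationKey/action"],
        "notActions": [],
        "dataActions": [f"{STORAGE}/blobServices/containers/blobs/read",
                        f"{STORAGE}/blobServices/containers/blobs/write",
                        f"{STORAGE}/blobServices/containers/blobs/delete"],
        "notDataActions": [],
    },
    "Storage Account Contributor": {
        "actions": ["Microsoft.Authorization/*/read", f"{STORAGE}/*"],
        "notActions": [], "dataActions": [], "notDataActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "dataActions": [], "notDataActions": [],
    },
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'),
    and operation names compare case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def allowed(role_name: str, operation: str, data_plane: bool) -> bool:
    """Control-plane operations are checked against actions/notActions,
    data-plane ones (blob access with Entra ID auth) against
    dataActions/notDataActions; a matching NotAction overrides an Action."""
    role = ROLES[role_name]
    grants, denies = (("dataActions", "notDataActions") if data_plane
                      else ("actions", "notActions"))
    if not any(_matches(p, operation) for p in role[grants]):
        return False
    return not any(_matches(p, operation) for p in role[denies])
```

For Storage Account Contributor, the data-plane blobs/write check returns False while the control-plane listKeys/action and containers/write checks return True, which is the distinction the reply draws: the role manages the account (and can hand out keys) but holds no dataActions of its own.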