LuckyRajput-7865 asked SumanthMarigowda-MSFT commented

Any RBAC roles/action that will disable creation of new blob containers but can update existing blob containers in the storage account?

I have a requirement in which I want to restrict users from creating new blob containers in the storage account but they can add new files in existing Blob containers.

Can you please help me create a custom role (or built-in role, if applicable) for limited access as mentioned?

Also, access to blob is authorized using the storage account access key (Microsoft.Storage/storageAccounts/listKeys/action).




azure-storage-accounts azure-blob-storage azure-rbac

@LuckyRajput-7865 For better clarity, may I know how Azure Storage accounts are authenticated (SAS, AAD, or Azure Storage Account)?

Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.

Note: Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key.

Let me explain how these roles work and the definition of RBAC.

Refer to this GitHub repository (if you plan to use AAD): https://github.com/Azure-Samples/storage-dotnet-azure-ad-msal

For detailed information about built-in roles for Azure Storage, see the Storage section in Azure built-in roles for Azure RBAC.





@Sumarigo-MSFT Please provide the answer in the answer box so that the questioner can up-vote/accept your answer.


0 Answers
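
The thread's point that access keys act like a root password can be checked against a role definition before it is assigned. The following is an added example, not part of the original thread or any Microsoft sample: it evaluates a role's Actions/NotActions the way Azure RBAC does (wildcards, case-insensitive) and reports whether "can write blobs but cannot create containers" actually holds. The three role definitions and their names are constructed for illustration; the operation strings are Azure's own.

```python
from fnmatch import fnmatchcase

# Azure operation names; LIST_KEYS is the one quoted in the question.
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
CREATE_CONTAINER = "Microsoft.Storage/storageAccounts/blobServices/containers/write"
WRITE_BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

def _matches(patterns, operation):
    # RBAC operation strings are case-insensitive and may use '*' wildcards.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def allows(role, operation, kind="Actions"):
    # Granted = listed in Actions/DataActions and not excluded by the Not* list.
    return (_matches(role.get(kind, []), operation)
            and not _matches(role.get("Not" + kind, []), operation))

def audit(role):
    key_access = allows(role, LIST_KEYS)          # key holder bypasses RBAC entirely
    create = allows(role, CREATE_CONTAINER)
    write = allows(role, WRITE_BLOB, "DataActions")
    return {
        "key_access": key_access,
        "create_container": create,
        "write_blob": write,
        "restriction_holds": write and not create and not key_access,
    }

# Constructed role definitions (hypothetical names and contents).
KEY_BASED = {
    "Name": "Example Key Reader",
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read", LIST_KEYS],
}
WILDCARD = {
    "Name": "Example Wildcard",
    "Actions": ["Microsoft.Storage/storageAccounts/*"],   # silently includes listKeys
    "NotActions": [CREATE_CONTAINER],
    "DataActions": [WRITE_BLOB],
}
AAD_ONLY = {
    "Name": "Example Blob Writer",
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "DataActions": [WRITE_BLOB,
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
}

if __name__ == "__main__":
    for r in (KEY_BASED, WILDCARD, AAD_ONLY):
        print(r["Name"], audit(r))
```

Only the third role keeps the restriction, and only when clients authenticate with Azure AD rather than the account key.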