Manage access rights to Azure Blob and Queue data with RBAC (Preview)

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access containers or queues. When an RBAC role is assigned to an Azure AD identity, that identity is granted access to those resources, according to the specified scope. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. You can assign access rights for Azure Storage resources using the Azure portal, Azure command-line tools, and Azure Management APIs.

An Azure AD security principal may be a user, group, or application service principal, or it may be a managed identity for Azure resources. A managed identity for Azure resources is an automatically managed identity used to authenticate from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other Azure services. For an overview of identity in Azure AD, see Understand Azure identity solutions.

Note

  • The preview of Azure AD authentication for blobs and queues is intended for non-production use only. Production service-level agreements (SLAs) are not currently available. If Azure AD authentication is not yet supported for your scenario, continue to use Shared Key authorization or SAS tokens in your applications.

  • During the preview, RBAC role assignments may take up to five minutes to propagate.

  • To authorize blob and queue operations with an OAuth token, you must use HTTPS.

  • The Azure portal now supports using Azure AD credentials to read and write blob and queue data, as part of the preview release.

  • Azure Storage Explorer currently uses your storage account key to access blob and queue data. OAuth access is supported for blobs.

  • Azure Files supports authentication with Azure AD over SMB for domain-joined VMs only (preview). To learn about using Azure AD over SMB for Azure Files, see Overview of Azure Active Directory authentication over SMB for Azure Files (preview).

RBAC roles for blobs and queues

Azure Storage supports both built-in and custom RBAC roles. Azure Storage offers these built-in RBAC roles for use with Azure AD (the access each one grants at each scope is summarized in the table under Assign a role to a security principal):

  • Storage Blob Data Owner
  • Storage Blob Data Contributor
  • Storage Blob Data Reader
  • Storage Queue Data Contributor
  • Storage Queue Data Reader

For more information about how built-in roles are defined for Azure Storage, see Understand role definitions.

You can also define custom roles for use with containers and queues. For more information, see Create custom roles for Azure Role-Based Access Control.

Assign a role to a security principal

Assign an RBAC role to an Azure identity to grant permissions to containers or queues in your storage account. You can scope the role assignment to the storage account, or to a specific container or queue. The following table summarizes the access rights granted by the built-in roles, depending on scope:

| Scope | Blob Data Owner | Blob Data Contributor | Blob Data Reader | Queue Data Contributor | Queue Data Reader |
|---|---|---|---|---|---|
| Subscription level | Read/write access to all containers and blobs in the subscription | Read/write access to all containers and blobs in the subscription | Read access to all containers and blobs in the subscription | Read/write access to all queues in the subscription | Read access to all queues in the subscription |
| Resource group level | Read/write access to all containers and blobs in the resource group | Read/write access to all containers and blobs in the resource group | Read access to all containers and blobs in the resource group | Read/write access to all queues in the resource group | Read access to all queues in the resource group |
| Storage account level | Read/write access to all containers and blobs in the storage account | Read/write access to all containers and blobs in the storage account | Read access to all containers and blobs in the storage account | Read/write access to all queues in the storage account | Read access to all queues in the storage account |
| Container/queue level | Read/write access to the specified container and its blobs | Read/write access to the specified container and its blobs | Read access to the specified container and its blobs | Read/write access to the specified queue | Read access to the specified queue |

Note

Being an owner of your Azure Storage account does not automatically grant you permissions to access its data. You must explicitly assign yourself an RBAC data role for Azure Storage, at the level of your subscription, resource group, storage account, or an individual container or queue.

For details on the permissions required to call Azure Storage operations, see Permissions for calling REST operations.
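To make the scope inheritance in the table above concrete, here is an added example (not code from the Azure documentation) that computes the data permissions a principal effectively holds on a container or queue from a set of role assignments; the ARM resource-ID layout, the role-to-permission map and the sample principals and names are assumptions constructed for the illustration. It also shows the point from the note: a management-plane role such as Owner on its own yields no data access.

```python
# Added example (not Azure docs code): which blob/queue data permissions a set of RBAC
# assignments grants a principal, applying the scope inheritance shown in the table above.
# The resource-ID layout and the sample principals/names are constructed assumptions.
DATA_ROLE_PERMISSIONS = {  # data-plane permissions of each built-in data role, per the table
    "Storage Blob Data Owner": {"blob:read", "blob:write"},
    "Storage Blob Data Contributor": {"blob:read", "blob:write"},
    "Storage Blob Data Reader": {"blob:read"},
    "Storage Queue Data Contributor": {"queue:read", "queue:write"},
    "Storage Queue Data Reader": {"queue:read"},
}

def scope_id(subscription, resource_group=None, account=None, container=None, queue=None):
    """Build the ARM scope string for one of the four assignment levels in the table."""
    parts = [f"/subscriptions/{subscription}"]
    if resource_group:
        parts.append(f"/resourceGroups/{resource_group}")
    if account:
        parts.append(f"/providers/Microsoft.Storage/storageAccounts/{account}")
    if container:
        parts.append(f"/blobServices/default/containers/{container}")
    elif queue:
        parts.append(f"/queueServices/default/queues/{queue}")
    return "".join(parts)

def scope_covers(assigned_scope, resource):
    """True if the assignment scope is the resource itself or one of its ancestors."""
    a, r = assigned_scope.lower(), resource.lower()  # ARM IDs compare case-insensitively
    return r == a or r.startswith(a + "/")

def effective_permissions(assignments, principal, resource):
    """Union of data permissions `principal` holds on a container or queue resource."""
    kind = "queue" if "/queueservices/" in resource.lower() else "blob"
    perms = set()
    for asg in assignments:
        if asg["principal"] != principal or not scope_covers(asg["scope"], resource):
            continue
        # Management roles such as Owner are absent from the map: owning the account grants no data access.
        granted = DATA_ROLE_PERMISSIONS.get(asg["role"], set())
        perms |= {p for p in granted if p.startswith(kind + ":")}  # blob roles never reach queues
    return perms

# Constructed sample: alice reads account-wide and writes one container; bob only owns the subscription.
SUB, RG, ACCT = "00000000-0000-0000-0000-000000000000", "rg-demo", "stdemo"
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Storage Blob Data Reader", "scope": scope_id(SUB, RG, ACCT)},
    {"principal": "alice", "role": "Storage Blob Data Contributor",
     "scope": scope_id(SUB, RG, ACCT, container="sample-container")},
    {"principal": "bob", "role": "Owner", "scope": scope_id(SUB)},
]
```

Running `effective_permissions(SAMPLE_ASSIGNMENTS, "alice", scope_id(SUB, RG, ACCT, container="other"))` returns only `{"blob:read"}`, because the container-scoped Contributor assignment does not reach sibling containers.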

The following sections show how to assign a role scoped to the storage account or scoped to an individual container.

Assign a role scoped to the storage account in the Azure portal

To assign a built-in role granting access to all containers or queues in the storage account in the Azure portal:

  1. In the Azure portal, navigate to your storage account.
  2. Select your storage account, then select Access control (IAM) to display access control settings for the account. Select the Role assignments tab to see the list of role assignments.

    Screen shot showing storage access control settings

  3. Click the Add role assignment button to add a new role.

  4. In the Add role assignment window, select the role to assign to an Azure AD identity. Then search to locate the identity to whom you want to assign that role. For example, the following image shows the Storage Blob Data Reader (Preview) role assigned to a user.

    Screen shot showing how to assign an RBAC role

  5. Click Save. The identity to whom you assigned the role appears listed under that role. For example, the following image shows that the added user now has read permissions to all blob data in the storage account.

    Screen shot showing list of users assigned to a role

Assign a role scoped to a container or queue in the Azure portal

Important

Assigning a role scoped to a container or queue is not yet supported for accounts that have the hierarchical namespace enabled.

The steps for assigning a built-in role scoped to a container or to a queue are similar. The procedure shown here assigns a role scoped to a container, but you can follow the same steps to assign a role scoped to a queue:

  1. In the Azure portal, navigate to your storage account and display the Overview for the account.
  2. Under Services, select Blobs.
  3. Locate the container for which you want to assign a role, and display the container's settings.
  4. Select Access control (IAM) to display access control settings for the container. Select the Role assignments tab to see the list of role assignments.

    Screen shot showing container access control settings

  5. Click the Add role assignment button to add a new role.
  6. In the Add role assignment window, select the role that you want to assign to an Azure AD identity. Then search to locate the identity to which you want to assign that role.
  7. Click Save. The identity to whom you assigned the role appears listed under that role. For example, the following image shows that the added user now has read permissions to data in the container named sample-container.

    Screen shot showing list of users assigned to a role

Next steps