Grant access to Azure blob and queue data with RBAC using Azure CLI

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob or queue data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

This article describes how to use Azure CLI to list built-in RBAC roles and assign them to users. For more information about using Azure CLI, see Azure Command-Line Interface (CLI).

RBAC roles for blobs and queues

Azure provides a set of built-in RBAC roles for authorizing access to blob and queue data using Azure AD and OAuth. These roles, with their descriptions, appear in the az role definition list output shown under List available RBAC roles.

Note

RBAC role assignments may take up to five minutes to propagate.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

Determine resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. Best practice is to grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.

Important

If your subscription includes an Azure Databricks namespace, roles assigned at the subscription scope will be blocked from granting access to blob and queue data.

List available RBAC roles

To list available built-in RBAC roles with Azure CLI, use the az role definition list command:

az role definition list --out table

You'll see the built-in Azure Storage data roles listed, together with other built-in roles for Azure:

Storage Blob Data Contributor             Allows for read, write and delete access to Azure Storage blob containers and data
Storage Blob Data Owner                   Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.
Storage Blob Data Reader                  Allows for read access to Azure Storage blob containers and data
Storage Queue Data Contributor            Allows for read, write, and delete access to Azure Storage queues and queue messages
Storage Queue Data Message Processor      Allows for peek, receive, and delete access to Azure Storage queue messages
Storage Queue Data Message Sender         Allows for sending of Azure Storage queue messages
Storage Queue Data Reader                 Allows for read access to Azure Storage queues and queue messages

Assign an RBAC role to a security principal

To assign an RBAC role to a security principal, use the az role assignment create command. The format of the command can differ based on the scope of the assignment. The following examples show how to assign a role to a user at various scopes, but you can use the same command to assign a role to any security principal.

Container scope

To assign a role scoped to a container, specify a string containing the scope of the container for the --scope parameter. The scope for a container is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>

The following example assigns the Storage Blob Data Contributor role to a user, scoped to the level of the container. Make sure to replace the sample values and the placeholder values in brackets with your own values:

az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

Queue scope

To assign a role scoped to a queue, specify a string containing the scope of the queue for the --scope parameter. The scope for a queue is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/<queue>

The following example assigns the Storage Queue Data Contributor role to a user, scoped to the level of the queue. Make sure to replace the sample values and the placeholder values in brackets with your own values:

az role assignment create \
    --role "Storage Queue Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/<queue>"

Storage account scope

To assign a role scoped to the storage account, specify the scope of the storage account resource for the --scope parameter. The scope for a storage account is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>

The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the storage account. Make sure to replace the sample values with your own values:

az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

Resource group scope

To assign a role scoped to the resource group, specify the resource group name or ID for the --resource-group parameter. The following example assigns the Storage Queue Data Reader role to a user at the level of the resource group. Make sure to replace the sample values and placeholder values in brackets with your own values:

az role assignment create \
    --role "Storage Queue Data Reader" \
    --assignee <email> \
    --resource-group <resource-group>

Subscription scope

To assign a role scoped to the subscription, specify the scope for the subscription for the --scope parameter. The scope for a subscription is in the form:

/subscriptions/<subscription>

The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the subscription. Make sure to replace the sample values with your own values:

az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>"
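As an added example (not code from the original page), the following POSIX sh helper builds the --scope string for each of the five scope levels described above, refuses roles that manage the account without granting data access, and prints or runs the same az role assignment create command shown in the sections above. The function names build_storage_scope, check_data_role and assign_data_role are assumptions, not az CLI commands.

```shell
#!/bin/sh
# Added example, not code from the Azure docs page. Builds the --scope string for
# each of the page's five scope levels and refuses management-only roles. The
# function names (build_storage_scope etc.) are assumptions, not az CLI commands.

# Usage: build_storage_scope LEVEL SUBSCRIPTION [RESOURCE_GROUP] [ACCOUNT] [CONTAINER_OR_QUEUE]
# LEVEL: subscription | resource-group | account | container | queue
build_storage_scope() {
    level=$1; sub=$2; rg=$3; acct=$4; leaf=$5
    [ -n "$sub" ] || { echo "subscription id required" >&2; return 1; }
    base="/subscriptions/$sub"
    acctpath="$base/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$acct"
    case "$level" in
        subscription)   echo "$base" ;;
        resource-group) [ -n "$rg" ] || return 1
                        echo "$base/resourceGroups/$rg" ;;
        account)        [ -n "$rg" ] && [ -n "$acct" ] || return 1
                        echo "$acctpath" ;;
        container)      [ -n "$rg" ] && [ -n "$acct" ] && [ -n "$leaf" ] || return 1
                        echo "$acctpath/blobServices/default/containers/$leaf" ;;
        queue)          [ -n "$rg" ] && [ -n "$acct" ] && [ -n "$leaf" ] || return 1
                        echo "$acctpath/queueServices/default/queues/$leaf" ;;
        *) echo "unknown scope level: $level" >&2; return 1 ;;
    esac
}

# Only the Storage *Data* roles grant access to blob or queue contents. Owner,
# Contributor and Storage Account Contributor manage the account but do not grant
# data access, so assigning them "for data access" over-privileges without helping.
check_data_role() {
    case "$1" in
        "Storage Blob Data Owner"|"Storage Blob Data Contributor"|"Storage Blob Data Reader"| \
        "Storage Queue Data Contributor"|"Storage Queue Data Reader"| \
        "Storage Queue Data Message Processor"|"Storage Queue Data Message Sender") return 0 ;;
        *) echo "not a Storage data-plane role: $1" >&2; return 1 ;;
    esac
}

# Validate the role, then print the az command (DRY_RUN=1, the default) or run it
# (DRY_RUN=0). The command is the same one the page shows for each scope.
assign_data_role() {
    role=$1; assignee=$2; scope=$3
    check_data_role "$role" || return 1
    set -- az role assignment create --role "$role" --assignee "$assignee" --scope "$scope"
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Narrowest useful scope for a reader of one container (constructed sample values).
assign_data_role "Storage Blob Data Reader" "user@example.com" \
    "$(build_storage_scope container 00000000-0000-0000-0000-000000000000 rg1 stacct1 logs)"
```

Run with DRY_RUN=0 and a signed-in az CLI to perform the assignment instead of printing it.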
