Azure role-based access control (Azure RBAC) for Media Services accounts
Currently, Azure Media Services does not define any custom roles specific to the service. To get full access to the Media Services account, customers can use the built-in roles of Owner or Contributor. The main difference between these roles is that the Owner can control who has access to a resource and the Contributor cannot. The built-in Reader role can also be used, but the user or application will only have read access to the Media Services APIs.
Design principles
One of the key design principles of the v3 API is to make the API more secure. v3 APIs do not return secrets or credentials on Get or List operations. The keys are always null, empty, or sanitized from the response. The user needs to call a separate action method to get secrets or credentials. The Reader role cannot call operations like Asset.ListContainerSas, StreamingLocator.ListContentKeys, and ContentKeyPolicies.GetPolicyPropertiesWithSecrets. Having separate actions enables you to set more granular Azure RBAC security permissions in a custom role if desired.
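To list the operations Media Services supports, run the following:
    // client is an authenticated AzureMediaServicesClient (Microsoft.Azure.Management.Media); setup is not shown here.
    // Each entry is one operation name that can appear in a role's Actions or NotActions.
    foreach (Microsoft.Azure.Management.Media.Models.Operation a in client.Operations.List())
    {
        Console.WriteLine($"{a.Name} - {a.Display.Operation} - {a.Display.Description}");
    }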
The built-in role definitions article tells you exactly what the role grants.
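To check which roles can reach the secret-returning operations described above, the following added example (not code from the original page or from the Media Services SDK) evaluates role definitions the way Azure RBAC matches Actions and NotActions. The role definitions are constructed samples, the two custom roles are hypothetical, and the action strings are the ARM names for the three operations named in the text, which should be confirmed against the operations list output.

```python
import re

# Secret-returning actions named in the text, written as ARM operation names.
# Assumption: confirm the exact strings against the Operations.List output.
SECRET_ACTIONS = [
    "Microsoft.Media/mediaservices/assets/listContainerSas/action",
    "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action",
    "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action",
]

# Constructed role definitions; the first three are abbreviated models of the built-in roles.
ROLES = [
    {"name": "Owner", "actions": ["*"], "notActions": []},
    {"name": "Contributor", "actions": ["*"],
     "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    {"name": "Reader", "actions": ["*/read"], "notActions": []},
    {"name": "Asset Uploader (hypothetical custom role)",
     "actions": ["Microsoft.Media/mediaservices/*/read",
                 "Microsoft.Media/mediaservices/assets/listContainerSas/action"],
     "notActions": []},
    {"name": "Media Operator (hypothetical custom role)",
     "actions": ["Microsoft.Media/mediaservices/*"],
     "notActions": ["Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"]},
]

def _matches(pattern, action):
    """Azure RBAC patterns: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def allowed(role, action):
    """An action is granted if it matches Actions and is not removed by NotActions."""
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["notActions"])
    return granted and not excluded

def secret_access(roles=ROLES):
    """Map each role name to the secret-returning actions it can call."""
    return {r["name"]: [a for a in SECRET_ACTIONS if allowed(r, a)] for r in roles}

if __name__ == "__main__":
    for name, actions in secret_access().items():
        print(f"{name}: {len(actions)} secret action(s)")
        for a in actions:
            print(f"  {a}")
```

NotActions only subtracts from the same role's Actions; it is not a deny, so a second role assignment on the same principal can still grant an action this check reports as excluded.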
See the following articles for more information: