
I would like to have one of our virtual machine instances have permissions to download blobs but not to delete or upload. However, it appears that the "storage blob data reader" permissions do not allow this. In order to download a blob, I have to give it "storage blob data contributor" permissions. I'm more familiar with AWS, where the permissions are much more granular.

Is the "data reader" only able to get metadata about what's in storage? Am I going the wrong way?

Thanks for any help.

Andy Norris
  • See https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal - storage blob data contributor is needed for delete – auburg Jan 06 '20 at 17:04
  • Thanks. I don't want the user (machine) to be able to delete, though. I want it to be able to download. From the docs: "Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources." This indicates that Reader is what I want, but it doesn't work for downloading blobs. I thought maybe someone else had run into this same issue. – Andy Norris Jan 06 '20 at 17:10
  • You're right - according to this table https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-blob-and-queue-data-operations Get Blob should just require read contributor permissions – auburg Jan 06 '20 at 17:15
  • Actually, from the Storage Blob Data Reader description, you can see it can perform the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` action to return a blob or a list of blobs. – George Chen Jan 09 '20 at 11:45
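An added example, not part of the question or its comments: a small Python model of how Azure RBAC evaluates a role's DataActions and NotDataActions against the blob data action an operation needs, using the `blobs/read` action quoted above. The `blobs/write` and `blobs/delete` action names for Put Blob and Delete Blob, and the constructed wildcard custom role, are my additions and not from the page.

```python
import fnmatch
from dataclasses import dataclass, field

BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"

# Blob REST operations from the question, mapped to the data action each needs.
# blobs/read is the action quoted in the comments; write/delete are my additions.
OPERATION_ACTION = {
    "Get Blob": BLOBS + "/read",
    "List Blobs": BLOBS + "/read",
    "Put Blob": BLOBS + "/write",
    "Delete Blob": BLOBS + "/delete",
}

@dataclass
class RoleDefinition:
    name: str
    data_actions: list
    not_data_actions: list = field(default_factory=list)

# Built-in roles, dataActions only (control-plane actions are left out here).
STORAGE_BLOB_DATA_READER = RoleDefinition(
    "Storage Blob Data Reader", [BLOBS + "/read"])
STORAGE_BLOB_DATA_CONTRIBUTOR = RoleDefinition(
    "Storage Blob Data Contributor",
    [BLOBS + "/read", BLOBS + "/write", BLOBS + "/delete"])
# Constructed custom role: all blob data actions except delete, via wildcard + NotDataActions.
READ_WRITE_NO_DELETE = RoleDefinition(
    "Custom: Blob Read/Write (no delete)", [BLOBS + "/*"], [BLOBS + "/delete"])

def _matches(pattern: str, action: str) -> bool:
    # Role definition entries may use '*' wildcards; comparison is case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(role: RoleDefinition, operation: str) -> bool:
    """An action is granted when some DataActions entry matches it and no
    NotDataActions entry matches it (NotDataActions subtracts; it is not a deny)."""
    action = OPERATION_ACTION[operation]
    granted = any(_matches(p, action) for p in role.data_actions)
    excluded = any(_matches(p, action) for p in role.not_data_actions)
    return granted and not excluded

def effective_permissions(role: RoleDefinition) -> dict:
    """Which of the listed operations the role permits, for a least-privilege review."""
    return {op: is_allowed(role, op) for op in OPERATION_ACTION}

if __name__ == "__main__":
    for role in (STORAGE_BLOB_DATA_READER, STORAGE_BLOB_DATA_CONTRIBUTOR, READ_WRITE_NO_DELETE):
        print(role.name, effective_permissions(role))
```

Running it shows Storage Blob Data Reader permitting Get Blob and List Blobs but not Put Blob or Delete Blob, which is the download-only outcome the question asks for.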

0 Answers