RBAC access to Azure Storage - preview roles not acting as expected

Submitted by 元气小坏坏 on 2019-12-06 11:45:09

Question


I'm trying to give our operations team read-only access to a storage account containing log files. I'd like to be able to give them the right to enumerate containers and read blobs. Ideally that would be the extent of their access.

There are a couple of RBAC roles in preview that looked promising:

  • Storage Blob Data Reader (Preview) is described as "Allows for read access to Azure Storage blobs containers and data" which sounds exactly like what I'm after
  • Storage Blob Data Contributor (Preview) sounds like read/write to blob accounts

Neither of these roles worked for me, however. The operations group is unable to use Azure Storage Explorer or the web to examine blob contents. It looks like the roles don't provide access to the key APIs.

I'm wondering where the gap is between what I'm hoping to do and what the new preview roles offer. Can I accomplish this without defining custom roles in the tenant?


Answer 1:


One thing is assigning proper RBAC roles and another is a client application making use of them. As far as I noticed, most applications able to browse through Storage Accounts still use only the keys and obviously fail when the user is not assigned a role privileged enough.

You can however use new storage data access roles by means of Azure Portal. This requires you to assign both Reader and Storage Blob Data Reader roles. The first one is required for the user to see the storage account resource in the Portal at all. The latter is required to access data without keys.

Users will be able to see the data when going through the Blob service > Blobs menu position. Not the Storage Explorer, which still can use only keys.

You can assign Storage Blob Data Reader on the storage account level or on a particular container and this works just fine - users have access limited to a specific container.

You also need to wait some time for the roles to propagate properly. The documentation says something about 5 minutes but from my short observation it seems it can be a bit longer.
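As an added illustration of the steps this answer describes (this is not code from the question or answer authors), the following POSIX shell script uses the Azure CLI to grant the operations group Reader on the storage account and Storage Blob Data Reader on a single container, then polls for the data-plane access to become visible using the caller's own Azure AD sign-in (`--auth-mode login`) rather than account keys. The subscription, resource group, account, container and group object id are placeholders the caller supplies; nothing is executed against Azure unless DRY_RUN=0 is set, so by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a signed-in Azure CLI
# (az login) with rights to create role assignments. All names are placeholders.
set -eu

# ARM resource id of the storage account (scope for the control-plane Reader role).
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Resource id of one container: the narrowest scope at which the data-plane
# role can be assigned, so the group sees only that container's blobs.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Execute a command, or print it when DRY_RUN is 1 (the default).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Reader on the account lets the group find the account in the Portal;
# Storage Blob Data Reader on the container grants read-only blob access
# without exposing the account keys. Principal type Group matches an
# operations team backed by an Azure AD group.
assign_readonly_blob_access() {
  sub=$1; rg=$2; acct=$3; container=$4; group_id=$5
  run az role assignment create --assignee-object-id "$group_id" --assignee-principal-type Group \
    --role Reader --scope "$(account_scope "$sub" "$rg" "$acct")"
  run az role assignment create --assignee-object-id "$group_id" --assignee-principal-type Group \
    --role "Storage Blob Data Reader" --scope "$(container_scope "$sub" "$rg" "$acct" "$container")"
}

# Role assignments take minutes to propagate; retry the AAD-authenticated
# listing (no keys involved) until it succeeds or the attempt budget is spent.
wait_for_blob_access() {
  acct=$1; container=$2; attempts=${3:-10}
  i=1
  while [ "$i" -le "$attempts" ]; do
    if run az storage blob list --account-name "$acct" --container-name "$container" \
         --auth-mode login --output none; then
      return 0
    fi
    printf 'data access not visible yet (attempt %s/%s); waiting 60s\n' "$i" "$attempts"
    sleep 60
    i=$((i + 1))
  done
  return 1
}

# Usage: DRY_RUN=0 ./grant-ops-read.sh SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT CONTAINER OPS_GROUP_OBJECT_ID
if [ "$#" -eq 5 ]; then
  assign_readonly_blob_access "$1" "$2" "$3" "$4" "$5"
  wait_for_blob_access "$3" "$4"
fi
```

Because the verification step signs in as the person running the script, run it as (or on behalf of) a member of the operations group to confirm the container listing works once propagation finishes; the answer's point that key-based clients such as Storage Explorer still fail is unaffected by these assignments.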



Source: https://stackoverflow.com/questions/50006148/rbac-access-to-azure-storage-preview-roles-not-acting-as-expected
