Scenario
Suppose you have a specific requirement wherein the user should not have access to view the File Share, Queue, and Table Storage Services Data. The user should only be able to access and view the containers within the storage account. In this blog, we will delve into the methods and techniques to fulfil this requirement.
Assessment:
Azure Storage provides several built-in roles that can be used to restrict users from executing certain operations on the Azure Storage account. However, to fulfil the requirement above, the role permissions have to be customized to the specific needs and constraints.
Steps to be followed:
You can use the Azure portal, PowerShell, or the Azure CLI to create a custom RBAC role.
Pre-requisites:
- Azure Storage account: you can use a GPv2 storage account.
- Ensure that you have enough permissions to create custom roles, such as Owner or User Access Administrator.
Using the Azure portal, we will create a custom role named “TestCustomRBACRole” which will restrict the user from viewing File Share, Queue and Table Storage Service data.
Step 1:
- Sign in to the Azure portal with your credentials.
- Go to the resource group where you would like the role to be scoped.
- Select Access control (IAM) -> Add -> Add custom role.
Step 2:
We will create a custom role named “TestCustomRBACRole”. The Baseline permissions setting decides whether you create the custom role by cloning and then modifying an existing role, or by starting from scratch.
Here, I choose the option "Start from scratch".
Step 3:
Click on Add permissions.
Step 4:
Search for permissions to add to your custom role. In our case we will search for “Microsoft Storage” to find permissions related to the storage account.
Add/Include Permission
After selecting Azure Storage, search for blob and select the permissions below. In our scenario we will select only the Read, Write and Delete operations for blob and container.
To obtain information about a specific storage account, we need to add the additional permission below as well. If we don't add the "Read: List/Get Storage Account(s)" permission, we won't be able to access the storage account within that resource group.
Step 5:
The finalized format of the Custom Role-Based Access Control (RBAC) role is as follows, with the scope set at the resource group level. This role was created by selecting the "create" option.
Step 6:
Once the role has been created, we can assign it to the user by following the steps below:
- Azure portal -> Resource group
- Access control (IAM) -> Add -> Add role assignment
- From the role assignment, choose the custom role you have created and assign it to the user. In our case the custom role name is TestCustomRBACRole.
Step 7:
The storage account <testforsourabh> was deployed under the resource group where the custom RBAC role <TestCustomRBACRole> was assigned to the user.
The operations below were checked by the user to see if the RBAC role was working appropriately:
- User can view the container
- User gets an "Access denied" error when clicking on File Share
- User would not be able to see any data in the queue, but there would be no error
- User will get a "Permission denied" error for table storage as well
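The role from Step 5 and the checks from Step 7, as an added example that is not part of the original post: the script writes the role as a role-definition JSON document and checks locally which storage services it can reach, next to a constructed over-broad role for contrast. The mapping of the portal selections to operation names, the placeholder scope, the `BROAD` role and the simplified wildcard matcher are assumptions of this example.

```python
import json
import re

_SA = "Microsoft.Storage/storageAccounts/"
# Assumed mapping of the portal selections described in the post to operation names.
ROLE = {
    "Name": "TestCustomRBACRole",
    "IsCustom": True,
    "Description": "Blob containers only; no file share, queue or table data.",
    "Actions": [
        _SA + "read",  # "Read: List/Get Storage Account(s)"
        _SA + "blobServices/containers/read",
        _SA + "blobServices/containers/write",
        _SA + "blobServices/containers/delete",
    ],
    "NotActions": [],
    "DataActions": [_SA + "blobServices/containers/blobs/" + v for v in ("read", "write", "delete")],
    "NotDataActions": [],
    # Placeholder scope: substitute your own subscription and resource group.
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
}
# Constructed over-broad variant, for contrast only (not from the post).
BROAD = dict(ROLE, Name="TooBroadExample",
             Actions=["Microsoft.Storage/*/read"], DataActions=["Microsoft.Storage/*"])
# One (control-plane, data-plane) read operation per storage service.
PROBES = {
    "blob": (_SA + "blobServices/containers/read", _SA + "blobServices/containers/blobs/read"),
    "file": (_SA + "fileServices/shares/read", _SA + "fileServices/fileshares/files/read"),
    "queue": (_SA + "queueServices/queues/read", _SA + "queueServices/queues/messages/read"),
    "table": (_SA + "tableServices/tables/read", _SA + "tableServices/tables/entities/read"),
}

def _matches(pattern, op):
    # Simplified model: '*' matches any substring, comparison is case-insensitive.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, op, re.IGNORECASE) is not None

def grants(role, op, data_plane=False):
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    return (any(_matches(p, op) for p in role[allow])
            and not any(_matches(p, op) for p in role[deny]))

def reachable_services(role):
    return sorted(name for name, (ctrl, data) in PROBES.items()
                  if grants(role, ctrl) or grants(role, data, data_plane=True))

if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))  # role definition as JSON
    print({r["Name"]: reachable_services(r) for r in (ROLE, BROAD)})
```

With the placeholder scope filled in, the JSON for `ROLE` can be saved to a file and passed to `az role definition create --role-definition` to create the role from the Azure CLI instead of the portal.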
Hope this helps!