Setting Managed Identity for Azure BLOBs

Question

For my Azure Storage Account | BLOBs, I want to use a Managed Identity so that my web app can:

Create the needed containers if they don't already exist
CRUD BLOBs, with metadata set for them
Create a Read access SAS for private BLOBs

Is Storage Blob Data Contributor the correct role to assign?

And what Job function roles or Privileged administrator roles should I set for a user that needs the ability to do anything?

score 0 · Accepted Answer · answered Jul 30 '23 at 07:54

Is Storage Blob Data Contributor the correct role to assign?

Yes, for the 3 tasks you mentioned this role should be sufficient. However, please note that you can only create User Delegation SAS using Storage Blob Data Contributor role. If you want to create a Service SAS or Account SAS, you would need storage account key.

Please see these links for more details for Storage Blob Data Contributor role:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor

https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-blob-service-operations

I only need this (at present) to create a SAS for individual BLOBs one at a time. So User Delegation SAS is what I want for that - correct? TIA — David Thielen, Jul 30 '23 at 14:12

Setting Managed Identity for Azure BLOBs

1 Answers1