Create Custom RBAC Role for Azure Storage Account Access

D

To 'Read a storage account', ie. list the blobs in the storage account, you need an 'Action' permission.

To read the data in a storage account, ie. open a blob, you need a 'DataAction' permission.

The property of the RBAC role definition that you should configure to provide permission to read the Azure Storage account is "Actions[]".

RBAC allows you to create custom roles to control access to resources within an Azure subscription. The role definition includes a set of actions that a user or group can perform on the resource. In this case, to provide permission to read the Azure Storage account, you need to define a custom role with the appropriate actions.

The "Actions[]" property in the RBAC role definition specifies the set of actions that are allowed for a given role. For example, the actions required to read an Azure Storage account include "Microsoft.Storage/storageAccounts/read" and "Microsoft.Storage/storageAccounts/listKeys/action".

To create a custom role with the required permissions, you can use the Azure Portal, Azure PowerShell, or Azure CLI. Here is an example PowerShell script to create a custom role:

PowerShellCopy code
$roleDefinition = @{   Name = "Storage Account Reader"   Description = "Read access to an Azure Storage account"   Actions = @( "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/listKeys/action" )   NotActions = @()   DataActions = @()   NotDataActions = @()   AssignableScopes = @("/subscriptions/{subscriptionId}") }  New-AzRoleDefinition @roleDefinition 

In this example, the "Actions[]" property is configured with the required actions to read an Azure Storage account. The "AssignableScopes[]" property specifies the scope of the custom role, which is limited to the current subscription.

In summary, the property of the RBAC role definition that you should configure to provide permission to read the Azure Storage account is "Actions[]".