I have an Azure Storage Account and want to grant read access to a colleague. All identities are in the same Azure Active Directory, so it was easy to add him to the "Reader" role in the Access Control blade of the Azure portal.
When he opens Microsoft Azure Storage Explorer, the subscription and storage account are visible, but the node for Blob Containers can't be expanded. The exception says:
Could not obtain keys for Storage Account. Please check that you have the correct permissions
Open your storage account page and select Settings > Access keys. In the Select Resource panel of the Connect to Azure Storage dialog, select Storage account. Select Account name and key and select Next. Enter a display name for your connection, the name of the account, and one of the account keys.
In the Azure portal, go to your storage account. Under Security + networking, select Access keys. Your account access keys appear, as well as the complete connection string for each key. Select Show keys to show your access keys and connection strings and to enable buttons to copy the values.
The Owner role includes all actions, including the Microsoft.Storage/storageAccounts/listkeys/action, so a user with this administrative role can also access blob data with the account key.
The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.
This is expected behavior. Essentially, to list storage keys the user should be in a role that allows the listKeys operation. The built-in Reader role does not have permission to perform the listKeys operation.
The rationale (a bit convoluted though) behind this decision is that a user in the Reader role should only be able to read and not perform any inserts, updates or deletes. If someone has the account key for a storage account, they can do these operations. Thus the user in the Reader role is not granted permission to list the account keys.
What you could do is create a Shared Access Signature (SAS) with read/list permissions and share that SAS URL with your colleague. They will then be able to access the data in that storage account but won't be able to perform any create/update/delete operations.
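The SAS approach from the answer, as an added example that is not part of the original post: the key holder mints a container SAS carrying only read and list permissions, and a second function audits any SAS URL before it is handed out. It assumes a constructed account name, container and base64 account key, a fixed clock for reproducibility, and follows the documented service SAS string-to-sign for sv=2020-12-06.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAS_VERSION = "2020-12-06"
PERM_ORDER = "racwdxyltfmei"                                 # order the service requires in 'sp'
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_KEY = base64.b64encode(b"\x01" * 64).decode()          # constructed, not a real account key
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)       # fixed clock so the demo is repeatable

def build_container_sas(account, key_b64, container, perms="rl", hours=24, now=None):
    """Sign a service SAS for one container granting only the permissions in `perms`."""
    bad = set(perms) - set(PERM_ORDER)
    if bad:
        raise ValueError(f"unknown permission(s): {sorted(bad)}")
    sp = "".join(p for p in PERM_ORDER if p in perms)        # canonical order, e.g. 'lr' -> 'rl'
    now = now or datetime.now(timezone.utc)
    st, se = now.strftime(TIME_FMT), (now + timedelta(hours=hours)).strftime(TIME_FMT)
    # String-to-sign for a container SAS: 16 newline-separated fields; identifier, IP,
    # snapshot time, encryption scope and the rsc* response headers are left empty here.
    fields = [sp, st, se, f"/blob/{account}/{container}", "", "", "https",
              SAS_VERSION, "c", "", "", "", "", "", "", ""]
    mac = hmac.new(base64.b64decode(key_b64), "\n".join(fields).encode(), hashlib.sha256)
    sig = base64.b64encode(mac.digest()).decode()
    q = {"sv": SAS_VERSION, "sr": "c", "sp": sp, "st": st, "se": se, "spr": "https", "sig": sig}
    return f"https://{account}.blob.core.windows.net/{container}?{urlencode(q)}"

def audit_sas(url, allowed="rl", max_hours=7 * 24, now=None):
    """Findings for a SAS URL that grants more than `allowed`, lives too long, or permits HTTP."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    now = now or datetime.now(timezone.utc)
    findings = []
    extra = set(q.get("sp", "")) - set(allowed)
    if extra:
        findings.append(f"permissions beyond {allowed}: {''.join(sorted(extra))}")
    if "se" not in q:
        findings.append("no expiry (se) set")
    elif datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc) - now > timedelta(hours=max_hours):
        findings.append(f"expiry more than {max_hours}h out")
    if q.get("spr") != "https":                              # absent spr means both protocols allowed
        findings.append("does not require HTTPS (spr)")
    return findings

def demo():
    """Mint a read/list SAS (clean) and a read/write/delete SAS (flagged) for comparison."""
    ok = build_container_sas("examplestore", DEMO_KEY, "reports", "lr", hours=2, now=FIXED_NOW)
    bad = build_container_sas("examplestore", DEMO_KEY, "reports", "rwdl", hours=24 * 30, now=FIXED_NOW)
    return ok, audit_sas(ok, now=FIXED_NOW), bad, audit_sas(bad, now=FIXED_NOW)
```

Only the URL leaves the key holder's machine; the colleague never sees the account key, and the signature binds the permissions and expiry so neither can be edited without invalidating it.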