| author | mattchenderson |
|---|---|
| ms.service | azure-functions |
| ms.topic | include |
| ms.date | 10/08/2021 |
| ms.author | mahender |
You need to create a role assignment that provides access to your blob container at runtime. Management roles like Owner aren't sufficient. The following table shows built-in roles that are recommended when using the Blob Storage extension in normal operation. Your application may require further permissions based on the code you write.
| Binding type | Example built-in roles |
|---|---|
| Trigger | Storage Blob Data Owner and Storage Queue Data Contributor<sup>1</sup><br/>Extra permissions must also be granted to the AzureWebJobsStorage connection.<sup>2</sup> |
| Input binding | Storage Blob Data Reader |
| Output binding | Storage Blob Data Owner |
<sup>1</sup> The blob trigger handles failure across multiple retries by writing poison blobs to a queue on the storage account specified by the connection.

<sup>2</sup> The AzureWebJobsStorage connection is used internally for blobs and queues that enable the trigger. If it's configured to use an identity-based connection, it needs extra permissions beyond the default requirement. The required permissions are covered by the Storage Blob Data Owner, Storage Queue Data Contributor, and Storage Account Contributor roles. To learn more, see Connecting to host storage with an identity.
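The following script is an added example, not part of the Azure documentation, showing how the role assignments in the table above can be granted to a function app's system-assigned managed identity with the Azure CLI. It covers the trigger case, which needs the most: Storage Blob Data Owner on the triggered container, Storage Queue Data Contributor on the same account for the poison-blob queue, and, because AzureWebJobsStorage is assumed here to be identity-based too, the three roles from footnote 2 on the host storage account. All subscription, resource group, account and container names are placeholders; scoping the blob role to a single container rather than the whole account is a least-privilege choice made in this example. The CLI commands are only printed unless `APPLY=1` is set, so the output can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure docs: grant the Blob Storage extension roles
# to a function app's system-assigned managed identity.
# All names below are hypothetical placeholders; override them via the environment.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
FUNCTION_APP="${FUNCTION_APP:-func-example}"
DATA_ACCOUNT="${DATA_ACCOUNT:-stdataexample}"   # account holding the triggered container
CONTAINER="${CONTAINER:-incoming}"
HOST_ACCOUNT="${HOST_ACCOUNT:-sthostexample}"   # account behind AzureWebJobsStorage
APPLY="${APPLY:-0}"                             # 1 = run the az commands, 0 = dry run

# ARM resource ID of a whole storage account.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$1"
}

# ARM resource ID of one blob container (account, container).
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1")" "$2"
}

# Print one role assignment command and, when APPLY=1, execute it.
# Args: principal object ID, role name, scope.
# --assignee-principal-type avoids a directory lookup that can fail for
# a freshly created identity that has not replicated yet.
assign_role() {
  cmd=$(printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s' \
    "$1" "$2" "$3")
  echo "$cmd"
  if [ "$APPLY" = "1" ]; then eval "$cmd"; fi
}

# Roles for a blob trigger on the data account (table row "Trigger").
# The queue role is needed on the account so the runtime can write poison blobs to a queue there.
trigger_roles() {
  assign_role "$1" "Storage Blob Data Owner" "$(container_scope "$DATA_ACCOUNT" "$CONTAINER")"
  assign_role "$1" "Storage Queue Data Contributor" "$(account_scope "$DATA_ACCOUNT")"
}

# Extra roles for an identity-based AzureWebJobsStorage connection (footnote 2).
host_storage_roles() {
  for role in "Storage Blob Data Owner" "Storage Queue Data Contributor" "Storage Account Contributor"; do
    assign_role "$1" "$role" "$(account_scope "$HOST_ACCOUNT")"
  done
}

main() {
  if [ "$APPLY" = "1" ]; then
    # Object ID of the app's system-assigned identity.
    principal_id=$(az functionapp identity show --name "$FUNCTION_APP" \
      --resource-group "$RESOURCE_GROUP" --query principalId -o tsv)
  else
    principal_id="11111111-1111-1111-1111-111111111111"   # placeholder for the dry run
  fi
  trigger_roles "$principal_id"
  host_storage_roles "$principal_id"
}

main "$@"
```

Run it once without `APPLY` to inspect the five commands, then with `APPLY=1` after `az login`. Role assignments can take a few minutes to propagate, so a trigger that fails with an authorization error immediately after assignment is not necessarily misconfigured. The Owner role on the subscription or account does not replace any of these data-plane roles, as the text above notes.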