Skip to content

Latest commit

 

History

History
53 lines (40 loc) · 4.83 KB

File metadata and controls

53 lines (40 loc) · 4.83 KB
title Azure roles required to assign storage tasks
titleSuffix Azure Storage Actions
description Learn about the roles required to create a storage task assignment and the roles required by the managed identity of a storage task to operate on a storage account.
services storage
author normesta
ms.service azure-storage-actions
ms.custom build-2023-metadata-update
ms.topic reference
ms.date 05/05/2025
ms.author normesta

Azure roles required to assign tasks

This article describes the least privileged built-in Azure roles or RBAC actions required to manage a storage task assignment.

Permission to manage storage task assignments

To create an assignment, your identity must be assigned either the Storage Actions Task Assignment Contributor as built-in role or a custom role that contains the following RBAC actions:

  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Storage/storageAccounts/reports/read
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/storageTaskAssignments/read
  • Microsoft.Storage/storageAccounts/storageTaskAssignments/write
  • Microsoft.Storage/storageAccounts/storageTaskAssignments/delete
  • Microsoft.Storage/storageAccounts/storageTaskAssignments/reports/read

To learn how to create a custom role, see Azure custom roles.

Permission for a task to perform operations

As you create an assignment, you must choose an Azure built-in or custom role that has the permission necessary to perform the specified operations on the target storage account or storage account container. That role is assigned to the managed identity of the storage task. You can choose only roles that are assigned to your user identity.

The Storage Blob Data Owner role provides all of the permissions necessary for a storage task to perform all data operations. If you prefer to use a custom role, you must make sure that your role contains the RBAC actions necessary to perform the operations. The following table shows the RBAC actions required by each operation.

| Permission | RBAC actions for a custom role | |---|---|---| | SetBlobTier | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | SetBlobExpiry |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | | SetBlobTags |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | | SetBlobImmutabilityPolicy |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Microsoft.Storage/storageAccounts/blobServices/containers/write | | SetBlobLegalHold |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Microsoft.Storage/storageAccounts/blobServices/containers/write | | DeleteBlob |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | | UndeleteBlob |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Microsoft.Storage/storageAccounts/blobServices/containers/write |

See also