| title | include file |
|---|---|
| description | include file |
| services | storage |
| author | alexwolfmsft |
| ms.service | azure-storage |
| ms.topic | include |
| ms.date | 10/11/2022 |
| ms.author | alexwolf |
| ms.custom | include file |
When developing locally, make sure that the user account that is accessing the queue data has the correct permissions. You'll need Storage Queue Data Contributor to read and write queue data. To assign yourself this role, you'll need to be assigned the User Access Administrator role, or another role that includes the `Microsoft.Authorization/roleAssignments/write` action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. You can learn more about the available scopes for role assignments on the scope overview page.
In this scenario, you'll assign permissions to your user account, scoped to the storage account, to follow the Principle of Least Privilege. This practice gives users only the minimum permissions needed and creates more secure production environments.
The following example will assign the Storage Queue Data Contributor role to your user account, which provides both read and write access to queue data in your storage account.
Important
In most cases it will take a minute or two for the role assignment to propagate in Azure, but in rare cases it may take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
- In the Azure portal, locate your storage account using the main search bar or left navigation.
- On the storage account overview page, select Access control (IAM) from the left-hand menu.
- On the Access control (IAM) page, select the Role assignments tab.
- Select + Add from the top menu and then Add role assignment from the resulting drop-down menu.

  :::image type="content" source="../../../articles/storage/common/media/assign-role-system-identity.png" alt-text="A screenshot showing how to assign a role.":::

- Use the search box to filter the results to the desired role. For this example, search for Storage Queue Data Contributor, select the matching result, and then choose Next.
- Under Assign access to, select User, group, or service principal, and then choose + Select members.
- In the dialog, search for your Microsoft Entra username (usually your user@domain email address) and then choose Select at the bottom of the dialog.
- Select Review + assign to go to the final page, and then Review + assign again to complete the process.

To assign a role at the resource level using the Azure CLI, you first must retrieve the resource id using the az storage account show command. You can filter the output properties using the --query parameter.

```azurecli
az storage account show --resource-group '<your-resource-group-name>' --name '<your-storage-account-name>' --query id
```

Copy the output Id from the preceding command. You can then assign roles using the az role command of the Azure CLI.

```azurecli
az role assignment create --assignee "<user@domain>" \
    --role "Storage Queue Data Contributor" \
    --scope "<your-resource-id>"
```

To assign a role at the resource level using Azure PowerShell, you first must retrieve the resource ID using the Get-AzResource command.

```powershell
Get-AzResource -ResourceGroupName "<yourResourceGroupname>" -Name "<yourStorageAccountName>"
```

Copy the Id value from the preceding command output. You can then assign roles using the New-AzRoleAssignment command in PowerShell.

```powershell
New-AzRoleAssignment -SignInName "<user@domain>" `
    -RoleDefinitionName "Storage Queue Data Contributor" `
    -Scope "<yourStorageAccountId>"
```
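
After assigning the role by any of the methods above, you can check that no Storage Queue Data Contributor assignment sits at a broader scope than the storage account. The following is an added example, not part of the original article: it audits JSON shaped like the output of `az role assignment list --all --output json`, and the sample records, principal names, resource names and subscription ID are constructed.

```python
import json
import re

ROLE = "Storage Queue Data Contributor"
# Azure RBAC scope shapes, broadest first (resource IDs are case-insensitive).
_SUB = r"/subscriptions/[^/]+"
_RG = _SUB + r"/resourceGroups/[^/]+"
_SA = _RG + r"/providers/Microsoft\.Storage/storageAccounts/[^/]+"
_LEVELS = [
    ("management-group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", _SUB),
    ("resource-group", _RG),
    ("storage-account", _SA),
    ("queue", _SA + r"/queueServices/default/queues/[^/]+"),
]
# Assumption: storage-account scope (as in this walkthrough) or narrower is acceptable.
ACCEPTABLE = {"storage-account", "queue"}


def scope_level(scope):
    """Classify a role-assignment scope string by how much it covers."""
    for name, pattern in _LEVELS:
        if re.fullmatch(pattern, scope.rstrip("/"), flags=re.IGNORECASE):
            return name
    return "unknown"  # root "/" or a resource type not modelled here


def broad_assignments(assignments_json, role=ROLE):
    """Return (principal, level, scope) for each `role` assignment broader than ACCEPTABLE."""
    findings = []
    for item in json.loads(assignments_json):
        if item.get("roleDefinitionName") != role:
            continue
        scope = item.get("scope", "")
        level = scope_level(scope)
        if level not in ACCEPTABLE:
            findings.append((item.get("principalName"), level, scope))
    return findings


# Constructed sample input, shaped like the CLI's JSON output.
BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SAMPLE = json.dumps([
    {"principalName": "dev@example.com", "roleDefinitionName": ROLE,
     "scope": BASE + "/providers/Microsoft.Storage/storageAccounts/stdemo"},
    {"principalName": "ci@example.com", "roleDefinitionName": ROLE, "scope": BASE},
    {"principalName": "ops@example.com", "roleDefinitionName": "Reader", "scope": BASE},
])
if __name__ == "__main__":
    for principal, level, scope in broad_assignments(SAMPLE):
        print(f"{principal}: {ROLE} at {level} scope ({scope})")
```

An empty result means every assignment of the role is at storage-account or queue scope; scopes the classifier does not recognize are reported as `unknown` so they get a manual look.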