In Azure, I have an admin role. In Active Directory, I have added a new user. I need to grant that user permission to access our storage account with a contributor role. I'm confused between the Contributor and Storage Account Contributor roles. What if I granted permission on my storage account only for the Contributor role rather than the Storage Account Contributor role? And what will happen if I give permission for either one or both roles? Can someone explain it to me clearly?
CodePudding user response:
The difference is the scope of the permissions.
The general Contributor role:
Grants full access to manage all resources
The storage account contributor:
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
(docs)
So if you want to limit a user to only be able to manage specific resource types, assign them those specific service contributor roles.
Both can also access the data inside the storage account because they have access to the account key.
CodePudding user response:
A Storage Account Contributor role enables a user to manage almost all aspects of a storage account (e.g. update the storage account, read access keys, regenerate access keys, and even delete the storage account, etc.).
A Contributor role has a much larger scope and it enables a user to manage almost all aspects of any resource in an Azure subscription.
Now coming to your questions:
What if I granted permission to my storage account only for the contributor role rather than the storage account contributor roles?
Considering you are scoping the role to a storage account only, I believe it would be the same.
And what will happen if I give permission for either one or both roles?
If you assign both roles (Contributor and Storage Account Contributor) to a resource, normally the higher role (Contributor in this case) prevails. However, in this scenario, since you are scoping the role to a storage account only, I believe it would be the same.
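Added example (my own code, not from either answerer or from Microsoft): a small Python model of how Azure RBAC evaluates role assignments, loaded with abridged copies of the two built-in role definitions, to make concrete what both answers above describe. Scoped to the storage account alone, Contributor and Storage Account Contributor permit the same management operations on that account (including listing and regenerating the access keys); neither lets the user assign roles to others (Contributor excludes `Microsoft.Authorization` writes through its NotActions, Storage Account Contributor never had them); neither carries any DataActions, so data access goes through the keys, as both answers say; and it is widening Contributor's scope to the resource group, not the role itself, that reaches unrelated resources. Azure RBAC is additive (the union of all matching assignments), so holding both roles at this scope grants nothing beyond either alone. The role definitions are abridged from the public ones and should be checked with `az role definition list --name "<role>"`; the subscription id, resource group and account names are made up.

```python
"""Toy Azure RBAC evaluator: Contributor vs Storage Account Contributor on one storage account.

Role definitions are ABRIDGED copies of the built-in ones (verify with
`az role definition list --name "<role>"`); scopes and names are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()
    data_actions: tuple = ()       # both roles below have none: no identity-based blob access
    not_data_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str                      # applies to this scope and everything beneath it


ROLES = {
    "Contributor": RoleDefinition(
        name="Contributor",
        actions=("*",),
        not_actions=(               # abridged
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
        ),
    ),
    "Storage Account Contributor": RoleDefinition(
        name="Storage Account Contributor",
        actions=(                   # abridged
            "Microsoft.Authorization/*/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Insights/diagnosticSettings/*",
            "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
            "Microsoft.ResourceHealth/availabilityStatuses/read",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Storage/storageAccounts/*",
            "Microsoft.Support/*",
        ),
    ),
}


def _matches(pattern, operation):
    # Azure's '*' spans any characters, '/' included; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def _scope_covers(assignment_scope, resource_scope):
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_permits(role, operation, data_plane=False):
    allow = role.data_actions if data_plane else role.actions
    deny = role.not_data_actions if data_plane else role.not_actions
    return any(_matches(p, operation) for p in allow) and not any(_matches(p, operation) for p in deny)


def is_allowed(assignments, principal, operation, resource_scope, data_plane=False):
    """Additive model: allowed if ANY matching assignment permits the operation.
    (Real Azure also checks deny assignments first; not modelled here.)"""
    return any(a.principal == principal and _scope_covers(a.scope, resource_scope)
               and role_permits(ROLES[a.role], operation, data_plane) for a in assignments)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"          # made up
RG = SUB + "/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo001"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-demo"

ACCOUNT_OPERATIONS = (
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
    "Microsoft.Authorization/roleAssignments/write",                  # granting others access
)


def allowed_operations(*role_names, scope=ACCOUNT):
    """Which ACCOUNT_OPERATIONS a user holding the given role(s) at `scope` may run on the account."""
    user = [RoleAssignment("alice", r, scope) for r in role_names]
    return frozenset(op for op in ACCOUNT_OPERATIONS if is_allowed(user, "alice", op, ACCOUNT))


def can_reach_vm(role_name, scope):
    user = [RoleAssignment("alice", role_name, scope)]
    return is_allowed(user, "alice", "Microsoft.Compute/virtualMachines/read", VM)


def can_read_blob_with_identity(role_name):
    user = [RoleAssignment("alice", role_name, ACCOUNT)]
    blob_scope = ACCOUNT + "/blobServices/default/containers/data"
    return is_allowed(user, "alice", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                      blob_scope, data_plane=True)


if __name__ == "__main__":
    for role in ROLES:
        print(role, sorted(allowed_operations(role)), "vm via RG:", can_reach_vm(role, RG))
```

To actually assign at that scope from the CLI, the resource id is what `az storage account show -n <name> -g <rg> --query id -o tsv` returns, and the assignment is `az role assignment create --assignee <object-id> --role "Storage Account Contributor" --scope <that-id>`; the model above is only to reason about what the assignment will and will not permit.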