I am new to Azure Functions and I want to create a queue trigger function to consume the items in a specific queue. But when I create a queue trigger function in VS Code, it keeps showing that I lack some permissions.
The client 'live.com#***@gmail.com' with object id '***' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/**/resourceGroups/***/providers/Microsoft.Storage/storageAccounts/***' or the scope is invalid. If access was recently granted, please refresh your credentials.
The permissions I am now obtaining for this queue are as follows:
The permissions I am now obtaining for the storage account are as follows:
I am confused about which kind of permissions I need to create a queue triggered function to consume items in a specific queue.
Thank you!
CodePudding user response:
When creating a function from VS Code using the Azure SDK, it will try to get the access key of the storage: by default this is how you can authenticate to the storage. The error you're receiving is saying that you don't have permission to list the storage access keys.
From this documentation, these are the roles that have the Microsoft.Storage/storageAccounts/listkeys/action RBAC action:
- The Reader and Data Access role
- The Storage Account Contributor role
- The Azure Resource Manager Contributor role
- The Azure Resource Manager Owner role
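The check behind the error above, as an added example that is not part of the original answer: Azure RBAC allows an action when a role's `actions` patterns match it (wildcards, case-insensitive) and no `notActions` pattern does. The role definitions below are abbreviated samples constructed for illustration in a simplified shape, and the function names are hypothetical; compare against the output of `az role definition list` for your tenant.

```python
import re

REQUIRED = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed, abbreviated role definitions (not a full export).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Storage Queue Data Contributor": {"actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
    ], "notActions": []},
    "Reader and Data Access": {"actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read",
    ], "notActions": []},
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
    ]},
    "Owner": {"actions": ["*"], "notActions": []},
}

def matches(pattern, action):
    """Match an RBAC pattern: '*' spans any characters, case is ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants(role_def, action):
    """A role grants an action if actions match it and notActions do not."""
    allowed = any(matches(p, action) for p in role_def["actions"])
    excluded = any(matches(p, action) for p in role_def["notActions"])
    return allowed and not excluded

def roles_granting(assigned, action=REQUIRED):
    """Return the assigned role names that would authorize the action."""
    return [name for name in assigned if grants(ROLES[name], action)]

if __name__ == "__main__":
    # Constructed assignment: read access plus queue data access only.
    print(roles_granting(["Reader", "Storage Queue Data Contributor"]))
    print(roles_granting(list(ROLES)))
```

Every role this reports can read the account keys, which give full access to the storage account, so it also works as a quick audit of who holds that capability on a scope.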
CodePudding user response:
Azure AD roles and Azure roles are two different things. You have to assign the Azure roles to the applications you're working with.
It means assigning the storage contributor role on the storage account, which in turn means you have to grant the service principal that is running your application the storage contributor role on the storage account.
Yes! As Thomas said, the permissions required for the storage account access keys, along with the Storage Contributor role, were Reader and Data Access, ARM Contributor and ARM Owner role.
I believe any one role from the above is required.
Refer to Azure storage account access keys for more information.