I'm having trouble getting a new user with a Contributor role to access blob data in our Azure storage account. I've followed the instructions from Microsoft which state that users should be assigned a role with access to blob data, but even after adding this new user as a Contributor at both the subscription level and the storage account level, they can't see anything in the storage account. What might be going wrong? Am I missing something?
3 Answers
Historically, you needed specific roles like Storage Blob Data Contributor for access, but I’ve noticed some changes. It seems that the standard Contributor role might grant those same permissions if created after a specific date. Just be cautious, as it may not always work that way for every user.
It sounds like the problem is that the Contributor role doesn't allow for data actions. You need to assign them a role like 'Storage Blob Data Reader' or 'Storage Blob Data Contributor' to give them access to the blob data. Check out the link for details on assigning those roles!
So, aside from the specific blob roles, does that mean others just won't help with blob data at all?
Yep, that's right! Only those blob-specific roles will do the trick.
I had a similar issue once. We found that granting the user read access on the resource group helped a lot. Since the storage account was placed separately, they couldn't see it at all in Storage Explorer without that permission.
So you're saying Contributor may not fully allow data access unless created recently? That sounds confusing.
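The control-plane versus data-plane split that the second answer describes, as an added example that is not part of the thread: an evaluator that checks which assigned roles grant a given operation. The role definitions are abbreviated copies of the built-in ones typed in for this example, and the function names are hypothetical, not an Azure API.

```python
from fnmatch import fnmatchcase

# Abbreviated, typed-in copies of built-in role definitions (constructed for
# this example; the real definitions list more entries).
BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers"
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
        "data_actions": [], "not_data_actions": [],
    },
    "Storage Blob Data Reader": {
        "actions": [BLOB + "/read"],
        "not_actions": [],
        "data_actions": [BLOB + "/blobs/read"], "not_data_actions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": [BLOB + "/read", BLOB + "/write", BLOB + "/delete"],
        "not_actions": [],
        "data_actions": [BLOB + "/blobs/read", BLOB + "/blobs/write",
                         BLOB + "/blobs/delete"],
        "not_data_actions": [],
    },
}

ACCOUNT_READ = "Microsoft.Storage/storageAccounts/read"  # control plane
BLOB_READ = BLOB + "/blobs/read"                         # data plane
BLOB_WRITE = BLOB + "/blobs/write"                       # data plane


def _matches(patterns, operation):
    # Operation strings are compared case-insensitively; '*' is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role, operation, data_plane):
    # Data operations are checked only against DataActions/NotDataActions,
    # so the "*" in Contributor's Actions never applies to blob content.
    allow, deny = (("data_actions", "not_data_actions") if data_plane
                   else ("actions", "not_actions"))
    return _matches(role[allow], operation) and not _matches(role[deny], operation)


def granting_roles(assigned, operation, data_plane):
    """Names of the assigned roles that grant the operation."""
    return [n for n in assigned if role_allows(ROLES[n], operation, data_plane)]
```

With only a blob data role assigned, `granting_roles(["Storage Blob Data Reader"], ACCOUNT_READ, False)` is empty, which matches the third answer's observation that the account was not visible until a read permission on the management side was added.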