Azure/azure-sdk-for-python

How to assign Storage Blob Data Owner role to a user of a storage account

landscapepainter opened this issue · 12 comments

I'm currently creating a storage account using the following script:

from azure.mgmt.storage import StorageManagementClient

self.storage_client = StorageManagementClient(credential, subscription_id)
self.storage_client.storage_accounts.begin_create(
    self.resource_group_name, self.storage_account_name, {
        'sku': {
            'name': 'Standard_GRS'
        },
        'kind': 'StorageV2',
        'location': self.region,
        'encryption': {
            'services': {
                'blob': {
                    'key_type': 'Account',
                    'enabled': True
                }
            },
            'key_source': 'Microsoft.Storage'
        },
    }).result()

What's a good way to assign the Storage Blob Data Owner role to the user of this storage account after creating it with this script?

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jalauzon-msft @vincenttran-msft.

Hi @landscapepainter - Thanks for opening an issue! We'll take a look asap!

As far as I know, the azure-mgmt-authorization SDK can be used to assign roles. Sample here.

@msyyc - Do you know of a better option?

msyyc commented

Add @ChenxiJiang333 for help.

Hi @landscapepainter, if you want to assign the built-in role Storage Blob Data Owner, its definition id is b7e6dc6d-f1e8-4753-8033-0f276bb0955b. You can pass it to make the assignment through the SDK azure-mgmt-authorization by adding the code below:

import uuid
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
...
# begin_create returns a poller; .result() yields the StorageAccount whose .id is the scope
storage_account = storage_client.storage_accounts.begin_create(...).result()
authorization_client = AuthorizationManagementClient(
    credential=DefaultAzureCredential(),
    subscription_id=subscription_id,
)
authorization_client.role_assignments.create(
    scope=storage_account.id,
    role_assignment_name=str(uuid.uuid4()),  # role assignment names must be GUIDs
    parameters={
        "properties": {
            # your own user's object id, which can be found on the portal
            "principalId": "<your-user-object-id>",
            "principalType": "User",
            "roleDefinitionId": f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
        }
    },
)
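The following is an added example, not code from the thread or from the SDK: it separates building the role assignment request (validating that the scope is a single storage account and that the principal id is a GUID, and deriving a deterministic uuid5 assignment name so a retried script does not mint a new name each run) from submitting it with azure-mgmt-authorization. The function names, the regexes and the lazy SDK import are this example's own choices.

```python
import re
import uuid

# Built-in role definition id for Storage Blob Data Owner (as given in the thread above).
STORAGE_BLOB_DATA_OWNER = "b7e6dc6d-f1e8-4753-8033-0f276bb0955b"
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
_STORAGE_ACCOUNT_ID = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/[^/]+$", re.I)


def build_blob_owner_assignment(storage_account_id, principal_object_id, principal_type="User"):
    """Return (scope, role_assignment_name, parameters) for a Storage Blob Data Owner
    assignment scoped to exactly one storage account.

    The scope is the account's own resource id, so the grant does not spill over to the
    resource group or subscription.  The name is a uuid5 of (scope, principal, role):
    re-running the script yields the same name, so a retry is idempotent rather than
    a second attempt with a fresh uuid4.
    """
    m = _STORAGE_ACCOUNT_ID.match(storage_account_id)
    if not m:
        raise ValueError("scope must be a storage account resource id: %r" % storage_account_id)
    if not _GUID.match(principal_object_id):
        raise ValueError("principalId must be a directory object id (GUID)")
    if principal_type not in ("User", "Group", "ServicePrincipal"):
        raise ValueError("unsupported principalType %r" % principal_type)
    subscription_id = m.group(1)
    role_definition_id = ("/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s"
                          % (subscription_id, STORAGE_BLOB_DATA_OWNER))
    seed = "%s|%s|%s" % (storage_account_id, principal_object_id, STORAGE_BLOB_DATA_OWNER)
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, seed))
    parameters = {"properties": {"principalId": principal_object_id,
                                 "principalType": principal_type,
                                 "roleDefinitionId": role_definition_id}}
    return storage_account_id, name, parameters


def assign_blob_owner(credential, subscription_id, storage_account_id, principal_object_id):
    """Submit the assignment with azure-mgmt-authorization.  The SDK is imported here,
    inside the function, so the pure builder above can be exercised without it installed."""
    from azure.mgmt.authorization import AuthorizationManagementClient
    scope, name, params = build_blob_owner_assignment(storage_account_id, principal_object_id)
    client = AuthorizationManagementClient(credential=credential, subscription_id=subscription_id)
    return client.role_assignments.create(scope=scope, role_assignment_name=name, parameters=params)
```

Pass the `.id` of the `StorageAccount` returned by `begin_create(...).result()` as `storage_account_id`; a subscription or resource-group id is rejected so the grant stays as narrow as the question asks for.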

Hi @landscapepainter. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.