Use the storage account access key

To access file data with the storage account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in role or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include the following, listed in order from least to greatest permissions:

  • The Reader and Data Access role
  • The Storage Account Contributor role
  • The Azure Resource Manager Contributor role
  • The Azure Resource Manager Owner role

When you attempt to access file data in the Azure portal, the portal first checks whether you've been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you've been assigned a role with this action, then the portal uses the storage account key for accessing file data. If you haven't been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account.

When a storage account is locked with an Azure Resource Manager ReadOnly lock, the List Keys operation isn't permitted for that storage account. List Keys is a POST operation, and all POST operations are prevented when a ReadOnly lock is configured for the account. For this reason, when the account is locked with a ReadOnly lock, users must use Microsoft Entra credentials to access file data in the portal.

The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, including the Microsoft.Storage/storageAccounts/listkeys/action, so a user with one of these administrative roles can also access file data with the storage account key.
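The check described above can be reproduced offline when auditing who is able to reach file data through the account key. The following is an added example, not code from the original page or from Microsoft: it evaluates role definitions for the listkeys action, honouring wildcards and `notActions`, and mirrors the portal's choice between the account key and Microsoft Entra credentials. The role definitions are constructed and abbreviated, shaped like `az role definition list` output, and the function names and the "Custom No Keys" role are hypothetical.

```python
import re

LISTKEYS = "Microsoft.Storage/storageAccounts/listkeys/action"

# Constructed, abbreviated role definitions (not the full built-in definitions).
SAMPLE_ROLES = {
    "Reader": {"permissions": [{"actions": ["*/read"], "notActions": []}]},
    "Reader and Data Access": {"permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/read"],
        "notActions": []}]},
    "Storage Account Contributor": {"permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/*"], "notActions": []}]},
    "Owner": {"permissions": [{"actions": ["*"], "notActions": []}]},
    # Hypothetical custom role: storage management with key listing carved out.
    "Custom No Keys": {"permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/*"],
        "notActions": ["Microsoft.Storage/storageAccounts/listkeys/action"]}]},
}

def _matches(pattern, action):
    """Match an RBAC action pattern: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants_listkeys(role_def):
    """True if any permission block allows listkeys and does not exclude it."""
    for perm in role_def.get("permissions", []):
        allowed = any(_matches(p, LISTKEYS) for p in perm.get("actions", []))
        excluded = any(_matches(p, LISTKEYS) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def portal_auth_method(role_defs, readonly_lock=False):
    """Mirror the portal's decision: account key if listkeys is usable, else Entra."""
    if readonly_lock:  # List Keys is a POST, which a ReadOnly lock prevents
        return "entra"
    return "account_key" if any(grants_listkeys(r) for r in role_defs) else "entra"

if __name__ == "__main__":
    for name, role in SAMPLE_ROLES.items():
        print(f"{name}: grants listkeys = {grants_listkeys(role)}")
    owner = [SAMPLE_ROLES["Owner"]]
    print("Owner, no lock:", portal_auth_method(owner))
    print("Owner, ReadOnly lock:", portal_auth_method(owner, readonly_lock=True))
```

Feeding it the real output of `az role definition list` for the roles assigned at a storage account's scope shows which principals can fall back to the account key rather than their Microsoft Entra identity.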

