On Tue, 9 May 2023 at 08:27, Greg Keogh via ozdotnet <ozdotnet@ozdotnet.com> wrote:
>> In the Select Members panel on the right, it'll show users and groups in
>> the list by default, but doesn't show applications. You may just need to
>> search for the application service principal by name.
>
> This morning I sit down with a freshly booted brain, and I've fixed it.
> You're right! ... The list on the right does not list apps, so I started
> typing "S u b..." into the search box and my app with that name prefix
> appears, and I can give the role okay. Now I'm confused ... did I not
> previously start typing into the search box? I can't believe I wouldn't
> have tried that in recent days, but maybe during all the fumbling around I
> didn't ... I dunno.
>
> I assigned the role Reader to my app, but it died with permission failure
> trying to ListKeys (list the storage account keys). It's not obvious which
> Role I should use, so I gave up and made it an Owner role and now it works
> (with overkill).

Following the principle of least privilege**, in addition to Reader you probably want to look at Reader and Data Access <https://learn.microsoft.com/en-au/azure/role-based-access-control/built-in-roles#reader-and-data-access> for Storage Accounts, which provides for the following additional actions that should suit your needs:

"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"

**Note that if the application can read the storage key then, depending on your configuration in regard to allowing storage key access, the application may have full read/write access to the storage account even with read-only RBAC applied.

> *Greg*
>
> --
> ozdotnet mailing list
> To manage your subscription, access archives: https://codify.mailman3.com/
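Added example, not from the thread: a small checker that applies Azure RBAC's Action/NotAction wildcard matching to abbreviated, constructed copies of the roles discussed above (Reader, Reader and Data Access, Contributor, Owner), to show why Reader cannot call listKeys while Reader and Data Access can, and to spell out the footnote's caveat: a role that can list keys has full data-plane access whenever the account still allows shared-key authorization (the `allowSharedKeyAccess` storage account setting). The role definitions are trimmed to the actions needed for the demonstration; the real ones come from `az role definition list`.

```python
"""Which Azure RBAC roles grant a given control-plane action, and what that means for storage data access."""
import re

# Constructed, abbreviated role definitions (Actions / NotActions only).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Reader and Data Access": {
        "actions": [
            "Microsoft.Storage/storageAccounts/ListAccountSas/action",
            "Microsoft.Storage/storageAccounts/listKeys/action",
            "Microsoft.Storage/storageAccounts/read",
        ],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "notActions": []},
}

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC semantics: '*' matches any substring (slashes included),
    # and operation names are compared case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """An action is granted when some Action matches and no NotAction matches."""
    if not any(_matches(p, action) for p in role["actions"]):
        return False
    return not any(_matches(p, action) for p in role["notActions"])


def roles_allowing(action: str) -> list:
    return [name for name, role in ROLES.items() if role_allows(role, action)]


def effective_data_access(role_name: str, allow_shared_key_access: bool) -> str:
    """Describe data-plane reach obtained through the account keys (the caveat above)."""
    if not role_allows(ROLES[role_name], LIST_KEYS):
        return "no key access"
    if allow_shared_key_access:
        return "full read/write via account key"
    return "keys readable but shared-key authorization is disabled"


if __name__ == "__main__":
    print("Roles that can list keys:", roles_allowing(LIST_KEYS))
    for role in ROLES:
        print(f"{role:24s}", effective_data_access(role, allow_shared_key_access=True))
```

The last function is the check worth running before settling on a role: a read-only role name does not mean read-only data access while listKeys plus shared-key authorization are both in play.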