Our SQL Server backs up nightly to Blob storage.
I want some staff members (already in the Active Directory) to be able to view the list of backup files and download them to their machine. Then they can restore the database locally and test it.
These members should not be able to delete these blobs. (Obviously, having team members inadvertently deleting backups is a Bad Thing)
Is it possible to provide a group of users read access to a blob container?
I can bring up an Access Control (IAM) blade of the storage account, then assign a user the role of "Reader".
This user can now view the initial blade of the storage account.
But if he attempts to bring up the BLOB SERVICE \ Containers
blade, he is presented with the text "ACCESS DENIED".
Is there are some way I can assign the user read-access to the containers?
Best Answer
It is a by design behavior, Role
Reader
just can view every thing about resources, but can't change anything, can't read the files under the container.If you want to make users can reader files from this storage account, we should set role
owner
to those accounts.For now, Azure does not support this. If we want user can read files from storage account, we should set role
owner
. If we set user as owner, the user can remove files from that storage account.Even if we set
CanNotDelete
to that storage account, user still can remove files from it. The locks do not restrict how resources perform their own functions. Resource changes are restricted, but resource operations are not restricted.Here a similar case about you, please refer to my answer.
As a workaround, we can use
Azcopy
or other tool to download backup files to local storage(scheduled tasks), and let other users download backup files from local storage.