How to create Custom Read-Write role for Blob Storage in Azure
The simplest way is to use PowerShell in Azure Cloud Shell. Prepare the environment:
cd \home
mkdir workingdir
cd workingdir
Export the existing built-in role to JSON:
Get-AzRoleDefinition -Name "Storage Blob Data Contributor" | ConvertTo-Json | Out-File ReadWriteRole.json
Edit the file: set IsCustom to true, put the correct subscription in AssignableScopes, delete the actions you do not need (only the read and write actions are kept below), and give the role a new Name and Description. The Id does not matter, because Azure assigns one when the role is created:
vi ReadWriteRole.json
{
    "Name": "Custom Role Storage Blob Read Write",
    "Id": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "IsCustom": true,
    "Description": "Custom Role Allows for read, write access to Azure Storage blob containers and data",
    "Actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/4b1caf79-6e4c-49d-8160-5853298"
    ]
}
Save and exit vi: press Escape, type :wq and press Enter.
Add New Custom Role:
New-AzRoleDefinition -InputFile ReadWriteRole.json
Display all custom roles:
Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true } | Format-Table Name, IsCustom
The new custom role can now be assigned in the Portal.
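The same procedure as a script, added here as an example that is not code from the original post: it builds the role from the built-in definition instead of hand-editing JSON, and goes one step further by checking what Azure actually stored and listing who holds the role. It assumes the Az modules are loaded, Connect-AzAccount has been run, and the subscription comes from the current context.

```powershell
# Added example, not code from the original post: build the same read/write role
# from the built-in definition in a script instead of hand-editing JSON, then
# check the created role before anyone is assigned to it.
# Assumptions: Az.Accounts and Az.Resources are loaded, Connect-AzAccount has
# been run, and the scope is taken from the current context rather than typed in.

$scope    = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$roleName = 'Custom Role Storage Blob Read Write'

# Start from the built-in role so the object already has the right shape.
$role = Get-AzRoleDefinition -Name 'Storage Blob Data Contributor'
$role.Id          = $null        # Azure generates the id of a new definition
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = 'Custom Role Allows for read, write access to Azure Storage blob containers and data'

# Allow-list the actions instead of deleting from the built-in list, so actions
# Microsoft adds to the built-in role later do not silently leak into this one.
# generateUserDelegationKey lets the holder mint user delegation SAS tokens; such a
# SAS can never grant more than the holder's own RBAC permissions.
$role.Actions = [System.Collections.Generic.List[string]]@(
    'Microsoft.Storage/storageAccounts/blobServices/containers/read',
    'Microsoft.Storage/storageAccounts/blobServices/containers/write',
    'Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action'
)
$role.DataActions = [System.Collections.Generic.List[string]]@(
    'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read',
    'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'
)
$role.NotActions       = [System.Collections.Generic.List[string]]@()
$role.NotDataActions   = [System.Collections.Generic.List[string]]@()
$role.AssignableScopes = [System.Collections.Generic.List[string]]@($scope)

New-AzRoleDefinition -Role $role | Out-Null

# Verify what Azure actually stored, not what we intended to send.
$created  = Get-AzRoleDefinition -Name $roleName
$granted  = @($created.Actions) + @($created.DataActions)
$tooBroad = $granted | Where-Object { $_ -match '/delete$' -or $_ -match '\*' }
if ($tooBroad) { throw "Role grants more than read/write: $($tooBroad -join ', ')" }

$badScope = $created.AssignableScopes | Where-Object { $_ -ne $scope }
if ($badScope) { throw "Role is assignable outside ${scope}: $($badScope -join ', ')" }

# Audit who holds it (empty right after creation; re-run as a periodic review).
Get-AzRoleAssignment -RoleDefinitionName $roleName |
    Format-Table DisplayName, ObjectType, Scope
```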