
On Tue, 9 May 2023 at 08:27, Greg Keogh via ozdotnet <ozdotnet@ozdotnet.com> wrote:

> > In the Select Members panel on the right, it'll show users and groups in the list by default, but doesn't show applications. You may just need to search for the application service principal by name.
>
> This morning I sit down with a freshly booted brain, and I've fixed it. You're right! ... The list on the right does not list apps, so I started typing "S u b..." into the search box and my app with that name prefix appears, and I can give the role okay. Now I'm confused ... did I not previously start typing into the search box? I can't believe I wouldn't have tried that in recent days, but maybe during all the fumbling around I didn't ... I dunno.
>
> I assigned the role Reader to my app, but it died with permission failure trying to ListKeys (list the storage account keys). It's not obvious which Role I should use, so I gave up and made it an Owner role and now it works (with overkill).
> *Greg*

Following the principle of least privilege**, in addition to Reader you probably want to look at Reader and Data Access <https://learn.microsoft.com/en-au/azure/role-based-access-control/built-in-r...> for Storage Accounts, which provides for the following additional actions that should suit your needs:

"Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/ListAccountSas/action", "Microsoft.Storage/storageAccounts/read"

** Note that if the application can read the storage key then, depending on your configuration in regard to allowing storage key access, the application may have full read/write access to the storage account even with read-only RBAC applied.
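As an added example (not code from the thread, from Greg, or from any Azure SDK), the following Python script makes the role-selection question above concrete. It evaluates Azure RBAC role definitions the way Azure does for control-plane actions: a pattern in Actions matches case-insensitively with `*` standing for any run of characters, and anything matched by NotActions is subtracted. The Reader (`*/read`) and Owner (`*`) action lists are the built-in role definitions as the author of this example knows them, trimmed to what matters here; the Reader and Data Access actions are the three quoted in the reply. The `key_exposure_risk` check encodes the footnote's caveat, assuming the storage account's `allowSharedKeyAccess` property is the switch that controls whether a listed key can be used at all.

```python
"""
Added example, not from the mailing-list thread: evaluate which Azure RBAC role
grants Microsoft.Storage/storageAccounts/listKeys/action without the blanket
permissions of Owner, using Azure's action-matching rules.

Assumptions (not stated in the thread): Reader's Actions are ('*/read',) and
Owner's are ('*',) as in the built-in definitions; the storage account property
allowSharedKeyAccess governs whether a listed key can be used for data access.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]
    not_actions: Tuple[str, ...] = ()


# Built-in role definitions, trimmed to the control-plane actions relevant here.
READER = RoleDefinition("Reader", ("*/read",))
READER_AND_DATA_ACCESS = RoleDefinition(
    "Reader and Data Access",
    (
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
    ),
)
OWNER = RoleDefinition("Owner", ("*",))

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
READ_ACCOUNT = "Microsoft.Storage/storageAccounts/read"


def action_matches(pattern: str, action: str) -> bool:
    """Azure wildcard match: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, action: str) -> bool:
    """True if some Actions pattern matches and no NotActions pattern does."""
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def wildcard_breadth(role: RoleDefinition) -> int:
    """Rough over-grant measure: how many wildcard characters the role's Actions carry."""
    return sum(p.count("*") for p in role.actions)


def least_privilege_role(required: List[str],
                         candidates: List[RoleDefinition]) -> Optional[RoleDefinition]:
    """Pick the candidate that covers every required action with the narrowest grant."""
    covering = [r for r in candidates if all(role_permits(r, a) for a in required)]
    if not covering:
        return None
    return min(covering, key=lambda r: (wildcard_breadth(r), len(r.actions)))


def key_exposure_risk(role: RoleDefinition, allow_shared_key_access: bool) -> bool:
    """
    The footnote's caveat: a principal that can call listKeys holds the account
    key, and the key grants full data-plane access regardless of RBAC unless the
    account's allowSharedKeyAccess property (assumed here) is set to false.
    """
    return role_permits(role, LIST_KEYS) and allow_shared_key_access


if __name__ == "__main__":
    required = [READ_ACCOUNT, LIST_KEYS]
    candidates = [READER, READER_AND_DATA_ACCESS, OWNER]
    for role in candidates:
        verdict = {a.rsplit("/", 2)[-2]: role_permits(role, a) for a in required}
        print(f"{role.name:24s} {verdict}")
    best = least_privilege_role(required, candidates)
    print("least-privilege choice:", best.name if best else None)
    print("key exposure with shared key access enabled:",
          key_exposure_risk(best, allow_shared_key_access=True))
```

Running it shows Reader covering `read` but not `listKeys`, Owner covering everything through its bare `*`, and Reader and Data Access chosen as the narrowest role that satisfies both. The last line is the point of the footnote: once the app can list keys, turning off shared key access on the account is what keeps a read-only role from becoming read/write on the data.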
-- ozdotnet mailing list