articles/storage/common/storage-account-keys-manage.md
Lines changed: 3 additions & 1 deletion
@@ -7,7 +7,7 @@ author: tamram
7
7
8
8
ms.service: storage
9
9
ms.topic: how-to
10
-
ms.date: 12/18/2019
10
+
ms.date: 03/31/2020
11
11
ms.author: tamram
12
12
---
13
13
@@ -49,6 +49,8 @@ Follow this process to rotate your storage account keys:
49
49
> [!NOTE]
50
50
> Microsoft recommends using only one of the keys in all of your applications at the same time. If you use Key 1 in some places and Key 2 in others, you will not be able to rotate your keys without some application losing access.
51
51
52
+
To rotate an account's access keys, the user must either be a Service Administrator, or must be assigned an RBAC role that includes the **Microsoft.Storage/storageAccounts/regeneratekey/action**. Some built-in RBAC roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about built-in RBAC roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage).
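Review bot: The new paragraph lists Owner and Contributor alongside Storage Account Key Operator Service Role without distinguishing how broad they are; because regenerating a key cuts off every client still using the old one, suggest pointing readers to the narrowest role that carries Microsoft.Storage/storageAccounts/regeneratekey/action (the Storage Account Key Operator Service Role) when rotation is the only task, and reserving Owner or Contributor for principals that need them for other reasons. Grammar nit in the first sentence: "must either be a Service Administrator, or must be assigned" repeats "must"; "must either be a Service Administrator or be assigned an RBAC role that includes ..." reads cleaner.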
articles/storage/common/storage-auth-aad-rbac-portal.md
Lines changed: 6 additions & 6 deletions
@@ -7,7 +7,7 @@ author: tamram
7
7
8
8
ms.service: storage
9
9
ms.topic: how-to
10
-
ms.date: 01/10/2020
10
+
ms.date: 03/31/2020
11
11
ms.author: tamram
12
12
ms.reviewer: cbrooks
13
13
ms.subservice: common
@@ -19,13 +19,13 @@ Azure Active Directory (Azure AD) authorizes access rights to secured resources
19
19
20
20
When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
21
21
22
-
This article describes how to use the Azure portal to assign RBAC roles. The Azure portal provides a simple interface for assigning RBAC roles and managing access to your storage resources. You can also assign RBAC roles for blob and queue resources using Azure command-line tools or the Azure Storage management APIs. For more information about RBAC roles for storage resources, see [Authenticate access to Azure blobs and queues using Azure Active Directory](storage-auth-aad.md).
22
+
This article describes how to use the Azure portal to assign RBAC roles. The Azure portal provides a simple interface for assigning RBAC roles and managing access to your storage resources. You can also assign RBAC roles for blob and queue resources using Azure command-line tools or the Azure Storage management APIs. For more information about RBAC roles for storage resources, see [Authenticate access to Azure blobs and queues using Azure Active Directory](storage-auth-aad.md).
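Review bot: The deleted and re-added line 22 are identical as rendered, so this hunk appears to be a whitespace-only change (trailing whitespace or a line-ending difference). If that is intended, a short mention in the commit message would save reviewers from diffing the two lines by eye; if it is not, the hunk can be dropped so the file's change is just the ms.date bump.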
@@ -48,11 +48,11 @@ The following sections describe each of these steps in more detail.
48
48
49
49
Before you assign a role to a security principal, be sure to consider the scope of the permissions you are granting. Review the [Determine resource scope](#determine-resource-scope) section to decide the appropriate scope.
50
50
51
-
The procedure shown here assigns a role scoped to a container, but you can follow the same steps to assign a role scoped to a queue:
51
+
The procedure shown here assigns a role scoped to a container, but you can follow the same steps to assign a role scoped to a queue:
52
52
53
53
1. In the [Azure portal](https://portal.azure.com), go to your storage account and display the **Overview** for the account.
54
-
1. Under Services, select **Blobs**.
55
-
1. Locate the container for which you want to assign a role, and display the container's settings.
54
+
1. Under Services, select **Blobs**.
55
+
1. Locate the container for which you want to assign a role, and display the container's settings.
56
56
1. Select **Access control (IAM)** to display access control settings for the container. Select the **Role assignments** tab to see the list of role assignments.
57
57
58
58

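Review bot: Lines 51, 54 and 55 are deleted and re-added with identical visible text, so as with the earlier hunk in this file this looks like whitespace cleanup rather than a content change; worth confirming that nothing in the procedure steps actually changed and noting the cleanup in the commit message, since the "6 additions & 6 deletions" count suggests substantive edits that are not there.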
includes/storage-auth-rbac-roles-include.md
Lines changed: 2 additions & 0 deletions
@@ -20,6 +20,8 @@ Azure provides the following built-in RBAC roles for authorizing access to blob
20
20
-[Storage Queue Data Message Processor](../articles/role-based-access-control/built-in-roles.md#storage-queue-data-message-processor): Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
21
21
-[Storage Queue Data Message Sender](../articles/role-based-access-control/built-in-roles.md#storage-queue-data-message-sender): Use to grant add permissions to messages in Azure Storage queues.
22
22
23
+
For detailed information about built-in RBAC roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../articles/role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles](../articles/role-based-access-control/rbac-and-directory-admin-roles.md).
24
+
23
25
> [!NOTE]
24
26
> RBAC role assignments may take up to five minutes to propagate.
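Review bot: In the added line 23, "built-in RBAC roles for Azure Storage for both the data services and the management service" doubles "for"; suggest "built-in RBAC roles for Azure Storage that cover both the data services and the management service". The placement is good, since the pointer to the full role list lands between the role bullets and the propagation note. Because this is an include file, the new paragraph will appear in every article that pulls it in, so check that none of those articles already carries the same two cross-references to avoid duplicate links on the rendered page.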
includes/storage-view-keys-include.md
Lines changed: 2 additions & 0 deletions
@@ -21,3 +21,5 @@ To view and copy your storage account access keys or connection string from the
21
21

22
22
23
23
You can use either key to access Azure Storage, but in general it's a good practice to use the first key, and reserve the use of the second key for when you are rotating keys.
24
+
25
+
To view or read an account's access keys, the user must either be a Service Administrator, or must be assigned an RBAC role that includes the **Microsoft.Storage/storageAccounts/listkeys/action**. Some built-in RBAC roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles](../articles/role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../articles/role-based-access-control/built-in-roles.md#storage).
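Review bot: The new paragraph should say what listkeys actually grants: a principal that can call Microsoft.Storage/storageAccounts/listkeys/action obtains the account keys, and the keys confer full Shared Key access to the account's data, independent of any narrower data-plane role the principal holds. Suggest adding a sentence to that effect and, as in the regeneratekey paragraph in storage-account-keys-manage.md, recommending the Storage Account Key Operator Service Role over Owner or Contributor when the principal only needs to read keys. Same grammar nit as that paragraph: "must either be a Service Administrator, or must be assigned" repeats "must". Also, this file says "built-in roles for Azure Storage" while storage-account-keys-manage.md says "built-in RBAC roles for Azure Storage"; pick one wording across the commit.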