
What are the Azure IAM permissions for storage account lifecycle policy management to work?

I added a policy in my test subscription and it works as expected. The same policy in my PROD sub at work does not do anything; it should move blobs from the hot to the cool access tier. On my test sub I have Owner rights and Storage Blob Data Contributor rights. On my PROD sub I have Storage Account Contributor and Storage Blob Data Owner. Should I also add Storage Blob Data Contributor rights? Wouldn't that be included in Storage Account Contributor?

In order to work with Azure Storage Account Life Cycle Management policies, you need a role that includes the Microsoft.Storage/storageAccounts/managementPolicies/write permission.

The valid roles that allow you to work with Life Cycle Management policies are:

  • Owner - It grants you full access to manage all resources along with assigning roles.
  • Contributor - It won't allow you to assign roles but grants full access to manage all resources.
  • Storage Account Contributor - It grants you full access to manage storage accounts (only).

As your Test subscription has Owner rights, it allowed you to manage Life Cycle Management policies.

To confirm this, click on the role and check for storage management policies:

[screenshot]

There is no need to assign the Storage Blob Data Contributor role in the PROD subscription, as it already has the Storage Account Contributor role, which includes the actions below:

[screenshot]

I tried to reproduce the same in my environment by assigning the Storage Account Contributor role and got the results below.

I created a Life Cycle Management policy to move blobs from the hot tier to the cool access tier, like below:

Go to Azure Portal -> Storage Accounts -> Your account -> Lifecycle management -> Add a rule

[screenshot]

When I checked the blobs, they were still in the Hot access tier, like below:

[screenshot]

As I created the policy recently, it may take up to 48 hours to take effect, as mentioned below:

[screenshot]

If that's your case, please wait for the intended time period and check after a couple of days. I'll update you in a couple of days on whether the blobs moved from the hot tier to the cool access tier.

References:

Managing the lifecycle policies - Azure Storage | Microsoft Docs

Azure built-in roles - Azure RBAC | Microsoft Docs
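The two things worth checking before waiting 48 hours are whether the signed-in principal can actually write a management policy, and whether any blob yet satisfies the rule. The script below is an added example, not code from the question, the answer or Microsoft. It applies the Azure RBAC matching rule (Actions and NotActions compared case-insensitively, with `*` spanning `/` segments; a role's DataActions never satisfy a control-plane action such as Microsoft.Storage/storageAccounts/managementPolicies/write) to abridged copies of the five roles the thread mentions, builds the policy JSON that `az storage account management-policy create --policy @policy.json` accepts, and simulates what a hot-to-cool rule should have done to a set of blobs. The role definitions are transcribed from memory of the Azure built-in roles documentation and should be confirmed with `az role definition list --name "<role>" --query "[].permissions"`; the blobs and dates are constructed sample data.

```python
# Added example, not code from the post or from Microsoft. Two offline checks
# behind the answer above: role_allows() applies Azure RBAC matching (case-
# insensitive, '*' spans '/', DataActions never satisfy a control-plane action)
# to the action the answer names, and expected_tier() simulates what a
# hot-to-cool rule should have done, so "nothing moved" can be split into
# no permission / rule matches nothing / policy has not run yet (up to 48 h).
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

MGMT_POLICY_WRITE = "Microsoft.Storage/storageAccounts/managementPolicies/write"
BLOB_SVC = "Microsoft.Storage/storageAccounts/blobServices"

# Abridged built-in role definitions. Assumption: transcribed from the Azure
# built-in roles docs; confirm with
#   az role definition list --name "<role>" --query "[].permissions"
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Storage Account Contributor": {"actions": ["Microsoft.Storage/storageAccounts/*"],
                                    "notActions": []},
    # Data-plane roles: their Actions stop at the container; blobs are DataActions.
    "Storage Blob Data Owner": {"actions": [BLOB_SVC + "/containers/*",
                                            BLOB_SVC + "/generateUserDelegationKey/action"],
                                "notActions": [],
                                "dataActions": [BLOB_SVC + "/containers/blobs/*"]},
    "Storage Blob Data Contributor": {"actions": [BLOB_SVC + "/containers/delete",
                                                  BLOB_SVC + "/containers/read",
                                                  BLOB_SVC + "/containers/write",
                                                  BLOB_SVC + "/generateUserDelegationKey/action"],
                                      "notActions": [],
                                      "dataActions": [BLOB_SVC + "/containers/blobs/read",
                                                      BLOB_SVC + "/containers/blobs/write",
                                                      BLOB_SVC + "/containers/blobs/delete"]},
}


def _matches(pattern, action):
    # Azure action strings are case-insensitive; '*' also matches across '/'.
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name, action):
    """Control-plane action is granted if some Actions entry matches and no NotActions entry does."""
    role = ROLES[role_name]
    if not any(_matches(p, action) for p in role["actions"]):
        return False
    return not any(_matches(p, action) for p in role["notActions"])


def principal_allows(assigned_roles, action):
    """Role assignments are additive: one allowing role is enough."""
    return any(role_allows(r, action) for r in assigned_roles)


def tier_to_cool_policy(rule_name, days, prefixes):
    """Policy body for: az storage account management-policy create --policy @policy.json"""
    return {"rules": [{
        "enabled": True, "name": rule_name, "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {"tierToCool": {"daysAfterModificationGreaterThan": days}}},
            # prefixMatch entries are "container/blob-prefix"; blob names below use the same form.
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": list(prefixes)},
        },
    }]}


def expected_tier(policy, blob, now):
    """Tier a blob should end up in once the policy has run (rules simulated in order)."""
    tier = blob["tier"]
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        filters = rule["definition"]["filters"]
        if blob["type"] not in filters["blobTypes"]:
            continue
        prefixes = filters.get("prefixMatch", [])
        if prefixes and not any(blob["name"].startswith(p) for p in prefixes):
            continue
        cool = rule["definition"]["actions"]["baseBlob"].get("tierToCool")
        age_days = (now - blob["modified"]).days
        if cool and tier == "Hot" and age_days > cool["daysAfterModificationGreaterThan"]:
            tier = "Cool"
    return tier


def diagnose(assigned_roles, policy, blobs, now):
    """Order of elimination for 'the policy does nothing' on the PROD subscription."""
    if not principal_allows(assigned_roles, MGMT_POLICY_WRITE):
        return "no permission: needs Storage Account Contributor, Contributor or Owner on the account"
    if all(expected_tier(policy, b, now) == b["tier"] for b in blobs):
        return "rule matches nothing yet: no blob is past the threshold or matches the filter"
    return "policy and blobs qualify: wait up to 48 h for the first run, then re-check tiers"


if __name__ == "__main__":
    # Constructed sample: the asker's PROD role set and three blobs.
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    policy = tier_to_cool_policy("move-to-cool", 30, ["logs/"])
    blobs = [
        {"name": "logs/2023/a.log", "type": "blockBlob", "tier": "Hot", "modified": now - timedelta(days=45)},
        {"name": "logs/2024/b.log", "type": "blockBlob", "tier": "Hot", "modified": now - timedelta(days=5)},
        {"name": "images/c.png", "type": "blockBlob", "tier": "Hot", "modified": now - timedelta(days=400)},
    ]
    for roles in (["Storage Blob Data Owner", "Storage Blob Data Contributor"],
                  ["Storage Account Contributor", "Storage Blob Data Owner"]):
        print(roles, "->", diagnose(roles, policy, blobs, now))
```

The matcher shows why the answer's list is what it is: Owner and Contributor match through `*` (Contributor's NotActions only carve out Microsoft.Authorization writes, so it still passes), Storage Account Contributor matches through `Microsoft.Storage/storageAccounts/*`, and both Storage Blob Data roles fail because their control-plane Actions stop at `blobServices/containers` and their blob rights are DataActions, which Azure never consults for a control-plane request. Once the policy is written, compare the simulated tier against what the account reports, for example with `az storage blob list --account-name <acct> --container-name <container> --query "[].{name:name, tier:properties.blobTier}"`, and only then attribute a remaining mismatch to the first-run delay the answer describes.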

The technical posts on this site are published under the CC BY-SA 4.0 license; reprints should credit the site URL or the original address.