Я хочу разрешить нашей службе поддержки создавать токены SAS для одной учетной записи хранения (там хранятся резервные копии SQL, и службе поддержки иногда необходимо их извлекать). Я не хочу, чтобы служба поддержки могла создавать или удалять контейнеры и т. д. или вносить изменения в саму учетную запись хранения.
Я создал то, что мне кажется подходящим шаблоном роли для этого, однако моя тестовая учетная запись все еще может добавлять контейнеры, загружать файлы и вносить некоторые изменения в конфигурацию учетной записи хранения.
Чего мне не хватает? (Обратите внимание, что в `actions` разрешено `listkeys/action`: ключи учетной записи дают полный доступ к данным в обход RBAC, а `notActions` лишь вычитает из этой же роли и не отменяет права, полученные из других назначений.)
{
"properties": {
"roleName": "Helpdesk Generate SAS Key Access",
"description": "Gives limited access to the storage account; can generate account-level SAS tokens. NOTE: listkeys/action returns the account keys, which bypass RBAC entirely — prefer user delegation SAS (generateUserDelegationKey) only",
"assignableScopes": [
"/subscriptions/xxxxxxx"
],
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/listkeys/action"
],
"notActions": [
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/lease/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write",
"Microsoft.Storage/storageAccounts/tableServices/read",
"Microsoft.Storage/storageAccounts/tableServices/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/delete",
"Microsoft.Storage/storageAccounts/tableServices/tables/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/read"
],
"dataActions": [],
"notDataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
]
}
]
}
}