限制用户仅允许为存储帐户生成 SAS 令牌


我想允许我们的帮助台为一个存储帐户生成 SAS 令牌。（这是存储 SQL 备份的地方，帮助台有时需要提取它们。）我不希望帮助台能够创建或删除容器等，也不希望它能对存储帐户本身进行更改。

我已经创建了一个我认为合理的角色模板，但是我的测试帐户仍然可以添加容器、上传文件，并对存储帐户配置进行一些更改。

我错过了什么?

{
"properties": {
    "roleName": "Helpdesk Generate SAS Key Access",
    "description": "Gives limited access to the storage account; can generate SA-level SAS tokens",
    "assignableScopes": [
        "/subscriptions/xxxxxxx"
    ],
    "permissions": [
        {
            "actions": [
                "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
                "Microsoft.Storage/storageAccounts/listkeys/action"
            ],
            "notActions": [
                "Microsoft.Storage/storageAccounts/blobServices/write",
                "Microsoft.Storage/storageAccounts/blobServices/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/lease/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/clearLegalHold/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/setLegalHold/action",
                "Microsoft.Storage/storageAccounts/write",
                "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
                "Microsoft.Storage/storageAccounts/queueServices/queues/read",
                "Microsoft.Storage/storageAccounts/queueServices/queues/write",
                "Microsoft.Storage/storageAccounts/tableServices/read",
                "Microsoft.Storage/storageAccounts/tableServices/write",
                "Microsoft.Storage/storageAccounts/tableServices/tables/delete",
                "Microsoft.Storage/storageAccounts/tableServices/tables/write",
                "Microsoft.Storage/storageAccounts/tableServices/tables/read"
            ],
            "dataActions": [],
            "notDataActions": [
                "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
                "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
                "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
                "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
            ]
        }
    ]
}

}
