
In Azure, I have an admin role. In Active Directory, I have added a new user. I need to grant permission to a user to access our storage account as a contributor role. I’m confused between the contributor and storage account contributor roles. What if I granted permission to my storage account only for the contributor role rather than the storage account contributor roles? And what will happen if I give permission for either one or both roles? Can someone explain it to me clearly?


Answers


  1. The difference is the scope of the permissions.

    The general Contributor Role :

    Grants full access to manage all resources

    The storage account contributor:

    Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

    (docs)

    So if you want to limit a user to only be able to manage specific resource types, assign them those specific service contributor roles.

    Both can also access the data inside the storage account because they have access to the account key.

  2. A Storage Account Contributor role enables a user to manage almost all aspects of a storage account (e.g. update storage account, read access keys, regenerate access keys, and even delete storage account etc.).

    A Contributor role has a much larger scope and it enables a user to manage almost all aspects of any resource in an Azure Subscription.

    Now coming to your questions:

    What if I granted permission to my storage account only for the
    contributor role rather than the storage account contributor roles?

    Considering you are scoping the role to a storage account only, I believe it would be the same.

    And what will happen if I give permission for either one or both
    roles?

    If you assign both roles (Contributor and Storage Account Contributor) to a resource normally the higher role (Contributor in this case) prevails. However in this scenario since you are scoping the role to a storage account only, I believe it would be the same.

  3. I don’t have enough reputation (needs 50) to add a comment, therefore posting this as an answer.
    The Contributor and Storage Account Contributor roles are different when it comes to the Synapse pipeline activities – it generally requires the Storage Account Contributor role.

    For example: A query that works in the Develop SQL script can fail in the Pipeline script activity, when its linked service uses system managed identity authentication, and the system managed identity has the contributor role, but not the storage account contributor role. When this happens, you will see pipeline activity error code like "content of directory on path ‘…’ cannot be listed".

    For more information, please view Trouble with Azure Synapse: pipeline cannot execute a stored procedure that works in Develop script

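A small evaluator of Azure RBAC semantics, added here as an example and not code from this thread or from Microsoft. It models the three points the answers above turn on: an assignment's scope limits where a role applies (answer 2), assignments are additive, so a principal holding both roles gets the union of their Actions, and both built-in roles carry only control-plane Actions, so they reach blob data only through listKeys and the account key (answer 1), never through Azure AD data-plane authorization, which is the kind of failure answer 3 describes for a managed identity. The role definitions are abridged from the documented built-in role JSON (verify with `az role definition list --name "<role>"`); the subscription, resource group, principal names and the `is_allowed` helper are constructed for the example. It goes beyond the thread by adding the data-plane role Storage Blob Data Contributor for contrast. Deny assignments, conditions and management groups are not modeled.

```python
"""Toy Azure RBAC evaluator: scope, additive roles, Actions vs DataActions.
Added example, not code from the thread or from Microsoft."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    actions: Tuple[str, ...]                # control-plane (ARM) operations
    not_actions: Tuple[str, ...] = ()       # subtracted from actions; not a deny
    data_actions: Tuple[str, ...] = ()      # data-plane operations (Azure AD auth)
    not_data_actions: Tuple[str, ...] = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # subscription, resource group or resource ID


# Abridged from the documented built-in roles (assumption: only the entries
# needed here; check with `az role definition list --name "<role>"`).
ROLES: Dict[str, RoleDefinition] = {
    "Contributor": RoleDefinition(
        actions=("*",),
        not_actions=("Microsoft.Authorization/*/Delete",
                     "Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/elevateAccess/Action"),
    ),
    "Storage Account Contributor": RoleDefinition(
        actions=("Microsoft.Authorization/*/read",
                 "Microsoft.Resources/deployments/*",
                 "Microsoft.Resources/subscriptions/resourceGroups/read",
                 "Microsoft.Storage/storageAccounts/*"),
    ),
    # Data-plane role, included for contrast; not discussed in the thread.
    "Storage Blob Data Contributor": RoleDefinition(
        actions=("Microsoft.Storage/storageAccounts/blobServices/containers/read",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                 "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"),
        data_actions=("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"),
    ),
}

# Constructed resource IDs and principals for the demo.
SUB_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_ID = SUB_ID + "/resourceGroups/rg-demo"
STORAGE_ID = RG_ID + "/providers/Microsoft.Storage/storageAccounts/stdemo001"
VM_ID = RG_ID + "/providers/Microsoft.Compute/virtualMachines/vm-demo"

ASSIGNMENTS: Tuple[RoleAssignment, ...] = (
    RoleAssignment("new-user", "Contributor", STORAGE_ID),          # the asker's case
    RoleAssignment("sa-admin", "Storage Account Contributor", STORAGE_ID),
    RoleAssignment("both-user", "Contributor", STORAGE_ID),         # holds both roles
    RoleAssignment("both-user", "Storage Account Contributor", STORAGE_ID),
    RoleAssignment("synapse-mi", "Contributor", SUB_ID),            # managed identity, whole subscription
    RoleAssignment("pipeline-mi", "Storage Blob Data Contributor", STORAGE_ID),
)

CONTROL_OPS = (
    "Microsoft.Storage/storageAccounts/listKeys/action",  # account key -> Shared Key data access
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Authorization/roleAssignments/write",      # granting roles: neither role has it
)
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def _matches(pattern: str, operation: str) -> bool:
    """Azure operation matching is case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(operation.lower(), pattern.lower())


def _scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its scope and to every child resource below it."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def is_allowed(principal: str, operation: str, resource_id: str, *, data_action: bool = False,
               assignments=ASSIGNMENTS, roles=ROLES) -> bool:
    """True if any in-scope assignment grants the operation; grants are unioned,
    and a NotAction only trims its own role, it never denies another role's grant."""
    for asg in assignments:
        if asg.principal != principal or not _scope_covers(asg.scope, resource_id):
            continue
        role = roles[asg.role]
        allow, trim = ((role.data_actions, role.not_data_actions) if data_action
                       else (role.actions, role.not_actions))
        if any(_matches(p, operation) for p in allow) and not any(_matches(p, operation) for p in trim):
            return True
    return False


if __name__ == "__main__":
    for who in ("new-user", "sa-admin", "both-user", "synapse-mi", "pipeline-mi"):
        control = {op.rsplit("/", 2)[-2] + "/" + op.rsplit("/", 1)[-1]: is_allowed(who, op, STORAGE_ID)
                   for op in CONTROL_OPS}
        print(f"{who:12} {control} blob data via Azure AD={is_allowed(who, BLOB_READ, STORAGE_ID, data_action=True)}"
              f" VM write={is_allowed(who, 'Microsoft.Compute/virtualMachines/write', VM_ID)}")
```

Running it shows `new-user`, `sa-admin` and `both-user` with identical results at the storage account (listKeys and delete allowed, role assignment write not), `new-user` unable to touch the VM because the Contributor assignment is scoped to the storage account, and no principal except `pipeline-mi` able to read blobs through Azure AD, since Contributor and Storage Account Contributor have no DataActions at all.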