How to assign Storage Blob Data Owner role to a user of a storage account

[landscapepainter]

I'm currently creating a storage account using the following script:

                from azure.mgmt.storage import StorageManagementClient
                self.storage_client = StorageManagementClient(credential, subscription_id)
                self.storage_client.storage_accounts.begin_create(
                    self.resource_group_name, self.storage_account_name, {
                        'sku': {
                            'name': 'Standard_GRS'
                        },
                        'kind': 'StorageV2',
                        'location': self.region,
                        'encryption': {
                            'services': {
                                'blob': {
                                    'key_type': 'Account',
                                    'enabled': True
                                }
                            },
                            'key_source': 'Microsoft.Storage'
                        },
                    }).result()

What's a good way to assign Storage Blob Data Owner role to the user of this storage account after creating with this script?

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jalauzon-msft @vincenttran-msft.

[swathipil]

Hi @landscapepainter - Thanks for opening an issue! We'll take a look asap!

As far as I know, the azure-mgmt-authorization SDK can be used to assign roles. Sample here.

@msyyc - Do you know of a better option?

[msyyc]

Add @ChenxiJiang333 for help.

[ChenxiJiang333]

Hi, @landscapepainter If you want to assign the built-in role Storage Blob Data Owner, its definition id is b7e6dc6d-f1e8-4753-8033-0f276bb0955b. You can pass it to make the assignment though sdk azure-mgmt-authorization by adding the code below:

import uuid
from azure.mgmt.authorization import AuthorizationManagementClient
...
response = storage_client.storage_accounts.begin_create(...)
authorization_client = AuthorizationManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id={subscription_id},
    )
authorization_client.role_assignments.create(
        scope=response.id,
        role_assignment_name=uuid.uuid4(),
        parameters={
            "properties": {
                "principalId": {your own user's object id, which can be found on portal},
                "principalType": "User",
                "roleDefinitionId": "/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
            }
        },
    )

[github-actions]

Hi @landscapepainter. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

[landscapepainter]

"/unresolve"

[landscapepainter]

@swathipil @msyyc @ChenxiJiang333 Thanks for the quick response! It seems like obtaining the object id is the key for the method @ChenxiJiang333 mentioned. Is there a way to obtain object id of the current user through python sdk script? We want to automate this process, so obtaining the object id from the portal is not ideal. Thanks!

[ChenxiJiang333]

Hi @landscapepainter
Try add this code to get your object id.

from msgraph import GraphServiceClient
import asyncio
graph_client = GraphServiceClient(DefaultAzureCredential())
async def get_object_id():
    user = await graph_client.users.with_url('https://graph.microsoft.com/v1.0/me').get()
    object_id = str(user.additional_data['id'])
    return object_id
object_id = asyncio.run(get_object_id())

[landscapepainter]

@ChenxiJiang333 Absolutely appreciate your answer. It works, but for me I had to use AzureCliCredential() instead. It'd be great if you can help to answer two more questions!

1. Is there like doc of sdk features or examples I can refer to? I wish I could have been able to discover the existance of GraphServiceClient by myself.
2. Is there a way to check if the current user has the specific role(in this case, Storage Blob Data Owner) to the specific storage account?

[ChenxiJiang333]

Hi @landscapepainter
For Graph examples, see https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
To check the role assignment, you can use this function and add the parameter filter="assignedTo('your object id')"

[github-actions]

Hi @landscapepainter. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

[github-actions]

Hi @landscapepainter, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.