We have a number of Azure VMs with SQL Server and we utilize Backup to URL and create our database backups in an Azure storage account and Block Blob container. SQL uses a credential created from a SAS policy on the container that grants the permissions needed to back up and restore databases (i.e., 'read', 'write', 'list').
I want to create a new policy that can only be used to restore databases from backups -- i.e., RESTORE DATABASE works, but BACKUP DATABASE/LOG does not. I've tried giving 'read' and 'list' which, I assumed, would be sufficient for restores, but this does not work. I also tried giving all permissions except for 'write' (i.e., 'read', 'add', 'create', 'delete', 'list') and it still failed. It is only when I explicitly grant 'write' to the policy that I'm able to restore a database from backups.
Is there a way to create a shared access signature policy with permissions needed to restore a database from backup, but not create new backups? Or is 'write' access required to simply restore from existing backups?
Read/Write/Delete/List permissions are required for both backup and restore. There is a Tech Community article that outlines the requirements.
https://techcommunity.microsoft.com/t5/datacat/sql-server-backup-to-url-a-cheat-sheet/ba-p/346358
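As an added example (not part of the original question or answer), here is the T-SQL side of that setup: a credential built from a container-scoped SAS and a RESTORE FROM URL that uses it. The storage account name (mystorageacct), container (sqlbackups), database (SalesDB), policy name (restore-policy) and the SAS value are placeholders I chose; substitute your own. The SAS is assumed to come from a stored access policy on the container that grants Read, Write, Delete and List (rwdl), the set the answer above says is required for both BACKUP and RESTORE.

```sql
-- Added example, not from the original post. Names and the SAS are assumptions.
-- The SAS below is assumed to be generated from a stored access policy on the
-- container (the 'si=' parameter) that grants rwdl. Because the permissions
-- live in the policy, you can revoke every SAS issued from it by deleting or
-- editing the policy, without rotating the storage account keys.

-- 1. Credential: the name must be the container URL (no trailing slash), and
--    SECRET is the SAS token with the leading '?' removed.
IF NOT EXISTS (SELECT 1 FROM sys.credentials
               WHERE name = 'https://mystorageacct.blob.core.windows.net/sqlbackups')
    CREATE CREDENTIAL [https://mystorageacct.blob.core.windows.net/sqlbackups]
        WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
             SECRET   = 'sv=2022-11-02&si=restore-policy&sr=c&sig=<signature>';  -- placeholder SAS

-- 2. Restore from an existing backup blob in that container. SQL Server resolves
--    the credential by matching the container URL prefix of the FROM URL path.
--    As the question reports, a SAS from a policy with only Read and List fails
--    here; the policy behind this credential grants rwdl.
RESTORE DATABASE SalesDB
    FROM URL = 'https://mystorageacct.blob.core.windows.net/sqlbackups/SalesDB_full.bak'
    WITH RECOVERY, STATS = 10;
```

If the goal is to limit what a restore-only host can do, the lever is the stored access policy (scope it to a dedicated container holding only the backups that host may restore, set a short expiry, and revoke it when done) rather than dropping Write from the permission set, since the answer above indicates Write is required for RESTORE as well.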