Tags: azure, azure-blob-storage, azure-rbac, azure-blueprints

Azure deny assignment to prevent read access on Azure Blob Storage


Is there a way to create a deny assignment at the management group level with an Azure Blueprint that prevents the Owner and Contributor roles from reading blob storage content? In my specific case I want to store the Terraform state and only want to grant the service principal read/write access. Owners and contributors should only be able to manage the storage. Is this possible with Blueprints or in another way? And if yes, do you have some resources, as I am lacking information? Thank you.


Solution

  • With Azure AD we can configure access rights with the help of role-based access control, where we can set permissions to access blob data.

    An Azure role is assigned to a security principal, and resources are then accessed with it. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

    Below is how we can do it with CLI:

    az role assignment create \
        --role "Storage Blob Data Contributor" \
        --assignee <email> \
        --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"
    

    Now, coming to denying access, we can restrict access to resources for users or security principals.

    Along with these we have a few locking modes and states, where we can set Read Only access on a resource group so that they cannot edit or delete.

    Below is how we can exclude an action from a deny assignment with resource locking:

    "locks": {
        "mode": "AllResourcesDoNotDelete",
        "excludedPrincipals": [
            "7be2f100-3af5-4c15-bcb7-27ee43784a1f",
            "38833b56-194d-420b-90ce-cff578296714"
        ],
        "excludedActions": [
            "Microsoft.ContainerRegistry/registries/push/write",
            "Microsoft.Authorization/*/read"
        ]
    },
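As an added illustration, not part of the answer above, here is a small Python model of how Azure evaluates a request: it must be permitted by a role assignment and then not blocked by a deny assignment (the kind a Blueprint lock creates). The role definitions are abbreviated, the principal names and the deny assignment are constructed, and the deny assignment blocks storage key listing for everyone except the Terraform principal, since Owner and Contributor carry no blob data actions but can list account keys.

```python
# Added example: simplified model of Azure authorization. A request must be
# allowed by a role assignment and must not be blocked by a deny assignment.
# Role definitions below are abbreviated constructions, not the full built-ins.
from fnmatch import fnmatchcase

ROLES = {
    # Owner/Contributor grant management-plane actions only: no dataActions.
    "Owner": {"actions": ["*"], "dataActions": []},
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    },
}

def _matches(action, patterns):  # Azure-style wildcard; '*' spans path segments
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed_by_roles(principal, action, data_plane, assignments):
    """assignments: list of (principal, role name) pairs."""
    key = "dataActions" if data_plane else "actions"
    return any(p == principal and _matches(action, ROLES[role][key])
               for p, role in assignments)

def blocked_by_deny(principal, action, data_plane, deny):
    """A deny applies unless the principal or the action is excluded from it."""
    if principal in deny.get("excludedPrincipals", []):
        return False
    if _matches(action, deny.get("excludedActions", [])):
        return False
    key = "dataActions" if data_plane else "actions"
    return _matches(action, deny.get(key, []))

def is_authorized(principal, action, data_plane, assignments, denies):
    if not allowed_by_roles(principal, action, data_plane, assignments):
        return False
    return not any(blocked_by_deny(principal, action, data_plane, d) for d in denies)

# Constructed scenario: the Terraform SP gets blob data access, a human is Owner,
# and a deny assignment blocks listKeys (the Owner's route to blob data) for
# everyone except the Terraform principal.
ASSIGNMENTS = [("sp-terraform", "Storage Blob Data Contributor"), ("alice", "Owner")]
DENIES = [{
    "actions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
    "excludedPrincipals": ["sp-terraform"],
}]
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

def check(principal, action, data_plane):
    return is_authorized(principal, action, data_plane, ASSIGNMENTS, DENIES)
```

With this model the Owner can still manage the account (for example `Microsoft.Storage/storageAccounts/write`) but can neither read blobs through RBAC nor fetch the account keys, while the Terraform principal keeps its data access.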