What are the Azure IAM permissions for storage account lifecycle policy management to work?


Added a policy in my test subscription and it works as expected. The same policy on my PROD sub at work does not do anything; it should move blobs to the cool access tier from hot. On my test sub I have owner rights and storage blob data contributor rights. On my PROD sub I have storage account contributor and storage blob data owner. Should I also add storage blob data contributor rights? Wouldn't that be included in storage account contributor?


Solution

  • In order to work with Azure Storage Account Life Cycle Management policies, you need a role that includes the Microsoft.Storage/storageAccounts/managementPolicies/write permission.

    The valid roles that allow you to work with Life Cycle Management policies are:

    • Owner - It grants you full access to manage all resources along with assigning roles.
    • Contributor - It won't allow you to assign roles but grants full access to manage all resources.
    • Storage Account Contributor - It grants you full access to manage storage accounts (only).

    As your Test subscription has Owner rights, it allowed you to manage Life Cycle Management policies.

    To confirm this, click on the role and check for storage management policies:

    There is no need to assign the Storage Blob Data Contributor role in the Prod subscription, as it already has the Storage Account Contributor role, which includes the actions below:

    I tried to reproduce the same in my environment by assigning Storage Account Contributor role and got below results.

    I created a Life Cycle Management policy to move blobs to the cool access tier from hot tier like below:

    Go to Azure Portal -> Storage Accounts -> Your account -> Lifecycle management -> Add a role

    When I checked the blobs, they are still in Hot access tier like below:

    As I created the policy recently, it may take up to 48 hours to be effective, as mentioned below:

    If that's your case, please wait for the intended time period and check after a couple of days.

    Blobs moved to cool access tier from hot when I checked after a few days like below:

    UPDATE:

    Please check the below note from this Microsoft Doc that confirms management policies will be blocked if firewall rules are enabled for your storage account.

    You need to select the exception below that allows access to trusted Azure services:

    References:

    Grant access to trusted azure services | Microsoft Docs

    Managing the lifecycle policies - Azure Storage | Microsoft Docs
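
The two checks the answer walks through (does my role actually carry `Microsoft.Storage/storageAccounts/managementPolicies/write`, and is the storage account firewall blocking the trusted-service exception) can be run offline against role definitions and account properties. The script below is an added example, not code from the answer or from Microsoft. It implements Azure RBAC's Actions/NotActions wildcard matching and evaluates it for the roles mentioned in the thread; the role definitions and the account JSON are constructed subsets written from memory for illustration, so compare them against `az role definition list --name "<role>"` and `az storage account show --query networkRuleSet` before relying on them.

```python
import re

# The control-plane action a lifecycle (management) policy write requires.
REQUIRED_ACTION = "Microsoft.Storage/storageAccounts/managementPolicies/write"

# Constructed subset of the built-in role definitions (Actions / NotActions only).
# DataActions are deliberately omitted: they never grant control-plane writes,
# which is why the data-plane roles below cannot manage lifecycle policies.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Storage Account Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Storage/storageAccounts/*",
        ],
        "NotActions": [],
    },
    "Storage Blob Data Contributor": {
        "Actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/*",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "NotActions": [],
    },
    "Storage Blob Data Owner": {
        "Actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/*",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "NotActions": [],
    },
}


def action_matches(pattern, action):
    """RBAC action patterns are case-insensitive; '*' matches any run of
    characters, including '/' (so 'Microsoft.Storage/storageAccounts/*'
    covers nested resources such as managementPolicies)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role, action):
    """A role grants an action when some Actions entry matches it and no
    NotActions entry matches it (NotActions subtract, they do not deny)."""
    definition = ROLE_DEFINITIONS[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    denied = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not denied


def can_manage_lifecycle(assigned_roles):
    """True when any of the principal's roles carries the required write."""
    return any(role_grants(r, REQUIRED_ACTION) for r in assigned_roles)


def trusted_services_blocked(account):
    """True when the account firewall denies by default and 'AzureServices'
    is missing from the bypass list, the state the answer's UPDATE describes."""
    rules = account.get("networkRuleSet", {})
    if rules.get("defaultAction", "Allow").lower() != "deny":
        return False
    bypass = {b.strip().lower() for b in rules.get("bypass", "").split(",")}
    return "azureservices" not in bypass


# Constructed account properties in the shape of `az storage account show` output.
PROD_LIKE_ACCOUNT = {"networkRuleSet": {"defaultAction": "Deny", "bypass": "Logging, Metrics"}}
FIXED_ACCOUNT = {"networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices, Logging, Metrics"}}

if __name__ == "__main__":
    for roles in (["Owner", "Storage Blob Data Contributor"],
                  ["Storage Account Contributor", "Storage Blob Data Owner"],
                  ["Storage Blob Data Contributor"]):
        print(roles, "->", "can manage policies" if can_manage_lifecycle(roles) else "cannot")
    print("prod-like firewall blocks lifecycle service:", trusted_services_blocked(PROD_LIKE_ACCOUNT))
```

Run as written it confirms the thread's conclusion: both the Test assignment (Owner) and the PROD assignment (Storage Account Contributor plus Storage Blob Data Owner) grant the policy write, so adding Storage Blob Data Contributor changes nothing, and the remaining suspect is the firewall. Feeding real output from `az role definition list` and `az storage account show` into the same functions turns this into a quick pre-flight check before opening a support case.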