I am trying to define a role that includes read and backup actions for an Azure SQL Server and all underlying databases.
The following configuration grants me all the required access, although it also permits all write and destructive operations:
actions = [ "Microsoft.Sql/*", "Microsoft.Storage/*"]
Even when these actions are assigned along with the predefined "Reader" role, I still encounter a "No access" error page when attempting to import a database through the Azure Portal. Surprisingly, these permissions are sufficient for importing the database via the Azure CLI.
I am seeking minimal roles that will enable me to import a database into Azure SQL through both the Portal and the CLI.
On the Azure SQL Database server, you need to have the SQL Server Contributor role or a custom role that grants you the Microsoft.Sql/servers/databases/import/action permission.
On the Azure Storage Account, you need to have the Storage Blob Data Reader role or a custom role that grants you the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read permission.
Finally, as per @Prebiusta findings, it is necessary to add the role Microsoft.Resources/deployments/write, scoped to at least the Resource Group or higher to avoid an Error 403 forbidden.