Reputation: 2410
I am trying to create a user delegation key from the Azure portal.
No matter what privileges I assign to myself, I hit the same error message:
You don't have permissions to grant read access. You can still create a shared access signature, but you'll need an RBAC role with additional permissions before you can grant that level of access to your signature recipient. Learn more about Azure roles for access to blob data
So far I have the following roles assigned:
And the link provided in the error message says I need one of the following:
So it should work, but it doesn't. What am I missing?
Upvotes: 2
Views: 1709
Reputation: 22362
The error usually occurs if you don't have the required roles/permissions assigned to create a user delegation key.
Please note that in order to create a user delegation key, you need a role that includes the action below:
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey
The above action is included in the below roles:
Try assigning either the Storage Blob Data Contributor or the Storage Blob Data Owner role, as you didn't assign them.
Please check at what scope you have assigned the role; make sure to assign the roles at the level of the storage account, the resource group, or the subscription.
I tried in my environment, and got the same error when the roles are not assigned:
After assigning the roles, I am able to create the user delegation key successfully without errors.
If the error still persists, try creating an Azure Support ticket.
For more detail, please refer to the link below:
Create SAS tokens for containers and blobs with the Azure portal | Microsoft Docs
Upvotes: 5
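The two checks the answer describes (does any assigned role include the generateUserDelegationKey action, and is it assigned at the storage account, resource group, or subscription scope), as an added example that is not part of the original answer. The subscription ID, resource names, the "example-management-role" role and the action lists are constructed sample data, not real built-in role definitions; matching is done case-insensitively here as an assumption.

```python
import re

# Action string exactly as quoted in the answer above.
REQUIRED = "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey"

def action_matches(pattern, action):
    """True if an RBAC action pattern (which may contain * wildcards) covers the action."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def scope_covers(scope, resource_id):
    """True if the assignment scope is the resource itself or one of its parents."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def explain(assignments, account_id):
    """Return (role, verdict) per assignment so the failing condition is visible."""
    results = []
    for a in assignments:
        allowed = any(action_matches(p, REQUIRED) for p in a["actions"])
        excluded = any(action_matches(p, REQUIRED) for p in a.get("notActions", []))
        if not allowed or excluded:
            verdict = "role lacks action"
        elif not scope_covers(a["scope"], account_id):
            verdict = "scope does not cover storage account"
        else:
            verdict = "ok"
        results.append((a["role"], verdict))
    return results

def can_generate_key(assignments, account_id):
    return any(v == "ok" for _, v in explain(assignments, account_id))

# --- constructed sample data (placeholder IDs, simplified action lists) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo"
SAMPLE = [
    {"role": "example-management-role", "scope": SUB,
     "actions": ["Microsoft.Storage/storageAccounts/read"]},
    {"role": "Storage Blob Data Contributor",  # assigned too low: on one container
     "scope": ACCOUNT + "/blobServices/default/containers/logs",
     "actions": [REQUIRED]},
    {"role": "Storage Blob Data Contributor", "scope": RG, "actions": [REQUIRED]},
]

if __name__ == "__main__":
    for role, verdict in explain(SAMPLE, ACCOUNT):
        print(f"{role}: {verdict}")
```

With only the first two sample assignments the check fails, which mirrors the situation in the question: roles are present, but none both includes the action and is scoped at the storage account or above.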