1# Storage - Access Patterns
2 
3## Prerequisites for Granting Storage Access
4 
5> ⚠️ **Important**: To assign storage roles to managed identities, you need:
6> - **User Access Administrator** or **Owner** role on the Storage Account (or parent resource group/subscription)
7> - The role must include the `Microsoft.Authorization/roleAssignments/write` permission
8 
9**Common scenarios**:
10- Granting Storage Blob Data Owner to a Web App or Function App's managed identity (System Assigned or User Assigned)
11- Adding read/write access to blobs, queues, and tables for application workloads
12- Allowing user identities (developers, data admins) access in dev/test environments
13- Allowing applications to access storage using managed identity instead of connection strings
14 
15**Scope best practices**:
16- Grant roles at the **smallest scope possible** (e.g., specific storage account, not resource group or subscription)
17- Avoid broad scopes (Resource Group, Subscription, Tenant) unless absolutely necessary
18- Prefer resource-level assignments for production workloads
19 
20**Managed identity types**:
21- **System Assigned**: Automatically created with the resource (Web App, Function). Default when using `DefaultAzureCredential`.
22- **User Assigned**: Standalone identity that can be shared across resources. Requires additional configuration:
23  - Set `AZURE_CLIENT_ID` app setting to the User Assigned Managed Identity's client ID
24  - Configure identity in Bicep with both `type: 'SystemAssigned, UserAssigned'` and `userAssignedIdentities`
25 
26If you encounter `AuthorizationFailed` errors when assigning roles, ensure you have User Access Administrator or Owner permissions at the target scope.
27 
28## Managed Identity Role Assignment
29 
30```bicep
31resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
32  name: guid(storageAccount.id, principalId, 'Storage Blob Data Contributor')
33  scope: storageAccount
34  properties: {
35    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
36    principalId: principalId
37    principalType: 'ServicePrincipal'
38  }
39}
40```
41 
42## Storage Roles
43 
44| Role | Permissions |
45|------|-------------|
46| Storage Blob Data Reader | Read blobs |
47| Storage Blob Data Contributor | Read/write blobs |
48| Storage Queue Data Contributor | Read/write queues |
49| Storage Table Data Contributor | Read/write tables |
50 
51## SDK Connection Patterns
52 
53### Node.js
54 
55```javascript
56const { BlobServiceClient } = require("@azure/storage-blob");
57 
58const blobServiceClient = BlobServiceClient.fromConnectionString(
59  process.env.AZURE_STORAGE_CONNECTION_STRING
60);
61const containerClient = blobServiceClient.getContainerClient("uploads");
62```
63 
64### Python
65 
66```python
67from azure.storage.blob import BlobServiceClient
68 
69blob_service_client = BlobServiceClient.from_connection_string(
70    os.environ["AZURE_STORAGE_CONNECTION_STRING"]
71)
72container_client = blob_service_client.get_container_client("uploads")
73```
74 
75### .NET
76 
77```csharp
78var blobServiceClient = new BlobServiceClient(
79    Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING")
80);
81var containerClient = blobServiceClient.GetBlobContainerClient("uploads");
82```
83 
84## Managed Identity Access
85 
86Use `DefaultAzureCredential` for local development (in production, use `ManagedIdentityCredential` — see [auth-best-practices.md](../../auth-best-practices.md)):
87 
88```javascript
89const { DefaultAzureCredential } = require("@azure/identity");
90const { BlobServiceClient } = require("@azure/storage-blob");
91 
92const client = new BlobServiceClient(
93  `https://${accountName}.blob.core.windows.net`,
94  new DefaultAzureCredential()
95);
96```
97