How can we improve Azure Storage?

Azure Table Storage permissions to prevent deletion

It would be nice to be able to lock certain areas of Azure Storage to prevent operators/developers from deleting a table/container/queue by accident. Our specific need right now is for Azure Storage Tables but could potentially be for containers and queues. For example, it would be nice to lock a table to not allow deletion.

159 votes
Nate Pickett shared this idea

8 comments

  • Dillon Brown commented

    This workaround is not much better than SAS, but if you stop short of giving the users full key access to the account and instead assign appropriate Data Action operations using RBAC, you can allow read, write etc. while preventing deletion.
    https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac?toc=%2fazure%2fstorage%2fqueues%2ftoc.json
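A check for the RBAC workaround described in the comment above, added here as an example and not code from the thread or from Microsoft: it tests whether a role definition still leaves a path to deletion, including through wildcards. The two role definitions are constructed, and the operation names are Azure's blob container and blob operations, used as an assumption because the comment does not name specific operations.

```python
from fnmatch import fnmatchcase

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers"

# Constructed role definitions in the Azure custom-role JSON shape.
# Role names and the subscription placeholder are hypothetical.
TOO_BROAD = {
    "Name": "Blob Data Wildcard (example)",
    "Actions": [f"{BLOB}/*"],
    "NotActions": [],
    "DataActions": [f"{BLOB}/blobs/*"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}
NO_DELETE = {
    "Name": "Blob Data Read-Write No Delete (example)",
    "Actions": [f"{BLOB}/read"],
    "NotActions": [],
    # blobs/write still allows overwriting existing blob content.
    "DataActions": [f"{BLOB}/blobs/read", f"{BLOB}/blobs/write",
                    f"{BLOB}/blobs/add/action"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}

def _matches(patterns, operation):
    # Operation strings are case-insensitive and "*" is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def permits(role, operation, data_plane):
    """Effective permission = allowed list minus the matching Not* list."""
    allow, deny = (("DataActions", "NotDataActions") if data_plane
                   else ("Actions", "NotActions"))
    return (_matches(role.get(allow, []), operation)
            and not _matches(role.get(deny, []), operation))

def deletion_paths(role):
    """Return the delete and key-listing operations a role still grants."""
    checks = [
        (f"{BLOB}/delete", False),       # delete a whole container
        (f"{BLOB}/blobs/delete", True),  # delete a single blob
        # Account keys bypass RBAC, so key listing defeats the role.
        ("Microsoft.Storage/storageAccounts/listkeys/action", False),
    ]
    return [op for op, dp in checks if permits(role, op, dp)]

if __name__ == "__main__":
    for role in (TOO_BROAD, NO_DELETE):
        print(role["Name"], "->", deletion_paths(role) or "no delete path")
```

The check covers a single role definition; a user's effective access is the union of every role assigned at or above the scope, so each assigned role needs the same review.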

  • Woutercx commented

    Please implement this. Shared Access Signatures don't generate an audit trail. I want to be able to give developers fine grained access (read rights) on production Blob storage/Table storage through Active Directory. Right now, there is a "Storage Blob Data Reader (Preview)" role, but when I give a user this role, in Storage Explorer I get the error "Could not obtain keys for Storage Account. Please check that you have the correct permissions", so this is not usable yet.

  • Mike commented

    Jeff,

    I was working with one of Red Gate's tools, mainly Azure Explorer, and guess what? I accidentally deleted the whole container by accident! I thought my mouse had selected a blob, but it selected a container, and it was gone before I knew it... it was very, very bad. It would be extremely helpful to have some kind of programmatic or GUI way to prevent deletions of containers. It is simply too dangerous to have it like this. Good thing I was in staging... otherwise ALL the pictures of my customer's properties would have been GONE. So please, do consider this one seriously: container deletions, if set to be prevented, should only be allowed via special permissions, or a key/password of some sort. You'd be saving jobs, literally ;)

    Thanks,
    Mike

  • Phamer commented

    I agree. We've already had one user accidentally delete a container and all the content! She's a nervous wreck that she might do it again. It would be nice if I could lock that container from deletion; then the worst she could do is delete just a single blob.

  • István Hartung commented

    For our current needs it would be good to be able to lock an account to prevent both "update" and "delete" methods (or anything that modifies previously added data), and allow only "Insert" and "Select"...
    This would be very important to prevent application errors or any other problems.

  • Manu commented

    Almost all my customers are complaining that storage is too open to mistakes and hacks.

  • Nate Pickett commented

    For tables, it would be nice to have a deletion lock that would prevent deleting any entity or deleting the whole table when the lock is enabled.

    For blobs, it would be nice to have a deletion lock that would prevent deleting any blob or deleting the whole container when the lock is enabled.

    For queues, it would be nice to have a deletion lock that would prevent deleting any message or deleting the whole queue when the lock is enabled.

    As I mentioned earlier, our need right now is only for table storage but I can see how this would be useful for other storage options.
