A user has been assigned a custom role with the below actions on an Azure storage account, but the user sees "This request is not authorized to perform this operation":
{
  "id": ..,
  "properties": {
    "roleName": "ContributorBPMD(custom)",
    "description": ..
    "assignableScopes": [
      "/providers/Microsoft.Management/managementGroups/XXX"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          ...
          "Microsoft.Sql/servers/virtualNetworkRules/write",
          "Microsoft.Storage/storageAccounts/delete",
          "Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets/action",
          "Microsoft.Storage/storageAccounts/privateEndpointConnections/delete",
          "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
          ...
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
I don't see any disallowed actions for Microsoft.storageAccounts/queueServices/*.
What is missing?
The reason the user is getting this error is because reading from a queue is a data plane operation and no permissions are defined in dataActions in the custom role. The simplest way to solve this problem would be to assign the Storage Queue Data Reader role to the user or add the "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read" permission in dataActions in the custom role.
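As an added illustration (not part of the question or the answer), the following Python models how Azure RBAC evaluates a role definition against a requested operation: control-plane operations are matched against actions/notActions, data-plane operations only against dataActions/notDataActions, so a wildcard in actions never reaches the data plane. The role dict is a constructed, abbreviated copy of the one in the question with a placeholder scope; the function names (is_allowed, with_data_action, explain) are mine, and the model deliberately ignores assignment scope and deny assignments.

```python
import copy
import fnmatch

# Constructed, abbreviated copy of the custom role from the question.
# Only the fields that matter for evaluation are kept; id and scope are placeholders.
ORIGINAL_ROLE = {
    "properties": {
        "roleName": "ContributorBPMD(custom)",
        "assignableScopes": ["/providers/Microsoft.Management/managementGroups/PLACEHOLDER"],
        "permissions": [
            {
                "actions": ["*"],
                "notActions": [
                    "Microsoft.Storage/storageAccounts/delete",
                    "Microsoft.Storage/storageAccounts/privateEndpointConnections/delete",
                    "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
                ],
                "dataActions": [],
                "notDataActions": [],
            }
        ],
    }
}

# The data action the answer recommends adding.
QUEUE_MESSAGE_READ = "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"


def _matches_any(operation, patterns):
    # Azure RBAC wildcard semantics: '*' matches any run of characters, including '/'.
    return any(fnmatch.fnmatchcase(operation, p) for p in patterns)


def is_allowed(role, operation, data_plane):
    """Return True if any permission block in `role` grants `operation`.

    Control-plane (management) operations are checked against actions/notActions;
    data-plane operations only against dataActions/notDataActions. The two pairs of
    lists never cross over, which is why actions: ["*"] grants nothing on the data plane.
    Assignment scope and deny assignments are out of scope for this model (assumption).
    """
    allow_key, deny_key = (
        ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    )
    for perm in role["properties"]["permissions"]:
        granted = _matches_any(operation, perm.get(allow_key, []))
        excluded = _matches_any(operation, perm.get(deny_key, []))
        if granted and not excluded:
            return True
    return False


def with_data_action(role, data_action):
    """Return a copy of `role` whose first permission block also grants `data_action`."""
    fixed = copy.deepcopy(role)
    fixed["properties"]["permissions"][0]["dataActions"].append(data_action)
    return fixed


def explain(role, operation, data_plane):
    """One-line verdict in the style of the error the user saw."""
    plane = "data-plane" if data_plane else "control-plane"
    verdict = "allowed" if is_allowed(role, operation, data_plane) else "NOT authorized"
    return f"{plane:13} {operation}: {verdict}"


if __name__ == "__main__":
    # Control plane: "*" minus notActions behaves as the role author expected.
    print(explain(ORIGINAL_ROLE, "Microsoft.Storage/storageAccounts/read", False))
    print(explain(ORIGINAL_ROLE, "Microsoft.Storage/storageAccounts/delete", False))
    # Data plane: reading queue messages matches nothing in the empty dataActions list.
    print(explain(ORIGINAL_ROLE, QUEUE_MESSAGE_READ, True))
    # The same role with the data action from the answer added.
    fixed_role = with_data_action(ORIGINAL_ROLE, QUEUE_MESSAGE_READ)
    print(explain(fixed_role, QUEUE_MESSAGE_READ, True))
```

Running the block prints the original role allowing a control-plane read and refusing the delete listed in notActions, then refusing the queue message read until the data action is added. The same evaluation shape applies to any Azure data-plane operation (blob, table, Key Vault with RBAC enabled): if the operation name lives in the provider's dataActions namespace, only DataActions can grant it.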