Revise role assignment for Translator resource #739
Updated role assignment instructions to include both 'Storage Blob Data Reader' and 'Storage Blob Data Contributor' roles for the managed identity and Translator resource, per this answer: https://learn.microsoft.com/en-us/answers/questions/2111402/error-(invaliddocumentaccesslevel)-cannot-access-s . It fails without the explicit granting of Storage Blob Data Reader

@HiltonGiesenow : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

Learn Build status updates of commit 05b6996: ✅ Validation status: passed
For more details, please refer to the build report.

Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
Pull request overview
This PR updates the Translator v3 connector document-translation flow tutorial to reflect that the Translator resource’s system-assigned managed identity needs both Storage Blob Data Reader and Storage Blob Data Contributor role assignments to reliably access Azure Blob Storage during document translation.
Changes:
- Update the role assignment guidance to include Storage Blob Data Reader in addition to Storage Blob Data Contributor.
- Expand the role assignment steps to instruct adding the Reader role first, then adding the Contributor role.
| #### Role assignment | ||
|
|
||
| Next, assign a **`Storage Blob Data Contributor`** role to the managed identity *at the* storage scope for your storage resource. | ||
| Next, assign the **`Storage Blob Data Reader`** and **`Storage Blob Data Contributor`** roles to the managed identity at the storage scope for your storage resource. |
| :::image type="content" source="../../media/managed-identities/azure-role-assignments-page-portal.png" alt-text="Screenshot: Azure role assignments page in the Azure portal."::: | ||
|
|
||
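Review bot: The added sentence that requires both **`Storage Blob Data Reader`** and **`Storage Blob Data Contributor`** at the storage scope gives no reason for the Reader role, and the page's own description of Contributor ("read, write, and delete access") makes the extra assignment look redundant. Add one sentence stating that document translation fails without the explicit Reader assignment (the PR description points to an InvalidDocumentAccessLevel error), so that a later least-privilege cleanup of the identity's roles does not remove it.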
| 1. Finally, assign a **Storage Blob Data Contributor** role to your Translator resource. The **Storage Blob Data Contributor** role gives Translator (represented by the system-assigned managed identity) read, write, and delete access to the blob container and data. In the **`Add role assignment`** pop-up window, complete the fields as follows and select **Save**: | ||
| 1. Finally, assign both **Storage Blob Data Reader** and **Storage Blob Data Contributor** roles to your Translator resource. The **Storage Blob Data Reader** role gives Translator (represented by the system-assigned managed identity) read access to the source container and blobs and the **Storage Blob Data Contributor** role gives Translator read, write, and delete access to the destination blob container and data. To start, assign the **Storage Blob Data Reader** role as follows: In the **`Add role assignment`** pop-up window, complete the fields as follows and select **Save**: |
| |**Subscription**| ***The subscription associated with your storage resource***.| | ||
| |**Resource**| ***The name of your storage resource***. | ||
| |**Role** | ***Storage Blob Data Contributor***.| | ||
| |**Role** | ***Storage Blob Data Reader***.| |
|
|
||
| :::image type="content" source="../../media/managed-identities/assigned-roles-window.png" alt-text="Screenshot: Azure role assignments window."::: | ||
|
|
||
| 1. Repeat the previous 3 steps for the **Storage Blob Data Contributor** role. |
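Review bot: The rewritten "Finally" step says the Reader role covers the source container and the Contributor role covers the destination container, but the table that follows sets **Resource** to the name of the storage resource, so both roles are granted across the whole storage resource rather than per container. Either describe both roles as applying to the storage resource, or add steps that scope each assignment to its own container. Separately, "Repeat the previous 3 steps" is ambiguous in a list where every item is numbered `1.`, and the Contributor row has been removed from the table; naming the steps, or repeating the table with **Role** set to ***Storage Blob Data Contributor***, would keep a reader from stopping after the Reader assignment.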

This pull request has been inactive for at least 14 days. If you are finished with your changes, don't forget to sign off. See the contributor guide for instructions.