This role grants the blob data permissions the automation job needs while avoiding storage account keys or SAS tokens. Assigning it at the container scope ensures the identity can work only inside the configs container and cannot touch unrelated containers. It is the narrowest assignment that still allows upload and overwrite operations, which makes it the best least-privilege choice.
Why this answer
The Storage Blob Data Contributor role at the container scope grants the managed identity the permissions it needs to upload and overwrite blobs (including JSON files) within the 'configs' container, and because the assignment stops at that container it grants no rights to list, delete, or modify other containers in the storage account. This role includes the 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write' data action, which allows overwriting existing blobs, but does not include any actions on the container itself (like listing or deleting containers) or on other containers. Scoping the role to the specific container ensures the principle of least privilege is strictly followed.
Exam trap
The trap here is that candidates often choose Storage Blob Data Owner at the storage account scope (Option B) because they think 'Owner' is necessary for overwriting files, but they overlook that 'Contributor' at the container scope already includes write permission and avoids granting excessive container management rights.
How to eliminate wrong answers
Option B is wrong because Storage Blob Data Owner at the storage account scope grants full control over all blobs and containers in the entire storage account, including the ability to list, delete, and modify any container, which violates the requirement to restrict access to only the 'configs' container. Option C is wrong because Contributor at the resource group scope provides full management access to all resources in the resource group, including the ability to delete the storage account itself, and does not restrict blob-level operations to a single container. Option D is wrong because Storage Queue Data Contributor is designed for Azure Queue storage (messages), not Blob storage (JSON files), and has no permissions to upload or overwrite blobs in a container.
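The container-scoped assignment from "Why this answer" and the broader-scope mistakes listed under "How to eliminate wrong answers" can both be checked in code. The following shell script is an added example, not part of the original explanation: it builds the ARM resource ID of a single blob container, refuses to assign a blob data-plane role at any scope wider than one container (storage account, resource group, or subscription), and then issues the Azure CLI role assignment. The subscription ID, resource group, storage account name, and principal object ID are constructed placeholders; the `az role assignment create` flags used are the real ones.

```shell
#!/bin/sh
# Added example (not the page's own code): least-privilege assignment of
# Storage Blob Data Contributor to a managed identity at container scope.
# All IDs and names below are constructed placeholders.
set -eu

# Build the resource ID of one blob container; this is the RBAC scope.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Succeed only when the scope ends at exactly one container.
# An account-, resource-group- or subscription-level scope fails this check.
is_container_scope() {
  case "$1" in
    */blobServices/default/containers/*/*) return 1 ;;   # path continues past the container
    */providers/Microsoft.Storage/storageAccounts/*/blobServices/default/containers/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assign the role to the managed identity (a ServicePrincipal object in Entra ID).
# With DRY_RUN=1 (the default here) the az command is printed instead of executed.
assign_blob_contributor() {
  principal_id="$1"
  scope="$2"
  if ! is_container_scope "$scope"; then
    echo "refusing: scope is broader than a single container: $scope" >&2
    return 1
  fi
  if [ "${DRY_RUN:-1}" = "1" ] || ! command -v az >/dev/null 2>&1; then
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "Storage Blob Data Contributor" --scope %s\n' \
      "$principal_id" "$scope"
    return 0
  fi
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "$scope"
}

# Demonstration with constructed placeholder values. Set DRY_RUN=0 to execute for real.
: "${DRY_RUN:=1}"
export DRY_RUN
scope=$(container_scope "00000000-0000-0000-0000-000000000000" "rg-automation" "stautomation" "configs")
assign_blob_contributor "11111111-1111-1111-1111-111111111111" "$scope"
```

After a real assignment, `az role assignment list --scope "$scope"` should show exactly one entry for the identity at the container, and the same query against the storage account or resource group scope should show none; that absence is the least-privilege property the answer relies on.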