Tags: azure-blob-storage, azure-storage, shared-access-signatures

Setting Managed Identity for Azure BLOBs

For my Azure Storage Account | BLOBs, I want to use a Managed Identity so that my web app can:

  1. Create the needed containers if they don't already exist
  2. CRUD BLOBs, with metadata set for them
  3. Create a Read access SAS for private BLOBs

Is Storage Blob Data Contributor the correct role to assign?

And what Job function roles or Privileged administrator roles should I set for a user that needs the ability to do anything?

Solution

  • Is Storage Blob Data Contributor the correct role to assign?

    Yes, for the 3 tasks you mentioned this role should be sufficient. However, please note that you can only create a User Delegation SAS using the Storage Blob Data Contributor role. If you want to create a Service SAS or Account SAS, you would need the storage account key.

    Please see these links for more details on the Storage Blob Data Contributor role:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor

    https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-blob-service-operations
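
The three tasks from the question, done end to end with the managed identity and no account key, as an added example (not code from the question or the answer). It uses the Azure SDK for .NET (Azure.Identity, Azure.Storage.Blobs) and assumes the web app's identity already has Storage Blob Data Contributor on the storage account; the account name, container name, blob name and metadata values are placeholders or constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Added example: assumes the calling identity holds Storage Blob Data Contributor
// on the storage account. "<storage-account-name>" is a placeholder.
public static class BlobAccessDemo
{
    public static async Task<Uri> RunAsync()
    {
        const string accountName = "<storage-account-name>"; // placeholder
        var serviceUri = new Uri($"https://{accountName}.blob.core.windows.net");

        // DefaultAzureCredential resolves to the managed identity when running in
        // Azure (and to a developer login locally). No storage key is used anywhere.
        var credential = new DefaultAzureCredential();
        var service = new BlobServiceClient(serviceUri, credential);

        // 1. Create the container if it doesn't already exist (kept private).
        BlobContainerClient container = service.GetBlobContainerClient("private-docs");
        await container.CreateIfNotExistsAsync(PublicAccessType.None);

        // 2. Upload a blob and set metadata on it (constructed sample content).
        BlobClient blob = container.GetBlobClient("report.txt");
        var content = BinaryData.FromString("constructed sample content");
        await blob.UploadAsync(content, overwrite: true);
        await blob.SetMetadataAsync(new Dictionary<string, string>
        {
            ["owner"] = "web-app",          // constructed value
            ["classification"] = "internal" // constructed value
        });

        // 3. Create a read-only user delegation SAS. The delegation key is issued
        // against the identity's Azure AD token, not the account key, which is why
        // Storage Blob Data Contributor suffices here but not for a service/account SAS.
        DateTimeOffset start = DateTimeOffset.UtcNow.AddMinutes(-5); // allow clock skew
        DateTimeOffset expiry = DateTimeOffset.UtcNow.AddHours(1);   // short-lived
        UserDelegationKey key = await service.GetUserDelegationKeyAsync(start, expiry);

        var sas = new BlobSasBuilder
        {
            BlobContainerName = container.Name,
            BlobName = blob.Name,
            Resource = "b",      // "b" = a single blob
            StartsOn = start,
            ExpiresOn = expiry,  // must not exceed the delegation key's validity
        };
        sas.SetPermissions(BlobSasPermissions.Read); // read only, nothing more

        var uriBuilder = new BlobUriBuilder(blob.Uri)
        {
            Sas = sas.ToSasQueryParameters(key, accountName)
        };
        return uriBuilder.ToUri(); // shareable read-only URL for the private blob
    }
}
```

Two points worth keeping in mind when adapting this: the SAS expiry must fall inside the delegation key's validity window (and a user delegation key is itself limited to a maximum of seven days), so keep both short and regenerate rather than caching a long-lived key; and if `GetUserDelegationKeyAsync` fails with an authorization error, the role assignment is usually at the wrong scope or has not yet propagated, which is the first thing to check before reaching for the account key.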