Azure Storage Blobs: Access Permissions
This tutorial demonstrates how to manage access permissions for blobs in Azure Storage. Securely controlling access to your data is crucial for maintaining the integrity and privacy of your applications.
Understanding Access Control in Azure Blob Storage
Azure Blob Storage offers several mechanisms to control who can access your blob data. The primary methods include:
- Access Control Lists (ACLs): For fine-grained control at the container or blob level using Shared Access Signatures (SAS) and Azure Role-Based Access Control (RBAC).
- Shared Access Signatures (SAS): Provide delegated access to resources in your storage account, allowing clients to make requests with specific permissions and for a limited time.
- Azure Role-Based Access Control (RBAC): Assigns roles to users, groups, or service principals to grant access to Azure resources, including storage accounts.
Creating and Managing Shared Access Signatures (SAS)
SAS tokens are a powerful way to delegate access without sharing your account keys. You can generate SAS tokens for service, container, or blob levels.
Generating a Blob SAS Token using Azure CLI
Here's an example of how to generate a blob SAS token with read permissions for 1 hour using the Azure CLI:
# Expiry set to one hour from now, in the UTC format the CLI expects (GNU date syntax)
az storage blob generate-sas \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name myblob.txt \
  --permissions r \
  --expiry "$(date -u -d '+1 hour' '+%Y-%m-%dT%H:%MZ')" \
  --output tsv
The output will be a SAS token that you can append to the blob's URL.
Generating a Container SAS Token
Similarly, you can generate a SAS token for an entire container:
az storage container generate-sas \
  --account-name mystorageaccount \
  --name mycontainer \
  --permissions r \
  --expiry 2024-12-31T10:00:00Z \
  --output tsv
Tip: Always generate SAS tokens with the minimum necessary permissions and for the shortest possible duration to enhance security.
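As an added example that is not part of the original tutorial, the following Python script audits SAS URLs found in configuration files or logs against the tip above (minimum permissions, shortest duration): it parses the token's query parameters and flags write/delete/create permissions, listing rights on a container SAS, lifetimes beyond a threshold, a missing HTTPS restriction, and signing with the account key rather than a user delegation key. The sample URLs, the fixed "now" and the 24-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample SAS URLs for the audit; the sig values are dummies, not real signatures.
SAMPLE_URLS = [
    "https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-12-31T10:00:00Z&spr=https&sig=DUMMY1",
    "https://mystorageaccount.blob.core.windows.net/mycontainer"
    "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&sig=DUMMY2",
]
NOW = datetime(2024, 12, 31, 9, 0, tzinfo=timezone.utc)  # constructed clock; use datetime.now(timezone.utc) in practice
MAX_LIFETIME_HOURS = 24  # assumed policy threshold for an ad-hoc SAS lifetime


def parse_sas(url):
    """Return the SAS query parameters (sv, sp, se, sr, spr, skoid, ...) as a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_expiry(se):
    """Parse the se parameter; Azure accepts both second and minute precision in UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url, now=NOW):
    """Return the list of policy findings for one SAS URL (an empty list means clean)."""
    p = parse_sas(url)
    findings = []
    perms = set(p.get("sp", ""))
    if perms & set("wdc"):  # write, delete, create go beyond read-only delegation
        findings.append("grants write/delete/create permissions: " + p["sp"])
    if "l" in perms and p.get("sr") == "c":
        findings.append("container SAS allows listing blobs")
    expiry = parse_expiry(p["se"]) if "se" in p else None
    if expiry is None:
        findings.append("missing or unparseable expiry (se)")
    elif expiry - now > timedelta(hours=MAX_LIFETIME_HOURS):
        findings.append(f"expiry more than {MAX_LIFETIME_HOURS}h away: {p['se']}")
    if p.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if "skoid" not in p:  # a user delegation SAS carries the signing identity in skoid
        findings.append("signed with the account key, not a user delegation key")
    return findings


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u.split("?")[0], audit_sas(u) or ["clean"])
```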
Using Azure RBAC for Storage Access
RBAC allows you to grant broad permissions to individuals or services. Common roles for storage include:
- Storage Blob Data Reader: Allows read access to blob data.
- Storage Blob Data Contributor: Allows read, write, and delete access to blob data.
- Storage Blob Data Owner: Full control over blob data, including managing access policies.
Assigning a Role using Azure Portal
- Navigate to your storage account in the Azure portal.
- Under Access control (IAM), select Add > Add role assignment.
- Choose the desired role (e.g., Storage Blob Data Reader).
- Select the members (users, groups, or service principals) to assign the role to.
- Click Save.
Important: RBAC roles are assigned at the subscription, resource group, or resource level. Ensure you assign roles at the most specific level required.
Container Access Levels
Azure Blob Storage supports different public access levels for containers:
- Private (No anonymous access): Access is restricted to authenticated users. This is the default and most secure option.
- Blob (Anonymous read access for blobs): Anonymous users can read the blobs within the container, but container metadata is not accessible.
- Container (Anonymous read access for containers and blobs): Anonymous users can read blobs and container metadata.
Setting Container Access Level using Azure Portal
- Navigate to your storage account in the Azure portal.
- Under Data storage, select Containers.
- Click on the container you want to configure.
- In the container's overview page, click Change access level.
- Select the desired public access level and click OK.
Note: Setting a container to public access can expose your data. Use this setting with caution and only when necessary.
Best Practices for Blob Access Permissions
- Principle of Least Privilege: Grant only the permissions necessary for a user or application to perform its task.
- Use SAS for Temporary Access: SAS tokens are ideal for granting time-limited access to specific resources.
- Leverage RBAC for Long-Term Access: Use RBAC for managing access for users and applications that require ongoing permissions.
- Regularly Review Permissions: Periodically audit access permissions to ensure they are still appropriate and remove any unnecessary access.
- Secure Your Account Keys: Never share your storage account access keys directly. Use managed identities or SAS tokens whenever possible.
Success: By implementing these access control strategies, you can significantly enhance the security posture of your Azure Blob Storage data.