Container Access in Azure Blob Storage
Managing access to your Azure Blob Storage containers is crucial for security and data governance. Azure provides several mechanisms to control who can access your data and what actions they can perform.
Container Access Levels
Each blob container can be configured with one of three public access levels:
- Private: No public access. All access must be authenticated. This is the default setting.
- Blob: Public read access for blobs only. Anonymous users can read blobs within the container, but cannot access container metadata or list blobs.
- Container: Public read access for containers and blobs. Anonymous users can list blobs within the container and read blob content.
You can set the container access level through the Azure portal, Azure CLI, PowerShell, or client libraries.
Setting Access Levels with Azure CLI
# Set to private
az storage container set-permission --account-name <storage-account-name> --name <container-name> --public-access off
# Set to blob access
az storage container set-permission --account-name <storage-account-name> --name <container-name> --public-access blob
# Set to container access
az storage container set-permission --account-name <storage-account-name> --name <container-name> --public-access container
Role-Based Access Control (RBAC)
Azure RBAC provides fine-grained access management to Azure resources, including storage accounts and containers. You can assign roles to users, groups, or service principals to grant them specific permissions.
Common roles for Blob Storage include:
- Storage Blob Data Owner: Full access to Blob Storage data, including read, write, and delete.
- Storage Blob Data Contributor: Read, write, and delete access to Blob Storage data.
- Storage Blob Data Reader: Read access to Blob Storage data.
RBAC is the recommended approach for managing access for authenticated users and applications within your Azure environment.
Shared Access Signatures (SAS)
Shared Access Signatures (SAS) provide a way to delegate limited access to objects in your storage account. A SAS is a URI that contains a security token in its query parameters. This token allows a client to access specific storage resources for a limited period of time, with specific permissions.
SAS tokens can be:
- Service SAS: Generated from a storage account key. Grants access to a specific service (blob, queue, table, or file).
- Account SAS: Generated from the storage account key. Grants access to one or more storage services, and can delegate permissions that are not available on a service SAS.
- User Delegation SAS: Generated using Azure AD credentials. Grants access to Blob Storage and File Storage resources. This is the most secure type of SAS.
Generating a SAS with Azure CLI
This example generates a SAS for a blob with read and write permissions, valid for 1 hour:
# Signing requires the account key (--account-key or the AZURE_STORAGE_KEY
# environment variable); add --auth-mode login --as-user to issue a user
# delegation SAS instead. The expiry is computed as one hour from now in the
# UTC format the CLI expects (GNU date syntax shown).
az storage blob generate-sas \
  --account-name <storage-account-name> \
  --container-name <container-name> \
  --name <blob-name> \
  --permissions rw \
  --expiry "$(date -u -d '+1 hour' '+%Y-%m-%dT%H:%MZ')" \
  --output tsv
The output is the SAS token, a query string. Append it to the blob's URI after a `?` to form the SAS URI that a client can use.
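As an added example (not part of the original page or the Azure CLI), the following stdlib-only Python checker parses the query parameters of a SAS URI and flags grants that fall short of the short-lived, least-privilege pattern described above. The sample URI, account name and 24-hour policy limit are constructed assumptions, and the `sig` value is a placeholder rather than a real signature.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample: a container-scoped SAS with broad permissions, a ten-year
# expiry and no protocol/IP restriction. The sig value is a placeholder, not a
# real HMAC, and the account name is made up.
SAMPLE_SAS_URI = (
    "https://examplestorage.blob.core.windows.net/reports"
    "?sv=2022-11-02&sr=c&sp=rwdl&st=2024-01-01T00:00Z"
    "&se=2034-01-01T00:00Z&sig=PLACEHOLDER_SIGNATURE"
)

def parse_sas(uri):
    """Return the SAS query parameters as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}

def parse_sas_time(value):
    """Parse a SAS timestamp (UTC ISO 8601, with or without seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(uri, now=None, max_lifetime=timedelta(hours=24)):
    """Return a list of findings; an empty list means the SAS passes the policy.
    max_lifetime is an assumed policy value, not an Azure limit."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(uri)
    perms = set(p.get("sp", ""))
    findings = []
    if perms & {"w", "d", "a", "c"}:      # write-class permissions
        findings.append("grants write/delete permissions: sp=" + p["sp"])
    if p.get("sr") == "c" and "l" in perms:
        findings.append("allows listing the whole container (sr=c with l)")
    if "se" not in p:
        findings.append("no expiry (se) set")
    elif parse_sas_time(p["se"]) - now > max_lifetime:
        findings.append("expiry (se) exceeds policy lifetime of " + str(max_lifetime))
    if p.get("spr") != "https":
        findings.append("HTTP not excluded (spr is not https)")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    if "skoid" not in p:
        findings.append("signed with an account key, not a user delegation key (no skoid)")
    return findings
```

Run `audit_sas` over SAS URIs found in application configuration or access logs to spot tokens that should be reissued with narrower scope.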
Access Control Lists (ACLs) for File Shares
While this document focuses on Blob Storage, it's worth noting that Azure Files (often managed alongside Blob Storage) uses Access Control Lists (ACLs) to manage file and directory permissions, similar to POSIX systems.
Best Practices for Container Access
- Principle of Least Privilege: Grant only the necessary permissions to users and applications.
- Use RBAC for Internal Access: Prefer RBAC for managing access for your organization's users and services.
- Use SAS for External/Temporary Access: Utilize SAS tokens for granting temporary, limited access to external parties or for specific application workflows.
- Monitor Access: Regularly review access logs and audit permissions to detect any unauthorized activity.
- Avoid Anonymous Public Access: Unless absolutely necessary for publicly distributed content, keep containers private.
- Secure Storage Account Keys: Treat your storage account keys as highly sensitive. Use Azure Key Vault to manage them.