| title | titleSuffix | description | author | ms.author | ms.service | ms.topic | ms.date | ms.reviewer |
|---|---|---|---|---|---|---|---|---|
| Actions and attributes for Azure role assignment conditions for Azure Blob Storage | Azure Storage | Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) for Azure Blob Storage. | pauljewellmsft | pauljewell | azure-blob-storage | conceptual | 04/01/2024 | nachakra |
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that a specific permission or DataAction affects, see Permissions for Blob service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
[!INCLUDE storage-abac-preview]
Multiple Storage service operations can be associated with a single permission or DataAction. However, each of the operations associated with the same permission might support different parameters. Suboperations let you differentiate between service operations that require the same permission but support a different set of attributes for conditions. By using a suboperation, you can specify one condition for access to the subset of operations that support a given parameter, and another condition for operations with the same action that don't support that parameter.
For example, the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` action is required for over a dozen different service operations. Some of these operations accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` action itself, the operations that don't accept tags as a request parameter can't evaluate the condition, and the authorization access check fails for them.
In this case, the optional suboperation `Blob.Write.WithTagHeaders` can be used to apply the condition only to those operations that support blob index tags as a request parameter.
Note
Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see Manage and find Azure Blob data with blob index tags.
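The suboperation behavior described above, as an added example that is not from the original article or from Azure itself: a simplified Python model of the same condition written once against the bare `blobs/write` action and once scoped with `Blob.Write.WithTagHeaders`. It assumes, following the text, that an operation which cannot supply the requested tag attribute fails the attribute check; the request objects are constructed samples, not captured Azure requests.

```python
"""Constructed model of a role assignment condition with and without the
Blob.Write.WithTagHeaders suboperation. Illustrative Python only, not the
Azure authorization engine; the request objects are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
TAG_KEYS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&"
WITH_TAG_HEADERS = "Blob.Write.WithTagHeaders"


@dataclass
class Request:
    """One authorization check: the DataAction, the suboperation (if any) and
    the request attributes that this particular operation actually carries."""
    action: str
    suboperation: Optional[str] = None
    attrs: Dict[str, List[str]] = field(default_factory=dict)


def action_matches(req: Request, action: str) -> bool:
    return req.action == action


def suboperation_matches(req: Request, subop: str) -> bool:
    return req.suboperation == subop


def tag_keys_all_in(req: Request, allowed: set) -> bool:
    """@Request[...tags&$keys$&] ForAllOfAnyValues:StringEquals {allowed}.
    Assumption taken from the article: an operation that doesn't accept tag
    headers can't evaluate this attribute, so the check fails for it."""
    keys = req.attrs.get(TAG_KEYS)
    if keys is None:
        return False
    return all(k in allowed for k in keys)


def condition_on_write_action(req: Request) -> bool:
    """( !(ActionMatches{write}) OR tag check ): scoped by the action alone."""
    return (not action_matches(req, WRITE)) or tag_keys_all_in(req, {"Project"})


def condition_on_suboperation(req: Request) -> bool:
    """( !(ActionMatches{write} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
    OR tag check ): only tag-carrying write operations are subject to the check."""
    targeted = action_matches(req, WRITE) and suboperation_matches(req, WITH_TAG_HEADERS)
    return (not targeted) or tag_keys_all_in(req, {"Project"})


# Constructed sample requests (not captured from a real storage account).
PUT_BLOB_TAGGED = Request(WRITE, WITH_TAG_HEADERS, {TAG_KEYS: ["Project"]})
PUT_BLOB_UNTAGGED = Request(WRITE, WITH_TAG_HEADERS)   # Put Blob without tag headers
SET_BLOB_TIER = Request(WRITE, "Blob.Write.Tier")      # same action, cannot carry tags
GET_BLOB = Request(READ)                               # different action entirely


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """Return the outcome of each condition shape for each sample request."""
    samples = {"put_blob_tagged": PUT_BLOB_TAGGED, "put_blob_untagged": PUT_BLOB_UNTAGGED,
               "set_blob_tier": SET_BLOB_TIER, "get_blob": GET_BLOB}
    return {
        "on_write_action": {n: condition_on_write_action(r) for n, r in samples.items()},
        "on_suboperation": {n: condition_on_suboperation(r) for n, r in samples.items()},
    }


if __name__ == "__main__":
    for shape, results in evaluate_all().items():
        print(shape)
        for name, allowed in results.items():
            print(f"  {name:<18} {'allowed' if allowed else 'denied'}")
```

Set Blob Tier is denied under the action-only condition because it can never satisfy a tag check, while the suboperation-scoped condition leaves it untouched and still rejects an untagged Put Blob.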
This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions. They're summarized in the following table:
[!div class="mx-tableFixed"]
| Display name | DataAction | Suboperation |
|---|---|---|
| Read operations | | |
| Find blobs by tags | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action` | n/a |
| List blobs | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | `Blob.List` |
| Read a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | NOT `Blob.List` |
| Read blob index tags | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read` | n/a |
| Read content from a blob with tag conditions (deprecated) | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | `Blob.Read.WithTagConditions` |
| Write operations | | |
| Create a blob or snapshot, or append data | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` | n/a |
| Delete a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` | n/a |
| Delete a version of a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action` | n/a |
| Permanently delete a blob overriding soft-delete | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action` | n/a |
| Rename a file or a directory | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action` | n/a |
| Sets the access tier on a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` | `Blob.Write.Tier` |
| Write blob index tags | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` | n/a |
| Write blob legal hold and immutability policy | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action` | n/a |
| Write to a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` | n/a |
| Write to a blob with blob index tags | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`<br/>`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` | `Blob.Write.WithTagHeaders` |
| Permissions operations | | |
| Change ownership of a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action` | n/a |
| Modify permissions of a blob | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action` | n/a |
| HNS operations | | |
| All data operations for accounts with hierarchical namespace enabled | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action` | n/a |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | List blobs |
| Description | List blobs operation. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |
| Suboperation | `Blob.List` |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name |
| Request attributes | Blob prefix |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})`<br/>Example: Read or list blobs in named containers with a path |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Read a blob |
| Description | All blob read operations excluding list. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |
| Suboperation | NOT `Blob.List` |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Encryption scope name |
| Request attributes | Version ID<br/>Snapshot |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})`<br/>Example: Read blobs in named containers with a path |
Important
The Read content from a blob with tag conditions suboperation has been deprecated. Although it is still supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.
When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.
If you're authoring your own condition to restrict read access by tag conditions, see Example: Read blobs with a blob index tag.
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Read blob index tags |
| Description | DataAction for reading blob index tags. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Blob index tags [Values in key]<br/>Blob index tags [Keys] |
| Request attributes | Version ID<br/>Snapshot |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Learn more | Manage and find Azure Blob data with blob index tags |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Find blobs by tags |
| Description | DataAction for finding blobs by index tags. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Write to a blob |
| Description | DataAction for writing to blobs. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Encryption scope name |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})`<br/>Example: Read, write, or delete blobs in named containers |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Sets the access tier on a blob |
| Description | DataAction for writing to blobs. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` |
| Suboperation | `Blob.Write.Tier` |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Encryption scope name |
| Request attributes | Version ID<br/>Snapshot |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.Tier'})` |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Write to a blob with blob index tags |
| Description | REST operations: Put Blob, Put Block List, Copy Blob and Copy Blob From URL. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`<br/>`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` |
| Suboperation | `Blob.Write.WithTagHeaders` |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Encryption scope name |
| Request attributes | Blob index tags [Values in key]<br/>Blob index tags [Keys] |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})`<br/>`!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})`<br/>Example: New blobs must include a blob index tag |
| Learn more | Manage and find Azure Blob data with blob index tags |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Create a blob or snapshot, or append data |
| Description | DataAction for creating blobs. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Encryption scope name |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})`<br/>Example: Read, write, or delete blobs in named containers |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Write blob index tags |
| Description | DataAction for writing blob index tags. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path<br/>Blob index tags [Values in key]<br/>Blob index tags [Keys] |
| Request attributes | Blob index tags [Values in key]<br/>Blob index tags [Keys]<br/>Version ID<br/>Snapshot |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})`<br/>Example: Existing blobs must have blob index tag keys |
| Learn more | Manage and find Azure Blob data with blob index tags |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Write Blob legal hold and immutability policy |
| Description | DataAction for writing Blob legal hold and immutability policy. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Delete a blob |
| Description | DataAction for deleting blobs. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | Version ID<br/>Snapshot |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})`<br/>Example: Read, write, or delete blobs in named containers |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Delete a version of a blob |
| Description | DataAction for deleting a version of a blob. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | Version ID |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | `!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})`<br/>Example: Delete old blob versions |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Permanently delete a blob overriding soft-delete |
| Description | DataAction for permanently deleting a blob overriding soft-delete. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | Version ID<br/>Snapshot |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Modify permissions of a blob |
| Description | DataAction for modifying permissions of a blob. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Change ownership of a blob |
| Description | DataAction for changing ownership of a blob. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Rename a file or a directory |
| Description | DataAction for renaming files or directories. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | All data operations for accounts with hierarchical namespace enabled |
| Description | DataAction for all data operations on storage accounts with hierarchical namespace enabled.<br/>If your role definition includes the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action` action, you should target this action in your condition. Targeting this action ensures the condition will still work as expected if hierarchical namespace is enabled for a storage account. |
| DataAction | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action` |
| Suboperation | n/a |
| Resource attributes | Account name<br/>Is Current Version<br/>Is hierarchical namespace enabled<br/>Container name<br/>Blob path |
| Request attributes | |
| Principal attributes support | True |
| Environment attributes | Is private link<br/>Private endpoint<br/>Subnet<br/>UTC now |
| Examples | Example: Read, write, or delete blobs in named containers<br/>Example: Read blobs in named containers with a path<br/>Example: Read or list blobs in named containers with a path<br/>Example: Write blobs in named containers with a path<br/>Example: Read only current blob versions<br/>Example: Read current blob versions and any blob snapshots<br/>Example: Read only storage accounts with hierarchical namespace enabled |
| Learn more | Azure Data Lake Storage Gen2 hierarchical namespace |
This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:
| Attribute source | Display name | Description |
|---|---|---|
| Environment | | |
| | Is private link | Whether access is over a private link |
| | Private endpoint | The private endpoint over which an object is accessed |
| | Subnet | The subnet over which an object is accessed |
| | UTC now | The current date and time in Coordinated Universal Time |
| Request | | |
| | Blob index tags [Keys] | Index tags on a blob resource (keys); available only for storage accounts where hierarchical namespace is not enabled |
| | Blob index tags [Values in key] | Index tags on a blob resource (values in key); available only for storage accounts where hierarchical namespace is not enabled |
| | Blob prefix | Allowed prefix of blobs to be listed |
| | List blob include | Information that can be included with listing operations, such as metadata, snapshots, or versions |
| | Snapshot | The Snapshot identifier for the Blob snapshot |
| | Version ID | The version ID of the versioned blob; available only for storage accounts where hierarchical namespace is not enabled |
| Resource | | |
| | Account name | The storage account name |
| | Blob index tags [Keys] | Index tags on a blob resource (keys) |
| | Blob index tags [Values in key] | Index tags on a blob resource (values in key) |
| | Blob path | Path of a virtual directory, blob, folder or file resource |
| | Container name | Name of a storage container or file system |
| | Container metadata | Metadata key/value pair associated with a container |
| | Encryption scope name | Name of the encryption scope used to encrypt data |
| | Is current version | Whether the resource is the current version of the blob |
| | Is hierarchical namespace enabled | Whether hierarchical namespace is enabled on the storage account |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Account name |
| Description | Name of a storage account. |
| Attribute | `Microsoft.Storage/storageAccounts:name` |
| Attribute source | Resource |
| Attribute type | String |
| Examples | `@Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'`<br/>Example: Read or write blobs in named storage account with specific encryption scope |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Blob index tags [Keys] |
| Description | Index tags on a blob resource.<br/>Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check the key in blob index tags.<br/>Available only for storage accounts where hierarchical namespace is not enabled. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&` |
| Attribute source | Resource<br/>Request |
| Attribute type | StringList |
| Is key case sensitive | True |
| Hierarchical namespace support | False |
| Examples | `@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}`<br/>Example: Existing blobs must have blob index tag keys |
| Learn more | Manage and find Azure Blob data with blob index tags<br/>Azure Data Lake Storage Gen2 hierarchical namespace |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Blob index tags [Values in key] |
| Description | Index tags on a blob resource.<br/>Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags.<br/>Available only for storage accounts where hierarchical namespace is not enabled. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags` |
| Attribute source | Resource<br/>Request |
| Attribute type | String |
| Is key case sensitive | True |
| Hierarchical namespace support | False |
| Examples | `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:keyname<$key_case_sensitive$>]`<br/>`@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'`<br/>Example: Read blobs with a blob index tag |
| Learn more | Manage and find Azure Blob data with blob index tags<br/>Azure Data Lake Storage Gen2 hierarchical namespace |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Blob path |
| Description | Path of a virtual directory, blob, folder or file resource.<br/>Use when you want to check the blob name or folders in a blob path. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path` |
| Attribute source | Resource |
| Attribute type | String |
| Examples | `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'`<br/>Example: Read blobs in named containers with a path |
Note
When specifying conditions for the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path` attribute, the values shouldn't include the container name or a preceding slash (`/`) character. Use the path characters without any URL encoding.
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Blob prefix |
| Description | Allowed prefix of blobs to be listed.<br/>Path of a virtual directory or folder resource. Use when you want to check the folders in a blob path. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix` |
| Attribute source | Request |
| Attribute type | String |
| Examples | `@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'`<br/>Example: Read or list blobs in named containers with a path |
Note
When specifying conditions for the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix` attribute, the values shouldn't include the container name or a preceding slash (`/`) character. Use the path characters without any URL encoding.
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Container name |
| Description | Name of a storage container or file system.<br/>Use when you want to check the container name. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers:name` |
| Attribute source | Resource |
| Attribute type | String |
| Examples | `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'`<br/>Example: Read, write, or delete blobs in named containers |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Container metadata |
| Description | Metadata key/value pair associated with a container.<br/>Use when you want to check specific metadata for a container. Currently in preview. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/metadata` |
| Attribute source | Resource |
| Attribute type | String |
| Examples | `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'`<br/>Example: Read blobs in a container with specific metadata<br/>Example: Write or delete blobs in container with specific metadata |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Encryption scope name |
| Description | Name of the encryption scope used to encrypt data. |
| Attribute | `Microsoft.Storage/storageAccounts/encryptionScopes:name` |
| Attribute source | Resource |
| Attribute type | String |
| Exists support | True |
| Examples | `@Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}`<br/>Example: Read blobs with specific encryption scopes |
| Learn more | Create and manage encryption scopes |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Is Current Version |
| Description | Whether the resource is the current version of the blob, in contrast to a snapshot or a specific blob version. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion` |
| Attribute source | Resource |
| Attribute type | Boolean |
| Examples | `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true`<br/>Example: Read only current blob versions<br/>Example: Read current blob versions and a specific blob version |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Is hierarchical namespace enabled |
| Description | Whether hierarchical namespace is enabled on the storage account.<br/>Applicable only at resource group scope or higher. |
| Attribute | `Microsoft.Storage/storageAccounts:isHnsEnabled` |
| Attribute source | Resource |
| Attribute type | Boolean |
| Examples | `@Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true`<br/>Example: Read only storage accounts with hierarchical namespace enabled |
| Learn more | Azure Data Lake Storage Gen2 hierarchical namespace |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Is private link |
| Description | Whether access is over a private link.<br/>Use to require access over any private link. |
| Attribute | `isPrivateLink` |
| Attribute source | Environment |
| Attribute type | Boolean |
| Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:<br/>Copy Blob<br/>Copy Blob From URL<br/>Put Blob From URL<br/>Put Block From URL<br/>Append Block From URL<br/>Put Page From URL<br/>For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
| Examples | `@Environment[isPrivateLink] BoolEquals true`<br/>Example: Require private link access to read blobs with high sensitivity |
| Learn more | Use private endpoints for Azure Storage |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | List blob include |
| Description | Information that can be included with a List Blobs operation, such as metadata, snapshots, or versions.<br/>Use when you want to allow or restrict values for the `include` parameter when calling the List Blobs operation.<br/>Currently in preview. Available only for storage accounts where hierarchical namespace is not enabled. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include` |
| Attribute source | Request |
| Attribute type | String |
| Examples | `@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}`<br/>`@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}`<br/>Example: Allow list blob operation to include blob metadata, snapshots, or versions<br/>Example: Restrict list blob operation to not include blob metadata |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Private endpoint |
| Description | The private endpoint over which an object is accessed.<br/>Use to restrict access over a specific private endpoint.<br/>Available only for storage accounts in subscriptions that have at least one private endpoint configured. |
| Attribute | `Microsoft.Network/privateEndpoints` |
| Attribute source | Environment |
| Attribute type | String |
| Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:<br/>Copy Blob<br/>Copy Blob From URL<br/>Put Blob From URL<br/>Put Block From URL<br/>Append Block From URL<br/>Put Page From URL<br/>For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
| Examples | `@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'`<br/>Example: Allow read access to a container only from a specific private endpoint |
| Learn more | Use private endpoints for Azure Storage |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Snapshot |
| Description | The Snapshot identifier for the Blob snapshot.<br/>Available only for storage accounts where hierarchical namespace is not enabled, and currently in preview for storage accounts where hierarchical namespace is enabled. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot` |
| Attribute source | Request |
| Attribute type | DateTime |
| Exists support | True |
| Hierarchical namespace support | False |
| Examples | `Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]`<br/>Example: Read current blob versions and any blob snapshots |
| Learn more | Blob snapshots<br/>Azure Data Lake Storage Gen2 hierarchical namespace |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Subnet |
| Description | The subnet over which an object is accessed.<br/>Use to restrict access to a specific subnet.<br/>Available only for storage accounts in subscriptions that have at least one virtual network subnet using service endpoints configured. |
| Attribute | `Microsoft.Network/virtualNetworks/subnets` |
| Attribute source | Environment |
| Attribute type | String |
| Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:<br/>Copy Blob<br/>Copy Blob From URL<br/>Put Blob From URL<br/>Put Block From URL<br/>Append Block From URL<br/>Put Page From URL<br/>For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
| Examples | `@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'`<br/>Example: Allow access to blobs in specific containers from a specific subnet |
| Learn more | Subnets |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | UTC now |
| Description | The current date and time in Coordinated Universal Time.<br/>Use to control access to objects for a specific date and time period. |
| Attribute | `UtcNow` |
| Attribute source | Environment |
| Attribute type | DateTime<br/>(Only the operators DateTimeGreaterThan and DateTimeLessThan are supported for the UTC now attribute.) |
| Examples | `@Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'`<br/>Example: Allow read access to blobs after a specific date and time |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Version ID |
| Description | The version ID of the versioned Blob.<br/>Available only for storage accounts where hierarchical namespace is not enabled. |
| Attribute | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId` |
| Attribute source | Request |
| Attribute type | DateTime |
| Exists support | True |
| Hierarchical namespace support | False |
| Examples | `@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'`<br/>Example: Read current blob versions and a specific blob version<br/>Example: Read current blob versions and any blob snapshots |
| Learn more | Azure Data Lake Storage Gen2 hierarchical namespace |