title | titleSuffix | description | author | ms.author | ms.service | ms.topic | ms.reviewer | ms.custom | ms.date |
---|---|---|---|---|---|---|---|---|---|
Example Azure role assignment conditions for Blob Storage |
Azure Storage |
Example Azure role assignment conditions for Blob Storage. |
pauljewellmsft |
pauljewell |
azure-blob-storage |
conceptual |
nachakra |
devx-track-azurepowershell |
04/01/2024 |
This article lists some examples of role assignment conditions for controlling access to Azure Blob Storage.
[!INCLUDE storage-abac-preview]
For information about the prerequisites to add or edit role assignment conditions, see Conditions prerequisites.
Use the following table to quickly locate an example that fits your ABAC scenario. The table includes a brief description of the scenario, plus a list of attributes used in the example by source (environment, principal, request and resource).
This section includes examples involving blob index tags.
Important
Although the Read content from a blob with tag conditions
suboperation is currently supported for compatibility with conditions implemented during the ABAC feature preview, it has been deprecated and Microsoft recommends using the Read a blob
action instead.
When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob
action.
If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to Example: Read blobs with a blob index tag.
This condition allows users to read blobs with a blob index tag key of Project and a value of Cascade. Attempts to access blobs without this key-value tag isn't allowed.
For this condition to be effective for a security principal, you must add it to all role assignments for them that include the following actions:
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal visual editor.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob Attribute source Resource Attribute Blob index tags [Values in key] Key {keyName} Operator StringEquals Value {keyValue}
:::image type="content" source="./media/storage-auth-abac-examples/blob-index-tags-read-portal.png" alt-text="Screenshot of condition editor in Azure portal showing read access to blobs with a blob index tag." lightbox="./media/storage-auth-abac-examples/blob-index-tags-read-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks for the blob index tag.
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
Get-AzStorageBlob -Container <containerName> -Blob <blobName> -Context $bearerCtx
This condition requires that any new blobs must include a blob index tag key of Project and a value of Cascade.
There are two actions that allow you to create new blobs, so you must target both. You must add this condition to any role assignments that include one of the following actions:
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Write to a blob with blob index tags
Write to a blob with blob index tagsAttribute source Request Attribute Blob index tags [Values in key] Key {keyName} Operator StringEquals Value {keyValue}
:::image type="content" source="./media/storage-auth-abac-examples/blob-index-tags-new-blobs-portal.png" alt-text="Screenshot of condition editor in Azure portal showing new blobs must include a blob index tag." lightbox="./media/storage-auth-abac-examples/blob-index-tags-new-blobs-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$localSrcFile = # path to an example file, can be an empty txt
$ungrantedTag = @{'Project'='Baker'}
$grantedTag = @{'Project'='Cascade'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example2 -Blob "Example2.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example2 -Blob "Example2.txt" -Tag $grantedTag -Context $bearerCtx
This condition requires that any existing blobs be tagged with at least one of the allowed blob index tag keys: Project or Program. This condition is useful for adding governance to existing blobs.
There are two actions that allow you to update tags on existing blobs, so you must target both. You must add this condition to any role assignments that include one of the following actions:
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Write to a blob with blob index tags
Write blob index tagsAttribute source Request Attribute Blob index tags [Keys] Operator ForAllOfAnyValues:StringEquals Value {keyName1}
{keyName2}
:::image type="content" source="./media/storage-auth-abac-examples/blob-index-tags-keys-portal.png" alt-text="Screenshot of condition editor in Azure portal showing existing blobs must have blob index tag keys." lightbox="./media/storage-auth-abac-examples/blob-index-tags-keys-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&`$keys`$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$localSrcFile = # path to an example file, can be an empty txt
$ungrantedTag = @{'Mode'='Baker'}
$grantedTag = @{'Program'='Alpine';'Project'='Cascade'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example3 -Blob "Example3.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example3 -Blob "Example3.txt" -Tag $grantedTag -Context $bearerCtx
This condition requires that any existing blobs to have a blob index tag key of Project and values of Cascade, Baker, or Skagit. This condition is useful for adding governance to existing blobs.
There are two actions that allow you to update tags on existing blobs, so you must target both. You must add this condition to any role assignments that include one of the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Write to a blob with blob index tags
Write blob index tagsAttribute source Request Attribute Blob index tags [Keys] Operator ForAnyOfAnyValues:StringEquals Value {keyName} Operator And Expression 2 Attribute source Request Attribute Blob index tags [Values in key] Key {keyName} Operator ForAllOfAnyValues:StringEquals Value {keyValue1}
{keyValue2}
{keyValue3}
:::image type="content" source="./media/storage-auth-abac-examples/blob-index-tags-key-values-portal.png" alt-text="Screenshot of condition editor in Azure portal showing existing blobs must have a blob index tag key and values." lightbox="./media/storage-auth-abac-examples/blob-index-tags-key-values-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAnyOfAnyValues:StringEquals {'Project'}
AND
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] ForAllOfAnyValues:StringEquals {'Cascade', 'Baker', 'Skagit'}
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&`$keys`$&] ForAnyOfAnyValues:StringEquals {'Project'} AND @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] ForAllOfAnyValues:StringEquals {'Cascade', 'Baker', 'Skagit'}))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$localSrcFile = <pathToLocalFile>
$ungrantedTag = @{'Project'='Alpine'}
$grantedTag1 = @{'Project'='Cascade'}
$grantedTag2 = @{'Project'='Baker'}
$grantedTag3 = @{'Project'='Skagit'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag1 -Context $bearerCtx
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag2 -Context $bearerCtx
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag3 -Context $bearerCtx
This section includes examples showing how to restrict access to objects based on container name or blob path.
This condition allows users to read, write, or delete blobs in storage containers named blobs-example-container. This condition is useful for sharing specific storage containers with other users in a subscription.
There are five actions for read, write, and delete of existing blobs. You must add this condition to any role assignments that include one of the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.
Suboperations aren't used in this condition because the suboperation is needed only when conditions are authored based on tags.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Delete a blob
Read a blob
Write to a blob
Create a blob or snapshot, or append data
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Container name Operator StringEquals Value {containerName}
:::image type="content" source="./media/storage-auth-abac-examples/containers-read-write-delete-portal.png" alt-text="Screenshot of condition editor in Azure portal showing read, write, or delete blobs in named containers." lightbox="./media/storage-auth-abac-examples/containers-read-write-delete-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
)
)
Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$localSrcFile = <pathToLocalFile>
$grantedContainer = "blobs-example-container"
$ungrantedContainer = "ungranted"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Ungranted Container actions
$content = Set-AzStorageBlobContent -File $localSrcFile -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Get-AzStorageBlobContent -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Remove-AzStorageBlob -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
# Granted Container actions
$content = Set-AzStorageBlobContent -File $localSrcFile -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Remove-AzStorageBlob -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
This condition allows read access to storage containers named blobs-example-container with a blob path of readonly/*. This condition is useful for sharing specific parts of storage containers for read access with other users in the subscription.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Container name Operator StringEquals Value {containerName} Expression 2 Operator And Attribute source Resource Attribute Blob path Operator StringLike Value {pathString}
:::image type="content" source="./media/storage-auth-abac-examples/containers-path-read-portal.png" alt-text="Screenshot of condition editor in Azure portal showing read access to blobs in named containers with a path." lightbox="./media/storage-auth-abac-examples/containers-path-read-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
AND
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'
)
)
Storage Blob Data Reader, Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
AND
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks for the container name and path.
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$grantedContainer = "blobs-example-container"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to get ungranted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "Ungranted.txt" -Context $bearerCtx
# Try to get granted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "readonly/Example6.txt" -Context $bearerCtx
This condition allows read access and also list access to storage containers named blobs-example-container with a blob path of readonly/*. Condition #1 applies to read actions excluding list blobs. Condition #2 applies to list blobs. This condition is useful for sharing specific parts of storage containers for read or list access with other users in the subscription.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
Note
The Azure portal uses prefix='' to list blobs from container's root directory. After the condition is added with the list blobs operation using prefix StringStartsWith 'readonly/', targeted users won't be able to list blobs from container's root directory in the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Container name Operator StringEquals Value {containerName} Expression 2 Operator And Attribute source Resource Attribute Blob path Operator StringStartsWith Value {pathString}
[!div class="mx-tableFixed"]
Condition #2 Setting Actions List blobs
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Container name Operator StringEquals Value {containerName} Expression 2 Operator And Attribute source Request Attribute Blob prefix Operator StringStartsWith Value {pathString}
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
AND
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'readonly/'
)
)
AND
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
AND
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'
)
)
Storage Blob Data Reader, Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
AND
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'readonly/'
)
)
AND
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
AND
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'
)
)
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows a partner (a Microsoft Entra guest user) to drop files into storage containers named Contosocorp with a path of uploads/contoso/*. This condition is useful for allowing other users to put data in storage containers.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Write to a blob
Create a blob or snapshot, or append data
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Container name Operator StringEquals Value {containerName} Expression 2 Operator And Attribute source Resource Attribute Blob path Operator StringLike Value {pathString}
:::image type="content" source="./media/storage-auth-abac-examples/containers-path-write-portal.png" alt-text="Screenshot of condition editor in Azure portal showing write access to blobs in named containers with a path." lightbox="./media/storage-auth-abac-examples/containers-path-write-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp'
AND
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'
)
)
Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp'
AND
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$grantedContainer = "contosocorp"
$localSrcFile = <pathToLocalFile>
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to set ungranted blob
$content = Set-AzStorageBlobContent -Container $grantedContainer -Blob "Example7.txt" -Context $bearerCtx -File $localSrcFile
# Try to set granted blob
$content = Set-AzStorageBlobContent -Container $grantedContainer -Blob "uploads/contoso/Example7.txt" -Context $bearerCtx -File $localSrcFile
This condition allows a user to read blobs with a blob index tag key of Program, a value of Alpine, and a blob path of logs*. The blob path of logs* also includes the blob name.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob Attribute source Resource Attribute Blob index tags [Values in key] Key {keyName} Operator StringEquals Value {keyValue}
:::image type="content" source="./media/storage-auth-abac-examples/blob-index-tags-path-read-condition-1-portal.png" alt-text="Screenshot of condition 1 editor in Azure portal showing read access to blobs with a blob index tag and a path." lightbox="./media/storage-auth-abac-examples/blob-index-tags-path-read-condition-1-portal.png":::
[!div class="mx-tableFixed"]
Condition #2 Setting Actions Read a blob Attribute source Resource Attribute Blob path Operator StringLike Value {pathString}
:::image type="content" source="./media/storage-auth-abac-examples/blob-index-tags-path-read-condition-2-portal.png" alt-text="Screenshot of condition 2 editor in Azure portal showing read access to blobs with a blob index tag and a path." lightbox="./media/storage-auth-abac-examples/blob-index-tags-path-read-condition-2-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Program<$key_case_sensitive$>] StringEquals 'Alpine'
)
)
AND
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'logs*'
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks for the blob index tag and path.
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Program<`$key_case_sensitive`$>] StringEquals 'Alpine')) AND ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'logs*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Here's how to test this condition.
$grantedContainer = "contosocorp"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to get ungranted blobs
# Wrong name but right tags
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "AlpineFile.txt" -Context $bearerCtx
# Right name but wrong tags
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logsAlpine.txt" -Context $bearerCtx
# Try to get granted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logs/AlpineFile.txt" -Context $bearerCtx
This condition allows users to read blobs in blob containers with a specific metadata key/value pair.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob Attribute source Resource Attribute Container metadata Operator StringEquals Value {containerName}
:::image type="content" source="./media/storage-auth-abac-examples/container-metadata-read-portal.png" alt-text="Screenshot of condition editor in Azure portal showing read blob in container with specific metadata." lightbox="./media/storage-auth-abac-examples/container-metadata-read-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Reader
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
This condition allows users to write or delete blobs in blob containers with a specific metadata key/value pair.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Write to a blob
Delete a blobAttribute source Resource Attribute Container metadata Operator StringEquals Value {containerName}
:::image type="content" source="./media/storage-auth-abac-examples/container-metadata-write-delete-portal.png" alt-text="Screenshot of condition editor in Azure portal showing write and delete blob in container with specific metadata." lightbox="./media/storage-auth-abac-examples/container-metadata-write-delete-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition using Azure PowerShell.
$condition = "( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue' `
) `
) `
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
This section includes examples showing how to restrict access to objects based on the blob version or snapshot.
This condition allows a user to only read current blob versions. The user can't read other blob versions.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Is Current Version Operator BoolEquals Value True
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true
)
)
Storage Blob Data Reader, Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks the version.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows a user to read current blob versions as well as read blobs with a version ID of 2022-06-01T23:38:32.8883645Z. The user can't read other blob versions. The Version ID attribute is available only for storage accounts where hierarchical namespace isn't enabled.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob Attribute source Request Attribute Version ID Operator DateTimeEquals Value <blobVersionId> Expression 2 Operator Or Attribute source Resource Attribute Is Current Version Operator BoolEquals Value True
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks version information.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows a user to delete versions of a blob that are older than 06/01/2022 to perform cleanup. The Version ID attribute is available only for storage accounts where hierarchical namespace isn't enabled.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Delete a blob
Delete a version of a blobAttribute source Request Attribute Version ID Operator DateTimeLessThan Value <blobVersionId>
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeLessThan '2022-06-01T00:00:00.0Z'
)
)
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows a user to read current blob versions and any blob snapshots. The Version ID attribute is available only for storage accounts where hierarchical namespace isn't enabled. The Snapshot attribute is available for storage accounts where hierarchical namespace isn't enabled and currently in preview for storage accounts where hierarchical namespace is enabled.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Request Attribute Snapshot Exists Checked Expression 2 Operator Or Attribute source Resource Attribute Is Current Version Operator BoolEquals Value True
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true
)
)
Storage Blob Data Reader, Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks version and snapshot information.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows a user to list blobs in a container and include metadata, snapshot, and version information. The List blobs include attribute is available for storage accounts where hierarchical namespace isn't enabled.
Note
List blobs include is a request attribute, and works by allowing or restricting values in the include
parameter when calling the List Blobs operation. The values in the include
parameter are compared against the values specified in the condition using cross product comparison operators. If the comparison evaluates to true, the List Blobs
request is allowed. If the comparison evaluates to false, the List Blobs
request is denied.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions List blobs Attribute source Request Attribute List blobs include Operator ForAllOfAnyValues:StringEqualsIgnoreCase Value {'metadata', 'snapshots', 'versions'}
:::image type="content" source="./media/storage-auth-abac-examples/blob-include-list-allow-portal.png" alt-text="Screenshot of condition editor in Azure portal showing a condition to allow a user to list blobs in a container and include metadata, snapshot, and version information." lightbox="./media/storage-auth-abac-examples/blob-include-list-allow-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Reader
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}
)
)
In this example, the condition restricts the read action when the suboperation is Blob.List
. This means that a List Blobs operation is further evaluated against the expression that checks the include
values, but all other read actions are allowed.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition restricts a user from listing blobs when metadata is included in the request. The List blobs include attribute is available for storage accounts where hierarchical namespace isn't enabled.
Note
List blobs include is a request attribute, and works by allowing or restricting values in the include
parameter when calling the List Blobs operation. The values in the include
parameter are compared against the values specified in the condition using cross product comparison operators. If the comparison evaluates to true, the List Blobs
request is allowed. If the comparison evaluates to false, the List Blobs
request is denied.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions List blobs Attribute source Request Attribute List blobs include Operator ForAllOfAllValues:StringNotEquals Value {'metadata'}
:::image type="content" source="./media/storage-auth-abac-examples/blob-include-list-metadata-deny-portal.png" alt-text="Screenshot of condition editor in Azure portal showing a condition to restrict a user from listing blobs when metadata is included in the request." lightbox="./media/storage-auth-abac-examples/blob-include-list-metadata-deny-portal.png":::
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Reader
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
)
OR
(
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}
)
)
In this example, the condition restricts the read action when the suboperation is Blob.List
. This means that a List Blobs operation is further evaluated against the expression that checks the include
values, but all other read actions are allowed.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This section includes examples showing how to restrict access to objects based on whether hierarchical namespace is enabled for a storage account.
This condition allows a user to only read blobs in storage accounts with hierarchical namespace enabled. This condition is applicable only at resource group scope or higher.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)Attribute source Resource Attribute Is hierarchical namespace enabled Operator BoolEquals Value True
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true
)
)
Storage Blob Data Reader, Storage Blob Data Contributor
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks for hierarchical namespace.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This section includes examples showing how to restrict access to objects with an approved encryption scope.
This condition allows a user to read blobs encrypted with encryption scope validScope1
or validScope2
.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob Attribute source Resource Attribute Encryption scope name Operator ForAnyOfAnyValues:StringEquals Value <scopeName>
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks encryption scopes.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows a user to read or write blobs in a storage account named sampleaccount
and encrypted with encryption scope ScopeCustomKey1
. If blobs aren't encrypted or decrypted with ScopeCustomKey1
, the request returns forbidden.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
Note
Since encryption scopes for different storage accounts could be different, it's recommended to use the storageAccounts:name
attribute with the encryptionScopes:name
attribute to restrict the specific encryption scope to be allowed.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob
Write to a blob
Create a blob or snapshot, or append dataAttribute source Resource Attribute Account name Operator StringEquals Value <accountName> Expression 2 Operator And Attribute source Resource Attribute Encryption scope name Operator ForAnyOfAnyValues:StringEquals Value <scopeName>
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'
AND
@Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'ScopeCustomKey1'}
)
)
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This section includes examples showing how to restrict access to objects based on custom security principals.
This condition allows read or write access to blobs if the user has a custom security attribute that matches the blob index tag.
For example, if Brenda has the attribute Project=Baker
, she can only read or write blobs with the Project=Baker
blob index tag. Similarly, Chandra can only read or write blobs with Project=Cascade
.
You must add this condition to any role assignments that include the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
For more information, see Allow read access to blobs based on tags and custom security attributes.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob conditions Attribute source Principal Attribute <attributeset>_<key> Operator StringEquals Option Attribute Attribute source Resource Attribute Blob index tags [Values in key] Key <key>
[!div class="mx-tableFixed"]
Condition #2 Setting Actions Write to a blob with blob index tags
Write to a blob with blob index tagsAttribute source Principal Attribute <attributeset>_<key> Operator StringEquals Option Attribute Attribute source Request Attribute Blob index tags [Values in key] Key <key>
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]
)
)
AND
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
)
OR
(
@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]
)
)
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This condition allows read access to blobs if the user has a custom security attribute with any values that matches the blob index tag.
For example, if Chandra has the Project attribute with the values Baker and Cascade, she can only read blobs with the Project=Baker
or Project=Cascade
blob index tag.
You must add this condition to any role assignments that include the following action.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
For more information, see Allow read access to blobs based on tags and custom security attributes.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the Azure portal.
[!div class="mx-tableFixed"]
Condition #1 Setting Actions Read a blob conditions Attribute source Resource Attribute Blob index tags [Values in key] Key <key> Operator ForAnyOfAnyValues:StringEquals Option Attribute Attribute source Principal Attribute <attributeset>_<key>
To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] ForAnyOfAnyValues:StringEquals @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project]
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression that checks blob index tags and custom security attributes.
[!INCLUDE storage-abac-conditions-include]
Currently no example provided.
This section includes examples showing how to restrict access to objects based on the network environment or the current date and time.
This condition allows read access to blob container container1
only after 1 PM on May 1, 2023 Universal Coordinated Time (UTC).
There are two potential actions for reading existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
[!div class="mx-tableFixed"]
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Select Add action, then select only the Read a blob suboperation as shown in the following table.
Action | Suboperation |
---|---|
All read operations | Read a blob |
Don't select the top-level All read operations action or any other suboperations as shown in the following image:
:::image type="content" source="./media/storage-auth-abac-examples/environ-action-select-read-a-blob-portal.png" alt-text="Screenshot of condition editor in Azure portal showing selection of just the read operation." lightbox="./media/storage-auth-abac-examples/environ-action-select-read-a-blob-portal.png":::
Use the values in the following table to build the expression portion of the condition:
Setting Value Attribute source Resource Attribute Container name Operator StringEquals Value container1
Logical operator 'AND' Attribute source Environment Attribute UtcNow Operator DateTimeGreaterThan Value 2023-05-01T13:00:00.000Z
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
:::image type="content" source="./media/storage-auth-abac-examples/environ-utcnow-containers-read-portal.png" alt-text="Screenshot of the condition editor in the Azure portal showing read access allowed after a specific date and time." lightbox="./media/storage-auth-abac-examples/environ-utcnow-containers-read-portal.png":::
To add the condition using the code editor, copy the following condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'container1'
AND
@Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.000Z'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition for the Storage Blob Data Reader role using Azure PowerShell.
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$dateTime = "2023-05-01T13:00:00.000Z"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
AND `
@Environment[UtcNow] DateTimeGreaterThan '$dateTime' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
This condition allows read, write, add and delete access to blobs in container1
only from subnet default
on virtual network virtualnetwork1
. To use the Subnet attribute in this example, the subnet must have service endpoints enabled for Azure Storage.
There are five potential actions for read, write, add and delete access to existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
Action | Notes |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action |
Add if role definition includes this action, such as Storage Blob Data Owner. |
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Select Add action, then select only the top-level actions shown in the following table.
Action | Suboperation |
---|---|
All read operations | n/a |
Write to a blob | n/a |
Create a blob or snapshot, or append data | n/a |
Delete a blob | n/a |
Don't select any individual suboperations as shown in the following image:
:::image type="content" source="./media/storage-auth-abac-examples/environ-private-endpoint-containers-select-read-write-delete-portal.png" alt-text="Screenshot of condition editor in Azure portal showing selection of read, write, add and delete operations." lightbox="./media/storage-auth-abac-examples/environ-private-endpoint-containers-select-read-write-delete-portal.png":::
Use the values in the following table to build the expression portion of the condition:
Setting Value Attribute source Resource Attribute Container name Operator StringEquals Value container1
Logical operator 'AND' Attribute source Environment Attribute Subnet Operator StringEqualsIgnoreCase Value /subscriptions/<your subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
:::image type="content" source="./media/storage-auth-abac-examples/environ-subnet-containers-read-write-delete-portal.png" alt-text="Screenshot of the condition editor in the Azure portal showing read access to specific containers allowed from a specific subnet." lightbox="./media/storage-auth-abac-examples/environ-subnet-containers-read-write-delete-portal.png":::
To add the condition using the code editor, copy the following condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]StringEquals 'container1'
AND
@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/<your subscription id>/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition for the Storage Blob Data Contributor role using Azure PowerShell.
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$vnetName = "virtualnetwork1"
$subnetName = "default"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
) `
OR `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
AND `
@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
This condition requires requests to read blobs where blob index tag sensitivity has a value of high
to be over a private link (any private link). This means all attempts to read highly sensitive blobs from the public internet won't be allowed. Users can read blobs from the public internet that have sensitivity set to some value other than high
.
A truth table for this ABAC sample condition follows:
Action | Sensitivity | Private link | Access |
---|---|---|---|
Read a blob | high | Yes | Allowed |
Read a blob | high | No | Not Allowed |
Read a blob | NOT high | Yes | Allowed |
Read a blob | NOT high | No | Allowed |
There are two potential actions for reading existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the visual condition editor in the Azure portal.
Select Add action, then select only the Read a blob suboperation as shown in the following table.
Action | Suboperation |
---|---|
All read operations | Read a blob |
Don't select the top-level All read operations action of any other suboperations as shown in the following image:
:::image type="content" source="./media/storage-auth-abac-examples/environ-action-select-read-a-blob-portal.png" alt-text="Screenshot of condition editor in Azure portal showing selection of just the read operation." lightbox="./media/storage-auth-abac-examples/environ-action-select-read-a-blob-portal.png":::
Use the values in the following table to build the expression portion of the condition:
Group Setting Value Group #1 Attribute source Resource Attribute Blob index tags [Values in key] Key sensitivity
Operator StringEquals Value high
Logical operator 'AND' Attribute source Environment Attribute Is private link Operator BoolEquals Value True
End of Group #1 Logical operator 'OR' Attribute source Resource Attribute Blob index tags [Values in key] Key sensitivity
Operator StringNotEquals Value high
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
:::image type="content" source="./media/storage-auth-abac-examples/environ-private-link-sensitive-read-portal.png" alt-text="Screenshot of the condition editor in the Azure portal showing read access requiring any private link for sensitive data." lightbox="./media/storage-auth-abac-examples/environ-private-link-sensitive-read-portal.png":::
To add the condition using the code editor, copy the following condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<$key_case_sensitive$>] StringEquals 'high'
AND
@Environment[isPrivateLink] BoolEquals true
)
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<$key_case_sensitive$>] StringNotEquals 'high'
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression.
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition for the Storage Blob Data Reader role using Azure PowerShell.
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) `
) `
OR `
( `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] StringEquals 'high' `
AND `
@Environment[isPrivateLink] BoolEquals true `
) `
OR `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] StringNotEquals 'high' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
This condition requires that all read, write, add and delete operations for blobs in a storage container named container1
be made through a private endpoint named privateendpoint1
. For all other containers not named container1
, access doesn't need to be through the private endpoint.
There are five potential actions for read, write and delete of existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
Action | Notes |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |
|
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action |
Add if role definition includes this action, such as Storage Blob Data Owner. Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future. |
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the visual condition editor in the Azure portal.
Select Add action, then select only the top-level actions shown in the following table.
Action | Suboperation |
---|---|
All read operations | n/a |
Write to a blob | n/a |
Create a blob or snapshot, or append data | n/a |
Delete a blob | n/a |
Don't select any individual suboperations as shown in the following image:
:::image type="content" source="./media/storage-auth-abac-examples/environ-private-endpoint-containers-select-read-write-delete-portal.png" alt-text="Screenshot of condition editor in Azure portal showing selection of read, write, add and delete operations." lightbox="./media/storage-auth-abac-examples/environ-private-endpoint-containers-select-read-write-delete-portal.png":::
Use the values in the following table to build the expression portion of the condition:
Group Setting Value Group #1 Attribute source Resource Attribute Container name Operator StringEquals Value container1
Logical operator 'AND' Attribute source Environment Attribute Private endpoint Operator StringEqualsIgnoreCase Value /subscriptions/<your subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/privateEndpoints/privateendpoint1
End of Group #1 Logical operator 'OR' Attribute source Resource Attribute Container name Operator StringNotEquals Value container1
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
:::image type="content" source="./media/storage-auth-abac-examples/environ-private-endpoint-containers-read-write-delete-portal.png" alt-text="Screenshot of condition editor in Azure portal showing read, write, or delete blobs in named containers with private endpoint environment attribute." lightbox="./media/storage-auth-abac-examples/environ-private-endpoint-containers-read-write-delete-portal.png":::
To add the condition using the code editor, choose one of the following condition code samples, depending on the role associated with the assignment. After entering your code, switch back to the visual editor to validate it.
Storage Blob Data Owner:
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
)
OR
(
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'container1'
AND
@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/<your subscription id>/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'
)
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringNotEquals 'container1'
)
)
Storage Blob Data Contributor:
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
)
OR
(
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'container1'
AND
@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/<your subscription id>/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'
)
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringNotEquals 'container1'
)
)
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition for the Storage Blob Data Contributor role using Azure PowerShell.
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$privateEndpointName = "privateendpoint1"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) `
AND `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
) `
OR `
( `
( `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
AND `
@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/privateEndpoints/$privateEndpointName' `
) `
OR `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringNotEquals '$containerName' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru
Example: Allow read access to highly sensitive blob data only from a specific private endpoint and by users tagged for access
This condition requires that blobs with index tag sensitivity set to high
can be read only by users that have a matching value for their sensitivity security attribute. Additionally, they must be accessed over a private endpoint named privateendpoint1
. Blobs that have a different value for the sensitivity tag can be accessed over other endpoints or the Internet.
There are two potential actions for reading existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
Action Notes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Add if role definition includes this action, such as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the Visual editor tab and the Code editor tabs to view the examples for your preferred portal editor.
Here are the settings to add this condition using the visual condition editor in the Azure portal.
Select Add action, then select only the Read a blob suboperation as shown in the following table.
Action | Suboperation |
---|---|
All read operations | Read a blob |
Don't select the top-level action as shown in the following image:
:::image type="content" source="./media/storage-auth-abac-examples/environ-action-select-read-a-blob-portal.png" alt-text="Screenshot of condition editor in Azure portal showing selection of read a blob operation." lightbox="./media/storage-auth-abac-examples/environ-action-select-read-a-blob-portal.png":::
Use the values in the following table to build the expression portion of the condition:
Group | Setting | Value |
---|---|---|
Group #1 | ||
Attribute source | Principal | |
Attribute | <attributeset>_<key> | |
Operator | StringEquals | |
Option | Attribute | |
Logical operator | 'AND' | |
Attribute source | Resource | |
Attribute | Blob index tags [Values in key] | |
Key | <key> | |
Logical operator | 'AND' | |
Attribute source | Environment | |
Attribute | Private endpoint | |
Operator | StringEqualsIgnoreCase | |
Value | /subscriptions/<your subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/privateEndpoints/privateendpoint1 |
|
End of Group #1 | ||
Logical operator | 'OR' | |
Attribute source | Resource | |
Attribute | Blob index tags [Values in key] | |
Key | sensitivity |
|
Operator | StringNotEquals | |
Value | high |
The following image shows the condition after the settings are entered into the Azure portal. You must group expressions to ensure correct evaluation.
:::image type="content" source="./media/storage-auth-abac-examples/environ-specific-private-link-sensitive-read-tagged-users-portal.png" alt-text="Screenshot of condition editor in Azure portal showing read access allowed over a specific private endpoint for tagged users." lightbox="./media/storage-auth-abac-examples/environ-specific-private-link-sensitive-read-tagged-users-portal.png":::
To add the condition using the code editor, copy the following condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(
(
@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:sensitivity] StringEqualsIgnoreCase @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<$key_case_sensitive$>]
AND
@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/<your subscription id>/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'
)
OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<$key_case_sensitive$>] StringNotEquals 'high'
)
)
In this example, the condition restricts the read action except when the suboperation is Blob.List
. This means that a List Blobs operation is allowed, but all other read actions are further evaluated against the expression.
[!INCLUDE storage-abac-conditions-include]
Here's how to add this condition for the Storage Blob Data Reader role using Azure PowerShell.
$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$privateEndpointName = "privateendpoint1"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
( `
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) `
) `
OR `
( `
( `
@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:sensitivity] StringEqualsIgnoreCase @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] `
AND `
@Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/$subid/resourceGroups/$rgname/providers/Microsoft.Network/privateEndpoints/$privateEndpointName' `
) `
OR `
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] StringNotEquals 'high' `
) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru