Actions and attributes for Azure role assignment conditions for Azure Blob Storage
Article
04/01/2024
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that a specific permission or DataAction affects, see Permissions for Blob service operations.
Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
Multiple Storage service operations can be associated with a single permission or DataAction. However, each of these operations that are associated with the same permission might support different parameters. Suboperations enable you to differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to a subset of operations that support a given parameter. Then, you can use another access condition for operations with the same action that don't support that parameter.
For example, the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action is required for over a dozen different service operations. Some of these operations can accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action, all operations that don't accept tags as a request parameter can't evaluate this condition, and they fail the authorization access check.
In this case, the optional suboperation Blob.Write.WithTagHeaders can be used to apply a condition to only those operations that support blob index tags as a request parameter.
Note
Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see Manage and find Azure Blob data with blob index tags.
Azure Blob Storage actions and suboperations
This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions. They're summarized in the following table:
The Read content from a blob with tag conditions suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.
When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.
Examples:
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
Example: New blobs must include a blob index tag
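The suboperation guard described above, as an added simulation that is not part of the original article: it assumes, as the article states, that a condition referencing a request attribute an operation cannot supply fails the check for that operation, and compares a tag condition written directly on the write action with the same condition scoped by Blob.Write.WithTagHeaders. The sample operations, and which of them carry the suboperation or supply the tag attribute, are constructed data; this is not the Azure authorization engine.

```python
"""Simulated ABAC condition evaluation (constructed illustration, not Azure's engine)."""
from dataclasses import dataclass, field

WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
TAG_ATTR = ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
            "/tags:Project<$key_case_sensitive$>")
TAG_SUBOP = "Blob.Write.WithTagHeaders"


@dataclass
class Request:
    operation: str          # service operation name (reporting only)
    action: str             # DataAction the operation requires
    suboperations: frozenset = frozenset()             # suboperations it belongs to
    request_attrs: dict = field(default_factory=dict)  # @Request attributes it supplies


def tag_check(req):
    """@Request[...tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'.
    Returns None when the attribute is unavailable: the condition cannot be
    evaluated for this operation, which (per the article) fails the check."""
    if TAG_ATTR not in req.request_attrs:
        return None
    return req.request_attrs[TAG_ATTR] == "Cascade"


def unguarded_condition(req):
    """Tag check placed directly on the write action, with no suboperation."""
    if req.action != WRITE:
        return True                    # condition does not target this action
    return tag_check(req) is True      # None (unsupported attribute) -> deny


def guarded_condition(req):
    """!(ActionMatches{write} AND SubOperationMatches{Blob.Write.WithTagHeaders})
    OR tag check: only tag-capable write operations must pass the check."""
    in_scope = req.action == WRITE and TAG_SUBOP in req.suboperations
    return True if not in_scope else tag_check(req) is True


# Constructed sample requests (assumption: Put Block accepts no tag header)
PUT_BLOB_TAGGED = Request("Put Blob (Project=Cascade)", WRITE,
                          frozenset({TAG_SUBOP}), {TAG_ATTR: "Cascade"})
PUT_BLOB_UNTAGGED = Request("Put Blob (no tags)", WRITE, frozenset({TAG_SUBOP}))
PUT_BLOCK = Request("Put Block", WRITE)
GET_BLOB = Request("Get Blob", READ)


def evaluate(condition):
    """Map each sample operation to allow (True) or deny (False)."""
    return {r.operation: condition(r)
            for r in (PUT_BLOB_TAGGED, PUT_BLOB_UNTAGGED, PUT_BLOCK, GET_BLOB)}
```

Under the unguarded condition Put Block is denied because it can never supply the tag attribute; the guarded form lets it through while still requiring the tag on Put Blob.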
All data operations for accounts with hierarchical namespace enabled
Display name: All data operations for accounts with hierarchical namespace enabled
Description: DataAction for all data operations on storage accounts with hierarchical namespace enabled. If your role definition includes the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action action, you should target this action in your condition. Targeting this action ensures the condition will still work as expected if hierarchical namespace is enabled for a storage account.
This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:
Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check the key in blob index tags. Available only for storage accounts where hierarchical namespace is not enabled.
Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags. Available only for storage accounts where hierarchical namespace is not enabled.
Attribute: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:keyname<$key_case_sensitive$>]
Example: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
Example: Read blobs with a blob index tag
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Blob prefix
Display name: Blob prefix
Description: Allowed prefix of blobs to be listed. Path of a virtual directory or folder resource. Use when you want to check the folders in a blob path.
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Container name
Display name: Container name
Description: Name of a storage container or file system. Use when you want to check the container name.
Information that can be included with a List Blobs operation, such as metadata, snapshots, or versions. Use when you want to allow or restrict values for the include parameter when calling the List Blobs operation. Currently in preview. Available only for storage accounts where hierarchical namespace is not enabled.
The private endpoint over which an object is accessed. Use to restrict access over a specific private endpoint. Available only for storage accounts in subscriptions that have at least one private endpoint configured.
The Snapshot identifier for the Blob snapshot. Available only for storage accounts where hierarchical namespace is not enabled and currently in preview for storage accounts where hierarchical namespace is enabled.
The subnet over which an object is accessed. Use to restrict access to a specific subnet. Available only for storage accounts in subscriptions that have at least one virtual network subnet using service endpoints configured.
For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation.
Examples
@Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'
Example: Allow access to blobs in specific containers from a specific subnet