Actions and attributes for Azure role assignment conditions for Azure Blob Storage - Azure Storage
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that a specific permission or DataAction affects, see Permissions for Blob service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
Important
Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Suboperations
Multiple Storage service operations can be associated with a single permission or DataAction. However, each of these operations that are associated with the same permission might support different parameters. Suboperations enable you to differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to a subset of operations that support a given parameter. Then, you can use another access condition for operations with the same action that don't support that parameter.
For example, the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action is required for over a dozen different service operations. Some of these operations can accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action, all operations that don't accept tags as a request parameter can't evaluate this condition, and they fail the authorization access check.
In this case, the optional suboperation Blob.Write.WithTagHeaders can be used to apply a condition to only those operations that support blob index tags as a request parameter.
Note
Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, only blob index tags can be used in conditions. For more information, see Manage and find Azure Blob data with blob index tags.
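To make the suboperation point above concrete, the following is an added Python model (written for this article, not Azure's authorization engine or any Microsoft code) that renders a tag-header condition in the documented syntax and compares two ways of writing it: scoped with the Blob.Write.WithTagHeaders suboperation, and written against the bare write action. The Request and Condition classes, the sample requests and the allow/deny outcomes are assumptions of the model, following the article's statement that an operation which cannot evaluate the attribute fails the access check.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DataActions and the request attribute quoted in this article.
WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
ADD = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
TAGS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags"


@dataclass
class Request:
    action: str
    suboperation: str
    # Blob index tags sent with the request; None when the operation has no tags parameter at all.
    tags: Optional[Dict[str, str]]


@dataclass
class Condition:
    # (action, suboperation) pairs the condition targets; suboperation None means the whole action.
    targets: List[Tuple[str, Optional[str]]]
    tag_key: str
    tag_value: str

    def text(self) -> str:
        """Render the condition in the documented syntax: action exclusion OR attribute check."""
        clauses = []
        for action, subop in self.targets:
            if subop is None:
                clauses.append(f"!(ActionMatches{{'{action}'}})")
            else:
                clauses.append(f"!(ActionMatches{{'{action}'}} AND SubOperationMatches{{'{subop}'}})")
        check = f"@Request[{TAGS}:{self.tag_key}<$key_case_sensitive$>] StringEquals '{self.tag_value}'"
        return "((\n  " + "\n  AND\n  ".join(clauses) + "\n) OR (\n  " + check + "\n))"

    def applies_to(self, req: Request) -> bool:
        return any(req.action == a and (s is None or s == req.suboperation) for a, s in self.targets)

    def allows(self, req: Request) -> bool:
        """Modelled outcome: untargeted operations pass through; targeted ones must satisfy the tag check."""
        if not self.applies_to(req):
            return True
        if req.tags is None:
            return False  # attribute cannot be evaluated, so the access check fails (as the article states)
        return req.tags.get(self.tag_key) == self.tag_value  # key and value compared exactly


# Scoped with the suboperation: only operations that carry blob index tag headers are checked.
SCOPED = Condition([(WRITE, "Blob.Write.WithTagHeaders"), (ADD, "Blob.Write.WithTagHeaders")],
                   "Project", "Cascade")
# The same check written against the bare write action: every write-action operation is checked.
UNSCOPED = Condition([(WRITE, None)], "Project", "Cascade")

# Constructed sample requests (suboperation names are the ones listed in this article).
PUT_BLOB_TAGGED = Request(WRITE, "Blob.Write.WithTagHeaders", {"Project": "Cascade"})
PUT_BLOB_UNTAGGED = Request(WRITE, "Blob.Write.WithTagHeaders", {})
SET_TIER = Request(WRITE, "Blob.Write.Tier", None)  # Set Blob Tier has no tags parameter

if __name__ == "__main__":
    print(SCOPED.text())
    for name, cond, req in [("scoped/set tier", SCOPED, SET_TIER), ("unscoped/set tier", UNSCOPED, SET_TIER)]:
        print(f"{name}: {'allow' if cond.allows(req) else 'deny'}")
```

The unscoped form denies Set Blob Tier even though the caller never intended to restrict it, which is exactly the outcome the suboperation exists to avoid.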
Azure Blob Storage actions and suboperations
This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions. They're summarized in the following table:
Display name | DataAction | Suboperation |
---|---|---|
Read operations | ||
Find blobs by tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | n/a |
List blobs | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Blob.List |
Read a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | NOT Blob.List |
Read blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | n/a |
Read content from a blob with tag conditions (deprecated) | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Blob.Read.WithTagConditions |
Write operations | ||
Create a blob or snapshot, or append data | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | n/a |
Delete a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | n/a |
Delete a version of a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action | n/a |
Permanently delete a blob overriding soft-delete | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action | n/a |
Rename a file or a directory | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | n/a |
Sets the access tier on a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Blob.Write.Tier |
Write blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | n/a |
Write blob legal hold and immutability policy | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action | n/a |
Write to a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | n/a |
Write to a blob with blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Blob.Write.WithTagHeaders |
Permissions operations | ||
Change ownership of a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action | n/a |
Modify permissions of a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action | n/a |
HNS operations | ||
All data operations for accounts with hierarchical namespace enabled | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action | n/a |
List blobs
Property | Value |
---|---|
Display name | List blobs |
Description | List blobs operation. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
Suboperation | Blob.List |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name |
Request attributes | Blob prefix |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'}); Example: Read or list blobs in named containers with a path |
Read a blob
Property | Value |
---|---|
Display name | Read a blob |
Description | All blob read operations excluding list. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
Suboperation | NOT Blob.List |
Resource attributes | Account name; Is Current Version; Is hierarchical namespace enabled; Container name; Blob path; Encryption scope name |
Request attributes | Version ID; Snapshot |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}); Example: Read blobs in named containers with a path |
Read content from a blob with tag conditions
Important
The Read content from a blob with tag conditions suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.
When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.
If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to Example: Read blobs with a blob index tag.
Read blob index tags
Find blobs by tags
Property | Value |
---|---|
Display name | Find blobs by tags |
Description | DataAction for finding blobs by index tags. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Write to a blob
Property | Value |
---|---|
Display name | Write to a blob |
Description | DataAction for writing to blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path; Encryption scope name |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}); Example: Read, write, or delete blobs in named containers |
Sets the access tier on a blob
Property | Value |
---|---|
Display name | Sets the access tier on a blob |
Description | DataAction for writing to blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
Suboperation | Blob.Write.Tier |
Resource attributes | Account name; Is Current Version; Is hierarchical namespace enabled; Container name; Blob path; Encryption scope name |
Request attributes | Version ID; Snapshot |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.Tier'}) |
Write to a blob with blob index tags
Property | Value |
---|---|
Display name | Write to a blob with blob index tags |
Description | REST operations: Put Blob, Put Block List, Copy Blob and Copy Blob From URL. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write; Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
Suboperation | Blob.Write.WithTagHeaders |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path; Encryption scope name |
Request attributes | Blob index tags [Values in key]; Blob index tags [Keys] |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}); !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}); Example: New blobs must include a blob index tag |
Learn more | Manage and find Azure Blob data with blob index tags |
Create a blob or snapshot, or append data
Property | Value |
---|---|
Display name | Create a blob or snapshot, or append data |
Description | DataAction for creating blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path; Encryption scope name |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}); Example: Read, write, or delete blobs in named containers |
Write blob index tags
Write Blob legal hold and immutability policy
Property | Value |
---|---|
Display name | Write Blob legal hold and immutability policy |
Description | DataAction for writing Blob legal hold and immutability policy. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Delete a blob
Property | Value |
---|---|
Display name | Delete a blob |
Description | DataAction for deleting blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |
Suboperation | n/a |
Resource attributes | Account name; Is Current Version; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | Version ID; Snapshot |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}); Example: Read, write, or delete blobs in named containers |
Delete a version of a blob
Property | Value |
---|---|
Display name | Delete a version of a blob |
Description | DataAction for deleting a version of a blob. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | Version ID |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'}); Example: Delete old blob versions |
Permanently delete a blob overriding soft-delete
Property | Value |
---|---|
Display name | Permanently delete a blob overriding soft-delete |
Description | DataAction for permanently deleting a blob overriding soft-delete. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action |
Suboperation | n/a |
Resource attributes | Account name; Is Current Version; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | Version ID; Snapshot |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Modify permissions of a blob
Property | Value |
---|---|
Display name | Modify permissions of a blob |
Description | DataAction for modifying permissions of a blob. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Change ownership of a blob
Property | Value |
---|---|
Display name | Change ownership of a blob |
Description | DataAction for changing ownership of a blob. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
Rename a file or a directory
Property | Value |
---|---|
Display name | Rename a file or a directory |
Description | DataAction for renaming files or directories. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action |
Suboperation | n/a |
Resource attributes | Account name; Is hierarchical namespace enabled; Container name; Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link; Private endpoint; Subnet; UTC now |
All data operations for accounts with hierarchical namespace enabled
Azure Blob Storage attributes
This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:
Attribute source | Display name | Description |
---|---|---|
Environment | Is private link | Whether access is over a private link |
Environment | Private endpoint | The private endpoint over which an object is accessed |
Environment | Subnet | The subnet over which an object is accessed |
Environment | UTC now | The current date and time in Coordinated Universal Time |
Request | Blob index tags [Keys] | Index tags on a blob resource (keys); available only for storage accounts where hierarchical namespace is not enabled |
Request | Blob index tags [Values in key] | Index tags on a blob resource (values in key); available only for storage accounts where hierarchical namespace is not enabled |
Request | Blob prefix | Allowed prefix of blobs to be listed |
Request | List blob include | Information that can be included with listing operations, such as metadata, snapshots, or versions |
Request | Snapshot | The Snapshot identifier for the Blob snapshot |
Request | Version ID | The version ID of the versioned blob; available only for storage accounts where hierarchical namespace is not enabled |
Resource | Account name | The storage account name |
Resource | Blob index tags [Keys] | Index tags on a blob resource (keys) |
Resource | Blob index tags [Values in key] | Index tags on a blob resource (values in key) |
Resource | Blob path | Path of a virtual directory, blob, folder or file resource |
Resource | Container name | Name of a storage container or file system |
Resource | Container metadata | Metadata key/value pair associated with a container |
Resource | Encryption scope name | Name of the encryption scope used to encrypt data |
Resource | Is current version | Whether the resource is the current version of the blob |
Resource | Is hierarchical namespace enabled | Whether hierarchical namespace is enabled on the storage account |
Account name
Blob index tags [Keys]
Blob index tags [Values in key]
Property | Value |
---|---|
Display name | Blob index tags [Values in key] |
Description | Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags. Available only for storage accounts where hierarchical namespace is not enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags |
Attribute source | Resource; Request |
Attribute type | String |
Is key case sensitive | True |
Hierarchical namespace support | False |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:keyname<$key_case_sensitive$>]; @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'; Example: Read blobs with a blob index tag |
Learn more | Manage and find Azure Blob data with blob index tags; Azure Data Lake Storage hierarchical namespace |
Blob path
Property | Value |
---|---|
Display name | Blob path |
Description | Path of a virtual directory, blob, folder or file resource. Use when you want to check the blob name or folders in a blob path. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'; Example: Read blobs in named containers with a path |
Note
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Blob prefix
Property | Value |
---|---|
Display name | Blob prefix |
Description | Allowed prefix of blobs to be listed. Path of a virtual directory or folder resource. Use when you want to check the folders in a blob path. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix |
Attribute source | Request |
Attribute type | String |
Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'; Example: Read or list blobs in named containers with a path |
Note
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
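The notes on the path and prefix attributes above describe the same three value mistakes (leading slash, container name in the value, URL encoding), and a condition that contains one of them silently matches nothing. The following is an added Python lint for those values that also builds the "Read blobs in named containers with a path" condition in the documented syntax; it is written for this article, not a Microsoft tool, and the function names, the container name and the percent-encoding heuristic are assumptions.

```python
import re

# Identifiers quoted in this article.
READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
CONTAINER_NAME = "Microsoft.Storage/storageAccounts/blobServices/containers:name"
BLOB_PATH = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path"


def path_value_problems(value: str, container: str) -> list:
    """Return the ways a blobs:path or blobs:prefix value violates the note on those attributes."""
    problems = []
    if value.startswith("/"):
        problems.append("leading slash")
    if value == container or value.startswith(container + "/"):
        problems.append("includes the container name")
    # Heuristic: a %XX sequence almost always means the value was URL-encoded (assumption).
    if re.search(r"%[0-9A-Fa-f]{2}", value):
        problems.append("URL-encoded characters")
    return problems


def read_path_condition(container: str, pattern: str) -> str:
    """Build the 'Read blobs in named containers with a path' condition, refusing a bad path value."""
    problems = path_value_problems(pattern, container)
    if problems:
        raise ValueError(f"path value {pattern!r}: " + ", ".join(problems))
    return (
        "(\n"
        f" (\n  !(ActionMatches{{'{READ}'}} AND NOT SubOperationMatches{{'Blob.List'}})\n )\n"
        " OR\n"
        " (\n"
        f"  @Resource[{CONTAINER_NAME}] StringEquals '{container}'\n"
        "  AND\n"
        f"  @Resource[{BLOB_PATH}] StringLike '{pattern}'\n"
        " )\n"
        ")"
    )


if __name__ == "__main__":
    # Constructed sample: container name is an assumption.
    print(read_path_condition("blobs-example-container", "readonly/*"))
```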
Container name
Property | Value |
---|---|
Display name | Container name |
Description | Name of a storage container or file system. Use when you want to check the container name. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers:name |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'; Example: Read, write, or delete blobs in named containers |
Container metadata
Encryption scope name
Is Current Version
Is hierarchical namespace enabled
Is private link
List blob include
Property | Value |
---|---|
Display name | List blob include |
Description | Information that can be included with a List Blobs operation, such as metadata, snapshots, or versions. Use when you want to allow or restrict values for the include parameter when calling the List Blobs operation. Currently in preview. Available only for storage accounts where hierarchical namespace is not enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include |
Attribute source | Request |
Attribute type | String |
Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}; @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}; Example: Allow list blob operation to include blob metadata, snapshots, or versions; Example: Restrict list blob operation to not include blob metadata |
Private endpoint
Snapshot
Subnet
Property | Value |
---|---|
Display name | Subnet |
Description | The subnet over which an object is accessed. Use to restrict access to a specific subnet. Available only for storage accounts in subscriptions that have at least one virtual network subnet using service endpoints configured. |
Attribute | Microsoft.Network/virtualNetworks/subnets |
Attribute source | Environment |
Attribute type | String |
Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source: Copy Blob, Copy Blob From URL, Put Blob From URL, Put Block From URL, Append Block From URL, Put Page From URL. For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
Examples | @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'; Example: Allow access to blobs in specific containers from a specific subnet |
Learn more | Subnets |
UTC now
Property | Value |
---|---|
Display name | UTC now |
Description | The current date and time in Coordinated Universal Time. Use to control access to objects for a specific date and time period. |
Attribute | UtcNow |
Attribute source | Environment |
Attribute type | DateTime (Only operators DateTimeGreaterThan and DateTimeLessThan are supported for the UTC now attribute.) |
Examples | @Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'; Example: Allow read access to blobs after a specific date and time |