Actions and attributes for Azure role assignment conditions for Azure Blob Storage
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that a specific permission or DataAction affects, see Permissions for Blob service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
Important
Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Multiple Storage service operations can be associated with a single permission or DataAction. However, each of the operations associated with the same permission might support different parameters. Suboperations enable you to differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to the subset of operations that support a given parameter, and another condition for operations with the same action that don't support that parameter.
For example, the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action is required for over a dozen different service operations. Some of these operations accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action itself, the operations that don't accept tags as a request parameter can't evaluate the condition, and the authorization access check fails for them.
In this case, the optional suboperation Blob.Write.WithTagHeaders can be used to apply the condition only to those operations that support blob index tags as a request parameter.
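The following added example (not Microsoft code; Azure's real evaluator is not public) models only the rule stated above: a condition on the write action that inspects the blob index tag keys request attribute fails for an operation such as Set Blob Tier, which never carries that attribute, unless the condition is scoped with the Blob.Write.WithTagHeaders suboperation. The request shapes and the mapping of sample operations to suboperations are constructed assumptions.

```python
"""Model of why a tag condition must be scoped with a suboperation.

Added illustration, not Microsoft's evaluator (which is not public). It encodes
only the rule the article states: if the targeted operation does not carry the
request attribute the condition inspects, the condition cannot be evaluated and
the access check fails. Request shapes below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
TAG_KEYS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&"


@dataclass
class Request:
    """One authorization check: the DataAction, its suboperation (if any) and
    the request attributes the operation actually carries."""
    action: str
    suboperation: Optional[str] = None
    attributes: dict = field(default_factory=dict)


@dataclass
class TagKeyCondition:
    """Condition of the form used in the article's examples:
    (!(target)) OR (@Request[tags&$keys$&] ForAllOfAnyValues:StringEquals {...})"""
    action: str
    suboperation: Optional[str]   # None targets every operation under the action
    allowed_keys: frozenset

    def text(self) -> str:
        """Render in the article's condition syntax (the form passed to
        az role assignment create --condition)."""
        target = f"ActionMatches{{'{self.action}'}}"
        if self.suboperation:
            target += f" AND SubOperationMatches{{'{self.suboperation}'}}"
        keys = ", ".join(f"'{k}'" for k in sorted(self.allowed_keys))
        return (f"((!({target})) OR "
                f"(@Request[{TAG_KEYS}] ForAllOfAnyValues:StringEquals {{{keys}}}))")

    def evaluate(self, req: Request) -> bool:
        """True = access allowed, False = denied."""
        targeted = req.action == self.action and (
            self.suboperation is None or req.suboperation == self.suboperation)
        if not targeted:
            return True      # !(target) holds; the attribute clause is never reached
        if TAG_KEYS not in req.attributes:
            return False     # operation cannot supply the attribute -> check fails
        # ForAllOfAnyValues:StringEquals: every key sent must be one of the allowed keys
        return all(k in self.allowed_keys for k in req.attributes[TAG_KEYS])


# Constructed requests: a Set Blob Tier call carries no tag headers; Put Blob does.
SET_TIER = Request(WRITE, "Blob.Write.Tier")
PUT_BLOB_TAGGED = Request(WRITE, "Blob.Write.WithTagHeaders", {TAG_KEYS: ["Project"]})
PUT_BLOB_OTHER_KEY = Request(WRITE, "Blob.Write.WithTagHeaders", {TAG_KEYS: ["Owner"]})

# The same tag rule, once defined on the bare action and once scoped by suboperation.
UNSCOPED = TagKeyCondition(WRITE, None, frozenset({"Project", "Program"}))
SCOPED = TagKeyCondition(WRITE, "Blob.Write.WithTagHeaders", frozenset({"Project", "Program"}))


def outcomes(cond: TagKeyCondition) -> dict:
    """Decision for each sample request under one condition."""
    return {
        "set_tier": cond.evaluate(SET_TIER),
        "put_blob_tagged": cond.evaluate(PUT_BLOB_TAGGED),
        "put_blob_other_key": cond.evaluate(PUT_BLOB_OTHER_KEY),
    }


if __name__ == "__main__":
    for name, cond in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, cond.text())
        print("  ", outcomes(cond))
```

Under the unscoped condition the Set Blob Tier request is denied even though it has nothing to do with tags; the scoped condition leaves it untouched while still rejecting a Put Blob whose tag keys are outside the allowed set.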
Note
Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see Manage and find Azure Blob data with blob index tags.
This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions. They're summarized in the following table:
Display name | DataAction | Suboperation |
---|---|---|
Read operations | | |
Find blobs by tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | n/a |
List blobs | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Blob.List |
Read a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | NOT Blob.List |
Read blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | n/a |
Read content from a blob with tag conditions (deprecated) | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Blob.Read.WithTagConditions |
Write operations | | |
Create a blob or snapshot, or append data | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | n/a |
Delete a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | n/a |
Delete a version of a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action | n/a |
Permanently delete a blob overriding soft-delete | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action | n/a |
Rename a file or a directory | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | n/a |
Sets the access tier on a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Blob.Write.Tier |
Write blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | n/a |
Write blob legal hold and immutability policy | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action | n/a |
Write to a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | n/a |
Write to a blob with blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Blob.Write.WithTagHeaders |
Permissions operations | | |
Change ownership of a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action | n/a |
Modify permissions of a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action | n/a |
HNS operations | | |
All data operations for accounts with hierarchical namespace enabled | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action | n/a |

Property | Value |
---|---|
Display name | List blobs |
Description | List blobs operation. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
Suboperation | Blob.List |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name |
Request attributes | Blob prefix |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})<br>Example: Read or list blobs in named containers with a path |

Property | Value |
---|---|
Display name | Read a blob |
Description | All blob read operations excluding list. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
Suboperation | NOT Blob.List |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Encryption scope name |
Request attributes | Version ID<br>Snapshot |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})<br>Example: Read blobs in named containers with a path |
Important
The Read content from a blob with tag conditions suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.
When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.
If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to Example: Read blobs with a blob index tag.

Property | Value |
---|---|
Display name | Read blob index tags |
Description | DataAction for reading blob index tags. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read |
Suboperation | n/a |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Blob index tags [Values in key]<br>Blob index tags [Keys] |
Request attributes | Version ID<br>Snapshot |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Learn more | Manage and find Azure Blob data with blob index tags |

Property | Value |
---|---|
Display name | Find blobs by tags |
Description | DataAction for finding blobs by index tags. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |

Property | Value |
---|---|
Display name | Write to a blob |
Description | DataAction for writing to blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Encryption scope name |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})<br>Example: Read, write, or delete blobs in named containers |

Property | Value |
---|---|
Display name | Sets the access tier on a blob |
Description | DataAction for writing to blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
Suboperation | Blob.Write.Tier |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Encryption scope name |
Request attributes | Version ID<br>Snapshot |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.Tier'}) |

Property | Value |
---|---|
Display name | Write to a blob with blob index tags |
Description | REST operations: Put Blob, Put Block List, Copy Blob and Copy Blob From URL. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
Suboperation | Blob.Write.WithTagHeaders |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Encryption scope name |
Request attributes | Blob index tags [Values in key]<br>Blob index tags [Keys] |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})<br>!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})<br>Example: New blobs must include a blob index tag |
Learn more | Manage and find Azure Blob data with blob index tags |

Property | Value |
---|---|
Display name | Create a blob or snapshot, or append data |
Description | DataAction for creating blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Encryption scope name |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})<br>Example: Read, write, or delete blobs in named containers |

Property | Value |
---|---|
Display name | Write blob index tags |
Description | DataAction for writing blob index tags. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write |
Suboperation | n/a |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path<br>Blob index tags [Values in key]<br>Blob index tags [Keys] |
Request attributes | Blob index tags [Values in key]<br>Blob index tags [Keys]<br>Version ID<br>Snapshot |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})<br>Example: Existing blobs must have blob index tag keys |
Learn more | Manage and find Azure Blob data with blob index tags |

Property | Value |
---|---|
Display name | Write Blob legal hold and immutability policy |
Description | DataAction for writing Blob legal hold and immutability policy. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |

Property | Value |
---|---|
Display name | Delete a blob |
Description | DataAction for deleting blobs. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |
Suboperation | n/a |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | Version ID<br>Snapshot |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})<br>Example: Read, write, or delete blobs in named containers |

Property | Value |
---|---|
Display name | Delete a version of a blob |
Description | DataAction for deleting a version of a blob. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | Version ID |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})<br>Example: Delete old blob versions |

Property | Value |
---|---|
Display name | Permanently delete a blob overriding soft-delete |
Description | DataAction for permanently deleting a blob overriding soft-delete. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | Version ID<br>Snapshot |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |

Property | Value |
---|---|
Display name | Modify permissions of a blob |
Description | DataAction for modifying permissions of a blob. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |

Property | Value |
---|---|
Display name | Change ownership of a blob |
Description | DataAction for changing ownership of a blob. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |

Property | Value |
---|---|
Display name | Rename a file or a directory |
Description | DataAction for renaming files or directories. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |

Property | Value |
---|---|
Display name | All data operations for accounts with hierarchical namespace enabled |
Description | DataAction for all data operations on storage accounts with hierarchical namespace enabled. If your role definition includes the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action action, you should target this action in your condition. Targeting this action ensures the condition will still work as expected if hierarchical namespace is enabled for a storage account. |
DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action |
Suboperation | n/a |
Resource attributes | Account name<br>Is Current Version<br>Is hierarchical namespace enabled<br>Container name<br>Blob path |
Request attributes | |
Principal attributes support | True |
Environment attributes | Is private link<br>Private endpoint<br>Subnet<br>UTC now |
Examples | Example: Read, write, or delete blobs in named containers<br>Example: Read blobs in named containers with a path<br>Example: Read or list blobs in named containers with a path<br>Example: Write blobs in named containers with a path<br>Example: Read only current blob versions<br>Example: Read current blob versions and any blob snapshots<br>Example: Read only storage accounts with hierarchical namespace enabled |
Learn more | Azure Data Lake Storage hierarchical namespace |

This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:
Attribute source | Display name | Description |
---|---|---|
Environment | Is private link | Whether access is over a private link |
Environment | Private endpoint | The private endpoint over which an object is accessed |
Environment | Subnet | The subnet over which an object is accessed |
Environment | UTC now | The current date and time in Coordinated Universal Time |
Request | Blob index tags [Keys] | Index tags on a blob resource (keys); available only for storage accounts where hierarchical namespace is not enabled |
Request | Blob index tags [Values in key] | Index tags on a blob resource (values in key); available only for storage accounts where hierarchical namespace is not enabled |
Request | Blob prefix | Allowed prefix of blobs to be listed |
Request | List blob include | Information that can be included with listing operations, such as metadata, snapshots, or versions |
Request | Snapshot | The Snapshot identifier for the Blob snapshot |
Request | Version ID | The version ID of the versioned blob; available only for storage accounts where hierarchical namespace is not enabled |
Resource | Account name | The storage account name |
Resource | Blob index tags [Keys] | Index tags on a blob resource (keys) |
Resource | Blob index tags [Values in key] | Index tags on a blob resource (values in key) |
Resource | Blob path | Path of a virtual directory, blob, folder or file resource |
Resource | Container name | Name of a storage container or file system |
Resource | Container metadata | Metadata key/value pair associated with a container |
Resource | Encryption scope name | Name of the encryption scope used to encrypt data |
Resource | Is current version | Whether the resource is the current version of the blob |
Resource | Is hierarchical namespace enabled | Whether hierarchical namespace is enabled on the storage account |

Property | Value |
---|---|
Display name | Account name |
Description | Name of a storage account. |
Attribute | Microsoft.Storage/storageAccounts:name |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'<br>Example: Read or write blobs in named storage account with specific encryption scope |

Property | Value |
---|---|
Display name | Blob index tags [Keys] |
Description | Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check the key in blob index tags. Available only for storage accounts where hierarchical namespace is not enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$& |
Attribute source | Resource<br>Request |
Attribute type | StringList |
Is key case sensitive | True |
Hierarchical namespace support | False |
Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}<br>Example: Existing blobs must have blob index tag keys |
Learn more | Manage and find Azure Blob data with blob index tags<br>Azure Data Lake Storage hierarchical namespace |

Property | Value |
---|---|
Display name | Blob index tags [Values in key] |
Description | Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags. Available only for storage accounts where hierarchical namespace is not enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags |
Attribute source | Resource<br>Request |
Attribute type | String |
Is key case sensitive | True |
Hierarchical namespace support | False |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags: keyname<$key_case_sensitive$><br>@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'<br>Example: Read blobs with a blob index tag |
Learn more | Manage and find Azure Blob data with blob index tags<br>Azure Data Lake Storage hierarchical namespace |

Property | Value |
---|---|
Display name | Blob path |
Description | Path of a virtual directory, blob, folder or file resource. Use when you want to check the blob name or folders in a blob path. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'<br>Example: Read blobs in named containers with a path |
Note
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.

Property | Value |
---|---|
Display name | Blob prefix |
Description | Allowed prefix of blobs to be listed. Path of a virtual directory or folder resource. Use when you want to check the folders in a blob path. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix |
Attribute source | Request |
Attribute type | String |
Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'<br>Example: Read or list blobs in named containers with a path |
Note
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
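The two notes above (for blobs:path and blobs:prefix) describe the same three mistakes. This added helper, not part of the article or of any Microsoft tooling, derives the account, container and path values a condition should compare against from a blob URL, and flags a candidate literal that still carries a leading slash, the container name, or URL encoding. It assumes the standard blob URL layout https://<account>.blob.core.windows.net/<container>/<path>; the sample URL is constructed.

```python
"""Derive and check values for the blobs:path and blobs:prefix attributes.

Added illustration, not Microsoft code. Assumptions: the blob URL follows the
standard layout https://<account>.blob.core.windows.net/<container>/<path>,
and the only normalisation needed is the one the article states (no container
name, no leading slash, no URL encoding in the attribute value).
"""
from urllib.parse import unquote, urlsplit

ACCOUNT_ATTR = "Microsoft.Storage/storageAccounts:name"
CONTAINER_ATTR = "Microsoft.Storage/storageAccounts/blobServices/containers:name"
PATH_ATTR = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path"


def attribute_values_from_url(blob_url: str) -> dict:
    """Split a blob URL into the values a path-based condition compares against.

    The path is returned URL-decoded, without the container segment and without
    a leading slash, which is the form the article requires for blobs:path.
    """
    parts = urlsplit(blob_url)
    account = parts.hostname.split(".")[0]
    container, _, path = parts.path.lstrip("/").partition("/")
    return {ACCOUNT_ATTR: account, CONTAINER_ATTR: container, PATH_ATTR: unquote(path)}


def path_value_problems(value: str, container: str) -> list:
    """Return the mistakes in a candidate blobs:path / blobs:prefix literal.

    An empty list means the literal already follows the article's rules.
    The container check is a heuristic: a top-level folder that happens to share
    the container's name would be reported too, so treat it as a warning.
    """
    problems = []
    if value.startswith("/"):
        problems.append("leading slash")
    if value == container or value.startswith(container + "/"):
        problems.append("includes container name")
    if unquote(value) != value:          # any %XX sequence decodes to something else
        problems.append("URL-encoded characters")
    return problems


if __name__ == "__main__":
    # Constructed sample URL; the account and container names are placeholders.
    url = ("https://sampleaccount.blob.core.windows.net/"
           "blobs-example-container/readonly/report%202024.csv")
    values = attribute_values_from_url(url)
    print(values)
    for candidate in ("/readonly/*", "blobs-example-container/readonly/*",
                      "readonly/report%202024.csv", "readonly/*"):
        print(candidate, "->", path_value_problems(candidate, values[CONTAINER_ATTR]) or "ok")
```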

Property | Value |
---|---|
Display name | Container name |
Description | Name of a storage container or file system. Use when you want to check the container name. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers:name |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'<br>Example: Read, write, or delete blobs in named containers |

Property | Value |
---|---|
Display name | Container metadata |
Description | Metadata key/value pair associated with a container. Use when you want to check specific metadata for a container. Currently in preview. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/metadata |
Attribute source | Resource |
Attribute type | String |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'<br>Example: Read blobs in a container with specific metadata<br>Example: Write or delete blobs in container with specific metadata |

Property | Value |
---|---|
Display name | Encryption scope name |
Description | Name of the encryption scope used to encrypt data. |
Attribute | Microsoft.Storage/storageAccounts/encryptionScopes:name |
Attribute source | Resource |
Attribute type | String |
Exists support | True |
Examples | @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}<br>Example: Read blobs with specific encryption scopes |
Learn more | Create and manage encryption scopes |

Property | Value |
---|---|
Display name | Is Current Version |
Description | Whether the resource is the current version of the blob, in contrast to a snapshot or a specific blob version. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion |
Attribute source | Resource |
Attribute type | Boolean |
Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true<br>Example: Read only current blob versions<br>Example: Read current blob versions and a specific blob version |

Property | Value |
---|---|
Display name | Is hierarchical namespace enabled |
Description | Whether hierarchical namespace is enabled on the storage account. Applicable only at resource group scope or higher. |
Attribute | Microsoft.Storage/storageAccounts:isHnsEnabled |
Attribute source | Resource |
Attribute type | Boolean |
Examples | @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true<br>Example: Read only storage accounts with hierarchical namespace enabled |
Learn more | Azure Data Lake Storage hierarchical namespace |

Property | Value |
---|---|
Display name | Is private link |
Description | Whether access is over a private link. Use to require access over any private link. |
Attribute | isPrivateLink |
Attribute source | Environment |
Attribute type | Boolean |
Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source: Copy Blob, Copy Blob From URL, Put Blob From URL, Put Block From URL, Append Block From URL, Put Page From URL.<br>For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
Examples | @Environment[isPrivateLink] BoolEquals true<br>Example: Require private link access to read blobs with high sensitivity |
Learn more | Use private endpoints for Azure Storage |

Property | Value |
---|---|
Display name | List blob include |
Description | Information that can be included with a List Blobs operation, such as metadata, snapshots, or versions. Use when you want to allow or restrict values for the include parameter when calling the List Blobs operation. Currently in preview. Available only for storage accounts where hierarchical namespace is not enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include |
Attribute source | Request |
Attribute type | String |
Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}<br>@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}<br>Example: Allow list blob operation to include blob metadata, snapshots, or versions<br>Example: Restrict list blob operation to not include blob metadata |

Property | Value |
---|---|
Display name | Private endpoint |
Description | The private endpoint over which an object is accessed. Use to restrict access over a specific private endpoint. Available only for storage accounts in subscriptions that have at least one private endpoint configured. |
Attribute | Microsoft.Network/privateEndpoints |
Attribute source | Environment |
Attribute type | String |
Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source: Copy Blob, Copy Blob From URL, Put Blob From URL, Put Block From URL, Append Block From URL, Put Page From URL.<br>For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
Examples | @Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'<br>Example: Allow read access to a container only from a specific private endpoint |
Learn more | Use private endpoints for Azure Storage |

Property | Value |
---|---|
Display name | Snapshot |
Description | The Snapshot identifier for the Blob snapshot. Available only for storage accounts where hierarchical namespace is not enabled and currently in preview for storage accounts where hierarchical namespace is enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot |
Attribute source | Request |
Attribute type | DateTime |
Exists support | True |
Hierarchical namespace support | False |
Examples | Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]<br>Example: Read current blob versions and any blob snapshots |
Learn more | Blob snapshots<br>Azure Data Lake Storage hierarchical namespace |

Property | Value |
---|---|
Display name | Subnet |
Description | The subnet over which an object is accessed. Use to restrict access to a specific subnet. Available only for storage accounts in subscriptions that have at least one virtual network subnet using service endpoints configured. |
Attribute | Microsoft.Network/virtualNetworks/subnets |
Attribute source | Environment |
Attribute type | String |
Applies to | For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source: Copy Blob, Copy Blob From URL, Put Blob From URL, Put Block From URL, Append Block From URL, Put Page From URL.<br>For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation. |
Examples | @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'<br>Example: Allow access to blobs in specific containers from a specific subnet |
Learn more | Subnets |

Property | Value |
---|---|
Display name | UTC now |
Description | The current date and time in Coordinated Universal Time. Use to control access to objects for a specific date and time period. |
Attribute | UtcNow |
Attribute source | Environment |
Attribute type | DateTime (Only operators DateTimeGreaterThan and DateTimeLessThan are supported for the UTC now attribute.) |
Examples | @Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'<br>Example: Allow read access to blobs after a specific date and time |

Property | Value |
---|---|
Display name | Version ID |
Description | The version ID of the versioned Blob. Available only for storage accounts where hierarchical namespace is not enabled. |
Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId |
Attribute source | Request |
Attribute type | DateTime |
Exists support | True |
Hierarchical namespace support | False |
Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'<br>Example: Read current blob versions and a specific blob version<br>Example: Read current blob versions and any blob snapshots |
Learn more | Azure Data Lake Storage hierarchical namespace |