Find Blobs by Tags in Container

The Find Blobs by Tags in Container operation finds all blobs whose tags match a search expression in a container.

Request

You can construct the Find Blobs by Tags in Container request as follows. We recommend HTTPS. Replace myaccount with the name of your storage account and mycontainer with name of your storage container.

GET method request URI HTTP version
https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=blobs&where=<expression> HTTP/1.1

URI parameters

You can specify the following additional parameters on the request URI:

Parameter Description
expression Required. Filters the result set to include only blobs whose tags match the specified expression.

For information on how to construct this expression, see Remarks later in this article.
marker Optional. A string value that identifies the portion of the result set to be returned with the next operation. The operation returns a marker value within the response body if the returned result set was not complete. The marker value can then be used in a subsequent call to request the next set of items.

The marker value is opaque to the client.
maxresults Optional. Specifies the maximum number of blobs to return. If the request doesn't specify maxresults or specifies a value greater than 5,000, the server returns up to 5,000 items. If there are additional results to return, the service returns a continuation token in the NextMarker response element. In certain cases, the service might return fewer results than maxresults specifies but still return a continuation token.

Setting maxresults to a value less than or equal to zero results in error response code 400 (Bad Request).
timeout Optional. Expressed in seconds. For more information, see Set timeouts for Blob Storage operations.

Request headers

The following table describes required and optional request headers:

Request header Description
Authorization Required. Specifies the authorization scheme, account name, and signature. For more information, see Authorize requests to Azure Storage.
Date or x-ms-date Required. Specifies the Coordinated Universal Time (UTC) for the request. For more information, see Authorize requests to Azure Storage.
x-ms-version Required for all authorized requests, but optional for anonymous requests. Specifies the version of the operation to use for this request. For more information, see Versioning for the Azure Storage services.
x-ms-client-request-id Optional. Provides a client-generated, opaque value with a 1-kibibyte (KiB) character limit that's recorded in the logs when logging is configured. We highly recommend that you use this header to correlate client-side activities with requests that the server receives.

Request body

None.

Response

The response includes an HTTP status code, response headers, and a response body.

Status code

A successful operation returns status code 200 (OK).

For information about status codes, see Status and error codes.

Response headers

The response for this operation includes the following headers. The response might also include additional standard HTTP headers. All standard headers conform to the HTTP/1.1 protocol specification.

Response header Description
Content-Type Specifies application/xml as the content type.
Content-Length Specifies the size of the returned XML document, in bytes.
x-ms-request-id Uniquely identifies the request that was made. You can use it to troubleshoot the request. For more information, see Troubleshoot API operations.
x-ms-version Indicates the version of Azure Blob Storage that was used to execute the request.
Date A UTC date/time value that indicates the time at which the service sent the response.
x-ms-client-request-id Can be used to troubleshoot requests and corresponding responses. The value of this header is equal to the value of the x-ms-client-request-id header, if it's present in the request and the value is at most 1,024 visible ASCII characters. If the x-ms-client-request-id header is not present in the request, this header won't be present in the response.

Response body

The format of the response body is as follows:

<?xml version="1.0" encoding="utf-8"?>  
<EnumerationResults ServiceEndpoint=http://myaccount.blob.core.windows.net/>  
  <Where>string-value</Where>  
  <Blobs>  
    <Blob>  
      <Name>blob-name</Name>  
      <ContainerName>container-name</ContainerName>  
      <Tags>
        <TagSet>
          <Tag>
            <Key>matching-tag-name1</Key>
            <Value>matching-tag-value1</Value>
          </Tag>
          <Tag>
            <Key>matching-tag-name2</Key>
            <Value>matching-tag-value2</Value>
          </Tag>
        </TagSet>
      </Tags> 
    </Blob>  
  </Blobs>  
  <NextMarker />  
</EnumerationResults>  

The response body is a well-formed UTF-8 XML document.

Authorization

Authorization is required when calling any data access operation in Azure Storage. You can authorize the Find Blobs by Tags in Container operation as described below.

Important

Microsoft recommends using Microsoft Entra ID with managed identities to authorize requests to Azure Storage. Microsoft Entra ID provides superior security and ease of use compared to Shared Key authorization.

Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. The security principal may be a user, group, application service principal, or Azure managed identity. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

To learn more about authorization using Microsoft Entra ID, see Authorize access to blobs using Microsoft Entra ID.

Permissions

Listed below are the RBAC action necessary for a Microsoft Entra user, group, managed identity, or service principal to call the Find Blobs by Tags in Container operation, and the least privileged built-in Azure RBAC role that includes this action:

To learn more about assigning roles using Azure RBAC, see Assign an Azure role for access to blob data.

Remarks

The Find Blobs by Tags in Container operation is supported in REST API version 2021-04-10 and later.

The secondary index that Find Blobs by Tags in Container uses is eventually consistent. Updates to blob tags via Set Blob Tags might not be immediately visible to Find Blobs by Tags in Container operations.

Constructing a search expression

The where URI parameter finds blobs in the storage account and container whose tags match an expression. The expression must evaluate to true for a blob to be returned in the result set.

The storage service supports a subset of the ANSI SQL WHERE clause grammar for the value of the where=<expression> query parameter. The storage service supports the following operators:

Operator Description Example
= Equal &where=Status = 'In Progress'
> Greater than &where=LastModified > '2018-06-18 20:51:26Z'
>= Greater than or equal &where=Priority >= '05'
< Less than &where=Age < '032'
<= Less than or equal &where=Reviewer <= 'Smith'
AND Logical and &where=Name > 'C' AND Name < 'D'
&where=Age > '032' AND Age < '100'

Note

The value of the where URI parameter must be properly URI encoded (including spaces and operators). The preceding examples omit this for readability. @container is not supported when the container is part of a URI.

All tag values are strings. The supported binary relational operators use a lexicographic sorting of the tag values. To support non-string data types, including numbers and dates, you must use appropriate padding and sortable formatting. Tag values must be enclosed in single quotation marks.

If tag names are regular SQL identifiers, they can be present without escaping. If they contain any special characters, they must be delimited with double quotation marks (for example, "TagName" = TagValue). We recommend that you always enclose tag names in double quotation marks.

The storage service will reject any request that contains an invalid expression with error code 400 (Bad Request).

Billing

Pricing requests can originate from clients that use Blob Storage APIs, either directly through the Blob Storage REST API, or from an Azure Storage client library. These requests accrue charges per transaction. The type of transaction affects how the account is charged. For example, read transactions accrue to a different billing category than write transactions. The following table shows the billing category for Find Blobs by Tags in Container requests based on the storage account type:

Operation Storage account type Billing category
Find Blobs by Tags in Container Premium block blob
Standard general-purpose v2
Standard general-purpose v1
List and Create Container operations

To learn about pricing for the specified billing category, see Azure Blob Storage Pricing.

See also

Manage and find data on Azure Blob Storage with blob index tags
Authorize requests to Azure Storage
Status and error codes
Blob Storage error codes