Let a user view and modify only one container in a storage account

Quitrie LAGRANDE 0 Reputation points
2023-11-05T15:08:52.77+00:00

I want the user to see only one container and hide others in a storage account.

The problem is that I can give Read access at the storage account level, which means that the user will see all containers, and if I give access at the container level the user won't be able to see anything.

Thank you


2 answers

  1. AirGordon 7,125 Reputation points
    2023-11-05T16:30:06.9533333+00:00

    Make sure that you're using role-based assignments, e.g. Storage Blob Data Reader or Storage Blob Data Contributor.

    Then to grant access to just a single container, you'll assign an RBAC role at the container scope. https://learn.microsoft.com/en-us/azure/storage/blobs/blob-containers-portal#manage-azure-rbac-role-assignments-for-the-container


  2. Siva Villa 285 Reputation points Microsoft Employee
    2023-11-07T04:45:02.4833333+00:00

    @Quitrie LAGRANDE

    I would like to highlight that users must have Reader permissions for storage in order to access storage account resources/containers. These permissions do not grant the ability to modify data in Azure storage.

    In order to meet your requirement, I would suggest granting Reader permissions at the storage account level and Storage Blob Data Contributor permissions at the container level. This will enable users to access the specific container while maintaining restrictions on access to other containers within the storage account.

    Assign an Azure role for access to blob data - Azure Storage | Microsoft Learn

    Another solution is to generate a SAS (Shared Access Signature) token at the storage container level and then attach it to an individual blob container within the storage explorer. This approach allows for controlled and secure access to that specific container, maintaining the required restrictions.


    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

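The role layout suggested in the second answer (Reader on the storage account, Storage Blob Data Contributor on one container), scripted with the Azure CLI as an added example that is not part of the thread or of Microsoft's documentation. The subscription ID, resource group, account, container and user are placeholders, and the commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. Every resource name below is a placeholder, not a value from the thread.
SUB="00000000-0000-0000-0000-000000000000"
RG="example-rg"
ACCOUNT="examplestorage"
CONTAINER="reports"
ASSIGNEE="user@example.com"

# ARM resource ID of the storage account.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# ARM resource ID of one container inside that account.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Print the command by default; execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; return; fi
  for arg in "$@"; do printf "'%s' " "$arg"; done; printf '\n'
}

# Reader on the account (resource is visible, no blob data access),
# data role on the single container only.
grant_single_container() {
  run az role assignment create --assignee "$ASSIGNEE" --role "Reader" \
    --scope "$(account_scope "$SUB" "$RG" "$ACCOUNT")"
  run az role assignment create --assignee "$ASSIGNEE" --role "Storage Blob Data Contributor" \
    --scope "$(container_scope "$SUB" "$RG" "$ACCOUNT" "$CONTAINER")"
}

# Reads role names (one per line) that are effective at the account scope and
# prints any blob data role: held there, it applies to every container.
broad_data_roles() {
  grep '^Storage Blob Data ' || true
}

# Live check (needs az login): roles effective at the account, inherited ones included.
audit_account_scope() {
  az role assignment list --assignee "$ASSIGNEE" --include-inherited \
    --scope "$(account_scope "$SUB" "$RG" "$ACCOUNT")" \
    --query "[].roleDefinitionName" -o tsv | broad_data_roles
}

grant_single_container
```

Empty output from `audit_account_scope` means the user holds no blob data role at the account, resource group or subscription level, so data access stays limited to the container assignment.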
