Actions and attributes for Azure role assignment conditions for Azure Blob Storage
This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that are affected by a specific permission or DataAction, see Permissions for Blob service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
Important
Currently, Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access only to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request and resource attributes in the standard storage account performance tier. It is either not available or in PREVIEW for other storage account performance tiers, resource types, and attributes. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Suboperations
Multiple Storage service operations can be associated with a single permission or DataAction. However, each of these operations that are associated with the same permission might support different parameters. Suboperations enable you to differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to a subset of operations that support a given parameter. Then, you can use another access condition for operations with the same action that doesn't support that parameter.
For example, the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action is required for over a dozen different service operations. Some of these operations can accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action, all operations that don't accept tags as a request parameter cannot evaluate this condition, and will fail the authorization access check.
In this case, the optional suboperation Blob.Write.WithTagHeaders can be used to apply a condition to only those operations that support blob index tags as a request parameter.
Note
Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see Manage and find Azure Blob data with blob index tags.
Storage accounts support the following suboperations:
| Display name | DataAction | Suboperation |
|---|---|---|
| List blobs | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
Blob.List |
| Read a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
NOT Blob.List |
| Read content from a blob with tag conditions | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
Blob.Read.WithTagConditions (deprecated) |
| Sets the access tier on a blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
Blob.Write.Tier |
| Write to a blob with blob index tags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
Blob.Write.WithTagHeaders |
Azure Blob Storage actions and suboperations
This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions.
List blobs
| Property | Value |
|---|---|
| Display name | List blobs |
| Description | List blobs operation. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
| Suboperation | Blob.List |
| Resource attributes | Account name Is hierarchical namespace enabled Container name |
| Request attributes | Blob prefix |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})Example: Read or list blobs in named containers with a path |
Read a blob
| Property | Value |
|---|---|
| Display name | Read a blob |
| Description | All blob read operations excluding list. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
| Suboperation | NOT Blob.List |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path Encryption scope name |
| Request attributes | Version ID Snapshot |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})Example: Read blobs in named containers with a path |
Read content from a blob with tag conditions
The Read content from a blob with tag conditions suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.
When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.
If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to Example: Read blobs with a blob index tag.
Read blob index tags
| Property | Value |
|---|---|
| Display name | Read blob index tags |
| Description | DataAction for reading blob index tags. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read |
| Suboperation | |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path Blob index tags [Values in key] Blob index tags [Keys] |
| Request attributes | Version ID Snapshot |
| Principal attributes support | True |
| Learn more | Manage and find Azure Blob data with blob index tags |
Find blobs by tags
| Property | Value |
|---|---|
| Display name | Find blobs by tags |
| Description | DataAction for finding blobs by index tags. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled |
| Request attributes | |
| Principal attributes support | True |
Write to a blob
| Property | Value |
|---|---|
| Display name | Write to a blob |
| Description | DataAction for writing to blobs. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path Encryption scope name |
| Request attributes | |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})Example: Read, write, or delete blobs in named containers |
Sets the access tier on a blob
| Property | Value |
|---|---|
| Display name | Sets the access tier on a blob |
| Description | DataAction for writing to blobs. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
| Suboperation | Blob.Write.Tier |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path Encryption scope name |
| Request attributes | Version ID Snapshot |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.Tier'}) |
Write to a blob with blob index tags
| Property | Value |
|---|---|
| Display name | Write to a blob with blob index tags |
| Description | REST operations: Put Blob, Put Block List, Copy Blob and Copy Blob From URL. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/writeMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
| Suboperation | Blob.Write.WithTagHeaders |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path Encryption scope name |
| Request attributes | Blob index tags [Values in key] Blob index tags [Keys] |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})Example: New blobs must include a blob index tag |
| Learn more | Manage and find Azure Blob data with blob index tags |
Create a blob or snapshot, or append data
| Property | Value |
|---|---|
| Display name | Create a blob or snapshot, or append data |
| Description | DataAction for creating blobs. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path Encryption scope name |
| Request attributes | |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})Example: Read, write, or delete blobs in named containers |
Write blob index tags
| Property | Value |
|---|---|
| Display name | Write blob index tags |
| Description | DataAction for writing blob index tags. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write |
| Suboperation | |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path Blob index tags [Values in key] Blob index tags [Keys] |
| Request attributes | Blob index tags [Values in key] Blob index tags [Keys] Version ID Snapshot |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})Example: Existing blobs must have blob index tag keys |
| Learn more | Manage and find Azure Blob data with blob index tags |
Write Blob legal hold and immutability policy
| Property | Value |
|---|---|
| Display name | Write Blob legal hold and immutability policy |
| Description | DataAction for writing Blob legal hold and immutability policy. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path |
| Request attributes | |
| Principal attributes support | True |
Delete a blob
| Property | Value |
|---|---|
| Display name | Delete a blob |
| Description | DataAction for deleting blobs. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |
| Suboperation | |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path |
| Request attributes | Version ID Snapshot |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})Example: Read, write, or delete blobs in named containers |
Delete a version of a blob
| Property | Value |
|---|---|
| Display name | Delete a version of a blob |
| Description | DataAction for deleting a version of a blob. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path |
| Request attributes | Version ID |
| Principal attributes support | True |
| Examples | !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})Example: Delete old blob versions |
Permanently delete a blob overriding soft-delete
| Property | Value |
|---|---|
| Display name | Permanently delete a blob overriding soft-delete |
| Description | DataAction for permanently deleting a blob overriding soft-delete. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action |
| Suboperation | |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path |
| Request attributes | Version ID Snapshot |
| Principal attributes support | True |
Modify permissions of a blob
| Property | Value |
|---|---|
| Display name | Modify permissions of a blob |
| Description | DataAction for modifying permissions of a blob. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path |
| Request attributes | |
| Principal attributes support | True |
Change ownership of a blob
| Property | Value |
|---|---|
| Display name | Change ownership of a blob |
| Description | DataAction for changing ownership of a blob. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path |
| Request attributes | |
| Principal attributes support | True |
Rename a file or a directory
| Property | Value |
|---|---|
| Display name | Rename a file or a directory |
| Description | DataAction for renaming files or directories. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action |
| Suboperation | |
| Resource attributes | Account name Is hierarchical namespace enabled Container name Blob path |
| Request attributes | |
| Principal attributes support | True |
All data operations for accounts with hierarchical namespace enabled
| Property | Value |
|---|---|
| Display name | All data operations for accounts with hierarchical namespace enabled |
| Description | DataAction for all data operations on storage accounts with hierarchical namespace enabled. If your role definition includes the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action action, you should target this action in your condition. Targeting this action ensures the condition will still work as expected if hierarchical namespace is enabled for a storage account. |
| DataAction | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action |
| Suboperation | |
| Resource attributes | Account name Is Current Version Is hierarchical namespace enabled Container name Blob path |
| Request attributes | |
| Principal attributes support | True |
| Examples | Example: Read, write, or delete blobs in named containers Example: Read blobs in named containers with a path Example: Read or list blobs in named containers with a path Example: Write blobs in named containers with a path Example: Read only current blob versions Example: Read current blob versions and any blob snapshots Example: Read only storage accounts with hierarchical namespace enabled |
| Learn more | Azure Data Lake Storage Gen2 hierarchical namespace |
Azure Blob Storage attributes
This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
Account name
| Property | Value |
|---|---|
| Display name | Account name |
| Description | Name of a storage account. |
| Attribute | Microsoft.Storage/storageAccounts:name |
| Attribute source | Resource |
| Attribute type | String |
| Examples | @Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'Example: Read or write blobs in named storage account with specific encryption scope |
Blob index tags [Keys]
| Property | Value |
|---|---|
| Display name | Blob index tags [Keys] |
| Description | Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check the key in blob index tags. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$& |
| Attribute source | Resource Request |
| Attribute type | StringList |
| Is key case sensitive | True |
| Hierarchical namespace support | False |
| Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}Example: Existing blobs must have blob index tag keys |
| Learn more | Manage and find Azure Blob data with blob index tags Azure Data Lake Storage Gen2 hierarchical namespace |
Blob index tags [Values in key]
| Property | Value |
|---|---|
| Display name | Blob index tags [Values in key] |
| Description | Index tags on a blob resource. Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags |
| Attribute source | Resource Request |
| Attribute type | String |
| Is key case sensitive | True |
| Hierarchical namespace support | False |
| Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:keyname<$key_case_sensitive$>@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'Example: Read blobs with a blob index tag |
| Learn more | Manage and find Azure Blob data with blob index tags Azure Data Lake Storage Gen2 hierarchical namespace |
Blob path
| Property | Value |
|---|---|
| Display name | Blob path |
| Description | Path of a virtual directory, blob, folder or file resource. Use when you want to check the blob name or folders in a blob path. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path |
| Attribute source | Resource |
| Attribute type | String |
| Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'Example: Read blobs in named containers with a path |
Note
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Blob prefix
| Property | Value |
|---|---|
| Display name | Blob prefix |
| Description | Allowed prefix of blobs to be listed. Path of a virtual directory or folder resource. Use when you want to check the folders in a blob path. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix |
| Attribute source | Request |
| Attribute type | String |
| Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'Example: Read or list blobs in named containers with a path |
Note
When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Container name
| Property | Value |
|---|---|
| Display name | Container name |
| Description | Name of a storage container or file system. Use when you want to check the container name. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers:name |
| Attribute source | Resource |
| Attribute type | String |
| Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'Example: Read, write, or delete blobs in named containers |
Encryption scope name
| Property | Value |
|---|---|
| Display name | Encryption scope name |
| Description | Name of the encryption scope used to encrypt data. Available only for storage accounts where hierarchical namespace is not enabled. |
| Attribute | Microsoft.Storage/storageAccounts/encryptionScopes:name |
| Attribute source | Resource |
| Attribute type | String |
| Exists support | True |
| Examples | @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}Example: Read blobs with specific encryption scopes |
| Learn more | Create and manage encryption scopes |
Is Current Version
| Property | Value |
|---|---|
| Display name | Is Current Version |
| Description | Identifies if the resource is the current version of the blob, in contrast of a snapshot or a specific blob version. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion |
| Attribute source | Resource |
| Attribute type | Boolean |
| Examples | @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals trueExample: Read only current blob versions Example: Read current blob versions and a specific blob version |
Is hierarchical namespace enabled
| Property | Value |
|---|---|
| Display name | Is hierarchical namespace enabled |
| Description | Whether hierarchical namespace is enabled on the storage account. Applicable only at resource group scope or above. |
| Attribute | Microsoft.Storage/storageAccounts:isHnsEnabled |
| Attribute source | Resource |
| Attribute type | Boolean |
| Examples | @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals trueExample: Read only storage accounts with hierarchical namespace enabled |
| Learn more | Azure Data Lake Storage Gen2 hierarchical namespace |
Snapshot
| Property | Value |
|---|---|
| Display name | Snapshot |
| Description | The Snapshot identifier for the Blob snapshot. Available for storage accounts where hierarchical namespace is not enabled and currently in preview for storage accounts where hierarchical namespace is enabled. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot |
| Attribute source | Request |
| Attribute type | DateTime |
| Exists support | True |
| Hierarchical namespace support | False |
| Examples | Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]Example: Read current blob versions and any blob snapshots |
| Learn more | Blob snapshots Azure Data Lake Storage Gen2 hierarchical namespace |
Version ID
| Property | Value |
|---|---|
| Display name | Version ID |
| Description | The version ID of the versioned Blob. Available only for storage accounts where hierarchical namespace is not enabled. |
| Attribute | Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId |
| Attribute source | Request |
| Attribute type | DateTime |
| Exists support | True |
| Hierarchical namespace support | False |
| Examples | @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'Example: Read current blob versions and a specific blob version Example: Read current blob versions and any blob snapshots |
| Learn more | Azure Data Lake Storage Gen2 hierarchical namespace |
See also
Feedback
Submit and view feedback for