Tutorial: Add a role assignment condition to restrict access to blobs using the Azure portal

In most cases, a role assignment will grant the permissions you need to Azure resources. However, in some cases you might want to provide more granular access control by adding a role assignment condition.

In this tutorial, you learn how to:

  • Add a condition to a role assignment
  • Restrict access to blobs based on a blob index tag

Important

Currently, Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access only to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request and resource attributes in the standard storage account performance tier. It is either not available or in PREVIEW for other storage account performance tiers, resource types, and attributes. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

For information about the prerequisites to add or edit role assignment conditions, see Conditions prerequisites.

Condition

In this tutorial, you restrict access to blobs with a specific tag. For example, you add a condition to a role assignment so that Chandra can only read files with the tag Project=Cascade.

Diagram of role assignment with a condition.

If Chandra tries to read a blob without the tag Project=Cascade, access is not allowed.

Diagram showing read access to blobs with Project=Cascade tag.

Here is what the condition looks like in code:

(
    (
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}
        AND NOT
        SubOperationMatches{'Blob.List'})
    )
    OR
    (
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Cascade'
    )
)

Read the condition from the outside in. The first branch is true for every request that is not a blob read, and also for the Blob.List sub-operation of a blob read, so those requests pass the condition without a tag check and are governed only by what the role itself permits. The second branch is reached only for an actual blob read: it requires a blob index tag whose key is Project (the key comparison is case-sensitive, which is what <$key_case_sensitive$> denotes) and whose value equals Cascade, compared case-insensitively by StringEqualsIgnoreCase. One consequence to keep in mind before you test: because Blob.List is exempt, the user can still list the names of every blob in the container, including those tagged Project=Baker; only reading their content is denied.

Step 1: Create a user

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Click Azure Active Directory.

  3. Create a user or find an existing user. This tutorial uses Chandra as the example.

Step 2: Set up storage

  1. Create a storage account that is compatible with the blob index tags feature. For more information, see Manage and find Azure Blob data with blob index tags.

  2. Create a new container within the storage account and set the Public access level to Private (no anonymous access).

  3. In the container, click Upload to open the Upload blob pane.

  4. Find a text file to upload.

  5. Click Advanced to expand the pane.

  6. In the Blob index tags section, add the following blob index tag to the text file.

    If you don't see the Blob index tags section and you just registered your subscription, you might need to wait a few minutes for changes to propagate. For more information, see Use blob index tags to manage and find data on Azure Blob Storage.

    Note

    Blobs also support arbitrary user-defined key-value metadata. Although metadata looks similar to blob index tags, conditions can only evaluate blob index tags, not metadata, so the tag must be set as a blob index tag for the condition to see it.

    Key Value
    Project Cascade

Screenshot showing Upload blob pane with Blob index tags section.

  7. Click the Upload button to upload the file.

  8. Upload a second text file.

  9. Add the following blob index tag to the second text file.

    Key Value
    Project Baker

Step 3: Assign a storage blob data role

  1. Open the resource group.

  2. Click Access control (IAM).

  3. Click the Role assignments tab to view the role assignments at this scope.

  4. Click Add > Add role assignment. The Add role assignment page opens:

Screenshot of Add > Add role assignment menu.

  5. On the Roles tab, select the Storage Blob Data Reader role.

Screenshot of Add role assignment page with Roles tab.

  6. On the Members tab, select the user you created earlier.

Screenshot of Add role assignment page with Members tab.

  7. (Optional) In the Description box, enter Read access to blobs with the tag Project=Cascade.

  8. Click Next.

Step 4: Add a condition

  1. On the Conditions (optional) tab, click Add condition. The Add role assignment condition page appears:

Screenshot of Add role assignment condition page for a new condition.

  2. In the Add action section, click Add action.

    The Select an action pane appears. This pane is a filtered list of data actions based on the role assignment that will be the target of your condition. Check the box next to Read a blob, then click Select:

Screenshot of Select an action pane with an action selected.

  3. In the Build expression section, click Add expression.

    The Expression section expands.

  4. Specify the following expression settings:

    Setting Value
    Attribute source Resource
    Attribute Blob index tags [Values in key]
    Key Project
    Operator StringEqualsIgnoreCase
    Value Cascade

Screenshot of Build expression section for blob index tags.

  5. Scroll up to Editor type and click Code.

    The condition is displayed as code. You can make changes to the condition in this code editor. To go back to the visual editor, click Visual.

Screenshot of condition displayed in code editor.

  6. Click Save to add the condition and return to the Add role assignment page.

  7. Click Next.

  8. On the Review + assign tab, click Review + assign to assign the role with a condition.

    After a few moments, the security principal is assigned the role at the selected scope.

Screenshot of role assignment list after assigning role.

Step 5: Assign Reader role

  • Repeat the previous steps to assign the Reader role to the user you created earlier at resource group scope.

    Note

    You typically don't need to assign the Reader role for data access. It is assigned here because the Azure portal needs control-plane read permission on the resource group and storage account to navigate to the container, while Storage Blob Data Reader grants data-plane access only. Reader cannot list the account keys, so it does not weaken the test.

Step 6: Test the condition

  1. In a new window, open the Azure portal.

  2. Sign in as the user you created earlier.

  3. Open the storage account and container you created.

  4. Ensure that the authentication method is set to Azure AD User Account and not Access key. Conditions are evaluated only for requests authorized with Azure AD; a request authorized with the storage account key (or a SAS signed with that key) is not subject to Azure RBAC or to role assignment conditions at all, so Access key mode would not exercise the condition even if the test user could use it.

Screenshot of storage container with test files.

  5. Click the Baker text file.

    You should NOT be able to view or download the blob and an authorization failed message should be displayed.

  6. Click the Cascade text file.

    You should be able to view and download the blob.
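The same procedure, Steps 2 through 6, driven from Az PowerShell so that it can be repeated and reviewed as code. This is an added example, not code from the tutorial or from Microsoft; it assumes the Az.Accounts, Az.Resources and Az.Storage modules and a Connect-AzAccount session. The resource group, region, storage account prefix, container name and the test user's UPN are placeholders. The condition string is the one shown earlier on this page.

```powershell
# Added example, not part of the tutorial: Steps 2 to 6 driven from Az PowerShell
# (Az.Accounts, Az.Resources, Az.Storage). Every name below is an assumption; change it.
$rg        = 'rg-abac-tutorial'
$location  = 'eastus'
$account   = 'stabac' + (Get-Random -Minimum 10000 -Maximum 99999)  # must be globally unique
$container = 'project-files'
$userUpn   = 'chandra@contoso.com'   # the user created in Step 1

# Same condition as shown in the tutorial. Single-quoted here-string, so PowerShell
# does not try to expand $key_case_sensitive$ as a variable.
$condition = @'
(
    (
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}
        AND NOT
        SubOperationMatches{'Blob.List'})
    )
    OR
    (
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Cascade'
    )
)
'@

function Initialize-AbacDemo {
    # Run in a session signed in (Connect-AzAccount) as an Owner of the subscription.
    New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
    # Step 2: standard-tier StorageV2 account (blob index tags need this), no anonymous access
    New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -AllowBlobPublicAccess $false | Out-Null
    # Seed with the account key: Owner alone has no data-plane permission, and shared-key
    # requests bypass Azure RBAC entirely (which is also why the test must use Azure AD auth).
    $keyCtx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
    New-AzStorageContainer -Name $container -Context $keyCtx -Permission Off | Out-Null
    foreach ($project in 'Cascade', 'Baker') {
        $file = Join-Path $env:TEMP "$($project.ToLower()).txt"
        "Notes for project $project" | Set-Content -Path $file
        # -Tag sets a blob index tag; blob metadata would not be visible to the condition
        Set-AzStorageBlobContent -File $file -Container $container -Blob (Split-Path $file -Leaf) `
            -Context $keyCtx -Tag @{ Project = $project } -Force | Out-Null
    }
    # Steps 3 and 4: Storage Blob Data Reader at resource group scope, with the condition
    $user  = Get-AzADUser -UserPrincipalName $userUpn
    $scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rg"
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Storage Blob Data Reader' `
        -Scope $scope -Condition $condition -ConditionVersion '2.0' `
        -Description 'Read access to blobs with the tag Project=Cascade' | Out-Null
    # Step 5: Reader (control plane only) so the user can browse to the account in the portal
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
    "Created $account in $rg; allow a few minutes for the assignments to propagate."
}

function Test-AbacDemo {
    # Step 6: run in a second session signed in as the test user, with $account set to the
    # name printed by Initialize-AbacDemo. -UseConnectedAccount authorizes with Azure AD,
    # so Azure RBAC and the condition are evaluated.
    $ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
    # Blob.List is exempt from the tag check: both blob names are returned
    'Listed: ' + ((Get-AzStorageBlob -Container $container -Context $ctx).Name -join ', ')
    foreach ($blob in 'cascade.txt', 'baker.txt') {
        try {
            Get-AzStorageBlobContent -Container $container -Blob $blob -Context $ctx `
                -Destination (Join-Path $env:TEMP "dl-$blob") -Force -ErrorAction Stop | Out-Null
            "$blob : allowed"
        } catch {
            "$blob : denied ($($_.Exception.Message))"   # expected for baker.txt (HTTP 403)
        }
    }
}

# Owner session:      Initialize-AbacDemo
# Test-user session:  $account = '<name printed above>'; Test-AbacDemo
```

Dot-source the file in each session and call the matching function. In the test user's session you should see both blob names listed, cascade.txt downloaded and baker.txt rejected with an authorization error, which is the same outcome the portal steps produce. Note that Initialize-AbacDemo deliberately seeds the blobs through the account key context: anyone who can read that key (Owner or Contributor on the account) can read baker.txt too, because shared-key requests are never evaluated against Azure RBAC or conditions.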

Step 7: Clean up resources

  1. Remove the role assignment you added.

  2. Delete the test storage account you created.

  3. Delete the user you created.

Next steps