Find Blobs by Tags
Find Blobs by Tags operation finds all blobs in the storage account whose tags match a search expression.
You can construct the
Find Blobs by Tags request as follows. We recommend HTTPS. Replace myaccount with the name of your storage account.
|GET method request URI||HTTP version|
You can specify the following additional parameters on the request URI:
||Required. Filters the result set to include only blobs whose tags match the specified expression.
For more information on how to construct this expression, see Remarks.
||Optional. A string value that identifies the portion of the result set to be returned with the next operation. The operation returns a marker value within the response body if the returned result set was not complete. The marker value can then be used in a subsequent call to request the next set of items.
The marker value is opaque to the client.
||Optional. Specifies the maximum number of blobs to return. If the request doesn't specify
||Optional. Expressed in seconds. For more information, see Set timeouts for Blob Storage operations.|
The following table describes required and optional request headers:
||Required. Specifies the authorization scheme, account name, and signature. For more information, see Authorize requests to Azure Storage.|
||Required. Specifies the Coordinated Universal Time (UTC) for the request. For more information, see Authorize requests to Azure Storage.|
||Required for all authorized requests, but optional for anonymous requests. Specifies the version of the operation to use for this request. For more information, see Versioning for the Azure Storage services.|
||Optional. Provides a client-generated, opaque value with a 1-kibibyte (KiB) character limit that's recorded in the logs when logging is configured. We highly recommend that you use this header to correlate client-side activities with requests that the server receives.|
The response includes an HTTP status code, response headers, and a response body.
A successful operation returns status code 200 (OK).
For information about status codes, see Status and error codes.
The response for this operation includes the following headers. The response might also include additional standard HTTP headers. All standard headers conform to the HTTP/1.1 protocol specification.
||Specifies the size of the returned XML document, in bytes.|
||Uniquely identifies the request that was made. You can use it to troubleshoot the request. For more information, see Troubleshoot API operations.|
||Indicates the version of Azure Blob Storage that was used to execute the request.|
||A UTC date/time value that indicates the time at which the service sent the response.|
||Can be used to troubleshoot requests and corresponding responses. The value of this header is equal to the value of the
In version 2020-04-08 and later, the blob's matching tags are encapsulated within a
Tags element. The format of the response body is as follows:
<?xml version="1.0" encoding="utf-8"?> <EnumerationResults ServiceEndpoint=http://myaccount.blob.core.windows.net/> <Where>string-value</Where> <Blobs> <Blob> <Name>blob-name</Name> <ContainerName>container-name</ContainerName> <Tags> <TagSet> <Tag> <Key>matching-tag-name1</Key> <Value>matching-tag-value1</Value> </Tag> <Tag> <Key>matching-tag-name2</Key> <Value>matching-tag-value2</Value> </Tag> </TagSet> </Tags> </Blob> </Blobs> <NextMarker /> </EnumerationResults>
The response body is a well-formed UTF-8 XML document.
Authorization is required when calling any data access operation in Azure Storage. You can authorize the
Find Blobs by Tags operation as described below.
Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. The security principal may be a user, group, application service principal, or Azure managed identity. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.
To learn more about authorization using Azure AD, see Authorize access to blobs using Azure Active Directory.
Listed below are the RBAC action necessary for an Azure AD user, group, or service principal to call the
Find Blobs by Tags operation, and the least privileged built-in Azure RBAC role that includes this action:
- Azure RBAC action: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action
- Least privileged built-in role: Storage Blob Data Owner
To learn more about assigning roles using Azure RBAC, see Assign an Azure role for access to blob data.
Find Blobs by Tags operation is supported in REST API version 2019-12-12 and later.
The secondary index that
Find Blobs by Tags uses is eventually consistent. Updates to blob tags via
Set Blob Tags might not be immediately visible to
Find Blobs by Tags operations.
Constructing a search expression
where URI parameter finds blobs in the storage account whose tags match an expression. The expression must evaluate to
true for a blob to be returned in the result set.
The storage service supports a subset of the ANSI SQL
WHERE clause grammar for the value of the
where=<expression> query parameter. The storage service supports the following operators:
||Greater than or equal||
||Less than or equal||
||Specify a container||
The value of the
where URI parameter must be properly URI encoded (including spaces and operators). The preceding examples omit this for readability.
All tag values are strings. The supported binary relational operators use a lexicographic sorting of the tag values. To support non-string data types, including numbers and dates, you must use appropriate padding and sortable formatting. Tag values must be enclosed in single quotation marks.
If tag names are regular SQL identifiers, they can be present without escaping. If they contain any special characters, they must be delimited with double quotation marks (for example,
TagValue). We recommend that you always enclose tag names in double quotation marks.
The storage service will reject any request that contains an invalid expression with error code 400 (Bad Request).
Pricing requests can originate from clients that use Blob Storage APIs, either directly through the Blob Storage REST API, or from an Azure Storage client library. These requests accrue charges per transaction. The type of transaction affects how the account is charged. For example, read transactions accrue to a different billing category than write transactions. The following table shows the billing category for
Find Blobs by Tags requests based on the storage account type:
|Operation||Storage account type||Billing category|
|Find Blobs by Tags||Premium block blob
Standard general-purpose v2
Standard general-purpose v1
|List and Create Container operations|
To learn about pricing for the specified billing category, see Azure Blob Storage Pricing.