
Restrict Access to Containers and Blobs

Updated: April 22, 2014

By default, a container and any blobs within it may be accessed only by the owner of the storage account. If you want to give anonymous users read permissions to a container and its blobs, you can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request.

Containers provide the following options for managing container access:

  • Full public read access: Container and blob data can be read via anonymous request. Clients can enumerate blobs within the container via anonymous request, but cannot enumerate containers within the storage account.

  • Public read access for blobs only: Blob data within this container can be read via anonymous request, but container data is not available. Clients cannot enumerate blobs within the container via anonymous request.

  • No public read access: Container and blob data can be read by the account owner only.

Note: If your service requires that you exercise more granular control over blob resources, or if you wish to provide permissions for operations other than read operations, you can use a Shared Access Signature to make a resource accessible to users. See Create and Use a Shared Access Signature for more information.

The following table shows which operations may be called by anonymous users when a container's ACL is set to allow public access.

 

| REST Operation | .NET method | Permission with full public read access | Permission with public read access for blobs only |
|---|---|---|---|
| List Containers | ListContainers | Owner only | Owner only |
| Create Container | Create | Owner only | Owner only |
| Get Container Properties | Properties | All | Owner only |
| Get Container Metadata | Metadata | All | Owner only |
| Set Container Metadata | Metadata | Owner only | Owner only |
| Get Container ACL | BlobContainerPermissions | Owner only | Owner only |
| Set Container ACL | BlobContainerPermissions | Owner only | Owner only |
| Delete Container | Delete | Owner only | Owner only |
| List Blobs | ListBlobs | All | Owner only |
| Put Blob | Create method of CloudPageBlob or CloudBlockBlob | Owner only | Owner only |
| Get Blob | DownloadByteArray and others | All | All |
| Get Blob Properties | Properties | All | All |
| Set Blob Properties | SetProperties | Owner only | Owner only |
| Get Blob Metadata | Metadata | All | All |
| Set Blob Metadata | Metadata | Owner only | Owner only |
| Put Block | PutBlock | Owner only | Owner only |
| Get Block List (committed blocks only) | DownloadBlockList | All | All |
| Get Block List (uncommitted blocks only or all blocks) | DownloadBlockList | Owner only | Owner only |
| Put Block List | PutBlockList | Owner only | Owner only |
| Delete Blob | Delete | Owner only | Owner only |
| Copy Blob | CopyFromBlob | Owner only | Owner only |
| Snapshot Blob | CreateSnapshot | Owner only | Owner only |
| Lease Blob | Lease | Owner only | Owner only |
| Put Page | WritePages | Owner only | Owner only |
| Get Page Ranges | GetPageRanges | All | All |
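
The following Python sketch is an added example, not code from this documentation. It audits an inventory of containers and reports which anonymous operations each public one exposes, using the permissions listed above. It assumes you have already collected the Get Container ACL response headers for each container; the x-ms-blob-public-access header carries the access level, and the container names, the sample inventory, and the allowed_public approval list are constructed for illustration.

```python
# Added example: audit container public-access settings (constructed data).
# Anonymous operations per access level, taken from the table on this page.
BLOB_READS = {"Get Blob", "Get Blob Properties", "Get Blob Metadata",
              "Get Block List (committed blocks only)", "Get Page Ranges"}
CONTAINER_READS = {"Get Container Properties", "Get Container Metadata",
                   "List Blobs"}
ANONYMOUS_OPS = {
    "private": set(),
    "blob": BLOB_READS,
    "container": BLOB_READS | CONTAINER_READS,
}

def access_level(headers):
    """Map Get Container ACL response headers to an access level.

    x-ms-blob-public-access is 'container' or 'blob'; the header is absent
    when the container has no public read access.
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    value = lowered.get("x-ms-blob-public-access")
    if value is None:
        return "private"
    if value not in ("blob", "container"):
        raise ValueError(f"unexpected public access value: {value!r}")
    return value

def audit(inventory, allowed_public=()):
    """Return findings for containers that are public but not approved."""
    findings = []
    for name, headers in sorted(inventory.items()):
        level = access_level(headers)
        if level == "private" or name in allowed_public:
            continue
        findings.append({
            "container": name,
            "level": level,
            "enumerable": "List Blobs" in ANONYMOUS_OPS[level],
            "anonymous_ops": sorted(ANONYMOUS_OPS[level]),
        })
    return findings

# Constructed sample: container name -> Get Container ACL response headers.
SAMPLE = {
    "backups": {"x-ms-blob-public-access": "container"},
    "static-assets": {"X-Ms-Blob-Public-Access": "blob"},
    "invoices": {"ETag": '"0x8D1"'},
    "downloads": {"x-ms-blob-public-access": "blob"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, allowed_public={"static-assets"}):
        print(finding)
```

A finding with "enumerable" set to True means anonymous clients can list every blob in the container, so blob names alone no longer limit what can be discovered.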

If a container is made public using the 2009-09-19 version of Set Container ACL, then all anonymous read access to the container and its resources will use the 2009-09-19 read operations if a default version has not been set. You can set the default version for requests to the Blob service by using the Set Blob Service Properties operation. If a container was made public using a version of Set Container ACL prior to 2009-09-19, then all anonymous read access to the container and its resources will use the pre-release default read operations.
