Restrict Access to Containers and Blobs

By default, a container and any blobs within it may be accessed only by the owner of the storage account. If you want to give anonymous users read permissions to a container and its blobs, you can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request.

Containers provide the following options for managing container access:

• Full public read access: Container and blob data can be read via anonymous request. Clients can enumerate blobs within the container via anonymous request, but cannot enumerate containers within the storage account.
  
  
• Public read access for blobs only: Blob data within this container can be read via anonymous request, but container data is not available. Clients cannot enumerate blobs within the container via anonymous request.
  
  
• No public read access: Container and blob data can be read by the account owner only.
  
  

Note
If your service requires that you exercise more granular control over blob resources, or if you wish to provide permissions for operations other than read operations, you can use a Shared Access Signature to make a resource accessible to users. See Create a Shared Access Signature for more information.

Features Available to Anonymous Users

The following table shows which operations may be called by anonymous users when a container's ACL is set to allow public access.

 

REST Operation	.NET method	Permission with full public read access	Permission with public read access for blobs only
List Containers (REST API)	ListContainers	Owner only	Owner only
Create Container (REST API)	Create	Owner only	Owner only
Get Container Properties (REST API)	Properties	All	Owner only
Get Container Metadata (REST API)	Metadata	All	Owner only
Set Container Metadata (REST API)	Metadata	Owner only	Owner only
Get Container ACL (REST API)	BlobContainerPermissions	Owner only	Owner only
Set Container ACL (REST API)	BlobContainerPermissions	Owner only	Owner only
Delete Container (REST API)	Delete	Owner only	Owner only
List Blobs (REST API)	ListBlobs	All	Owner only
Put Blob (REST API)	Create method of CloudPageBlob or CloudBlockBlob	Owner only	Owner only
Get Blob (REST API)	DownloadByteArray and others	All	All
Get Blob Properties (REST API)	Properties	All	All
Set Blob Properties (REST API)	SetProperties	Owner only	Owner only
Get Blob Metadata (REST API)	Metadata	All	All
Set Blob Metadata (REST API)	Metadata	Owner only	Owner only
Put Block (REST API)	PutBlock	Owner only	Owner only
Get Block List (REST API) (committed blocks only)	DownloadBlockList	All	All
Get Block List (REST API) (uncommitted blocks only or all blocks)	DownloadBlockList	Owner only	Owner only
Put Block List (REST API)	PutBlockList	Owner only	Owner only
Delete Blob (REST API)	Delete	Owner only	Owner only
Copy Blob (REST API)	CopyFromBlob	Owner only	Owner only
Snapshot Blob (REST API)	CreateSnapshot	Owner only	Owner only
Lease Blob (REST API)	Lease	Owner only	Owner only
Put Page (REST API)	WritePages	Owner only	Owner only
Get Page Ranges (REST API)	GetPageRanges	All	All

Features by REST API Version

If a container is made public using the 2009-09-19 version of Set Container ACL (REST API), then all anonymous read access to the container and its resources will use the 2009-09-19 read operations if a default version has not been set. You can set the default version for requests to the Blob service by using the Set Blob Service Properties (REST API) operation. If a container was made public using a version of Set Container ACL prior to 2009-09-19, then all anonymous read access to the container and its resources will use the use the pre-release default read operations.

See Also

Reference

Set Container ACL (REST API)
SetPermissions

Other Resources

Manage Access to Containers, Blobs, Tables, and Queues
How to Use the Blob Storage Service
How to Use the Table Storage Service
How to Use the Queue Storage Service