This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that a specific permission or DataAction affects, see Permissions for Blob service operations.
To understand the role assignment condition format, see Azure role assignment condition format and syntax.
Important
Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the list blob include request attribute and the snapshot request attribute for hierarchical namespace are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Suboperations

Multiple Storage service operations can be associated with a single permission or DataAction. However, the operations associated with the same permission might support different parameters. Suboperations let you differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to the subset of operations that support a given parameter, and another condition for operations with the same action that don't support that parameter.
For example, the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action is required for over a dozen different service operations. Some of these operations accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action itself, the operations that don't accept tags as a request parameter can't evaluate the condition, and they fail the authorization check.

In this case, the optional suboperation Blob.Write.WithTagHeaders can be used to apply the condition only to those operations that support blob index tags as a request parameter.
Note
Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see Manage and find Azure Blob data with blob index tags.
Azure Blob Storage actions and suboperations

This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions. They're summarized in the following list:

- List blobs
- Read a blob
- Read content from a blob with tag conditions (deprecated; see the Important note below)
- Read blob index tags
- Find blobs by tags
- Write to a blob
- Sets the access tier on a blob
- Write to a blob with blob index tags
- Create a blob or snapshot, or append data
- Write blob index tags
- Write Blob legal hold and immutability policy
- Delete a blob
- Delete a version of a blob
- Permanently delete a blob overriding soft-delete
- Modify permissions of a blob
- Change ownership of a blob
- Rename a file or a directory
- All data operations for accounts with hierarchical namespace enabled

Important

The Read content from a blob with tag conditions suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.

When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.

If you are authoring your own condition where you want to restrict read access by tag conditions, refer to Example: Read blobs with a blob index tag.

Azure Blob Storage attributes

This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from, because the attributes must be available across all of the selected actions.
Note
Attributes and values listed are considered case-insensitive, unless stated otherwise.
The following table summarizes the available attributes by source:

Resource: Account name; Blob index tags [Keys]; Blob index tags [Values in key]

Blob index tags [Values in key]
Display name: Blob index tags [Values in key]
Description: Index tags on a blob resource.
Attribute: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:keyname<$key_case_sensitive$>
Attribute source: Resource
Examples: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
Attribute: Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path
Attribute source: Resource
Attribute type: String
Examples: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'
Note

When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Attribute: Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix
Attribute source: Request
Attribute type: String
Examples: @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'
Note

When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.
Attribute: Microsoft.Storage/storageAccounts/blobServices/containers:name
Attribute source: Resource
Attribute type: String
Examples: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
Description: include parameter when calling the List Blobs operation.
Attribute: Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include
Attribute source: Request
Attribute type: String
Examples:
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}
Attribute: Microsoft.Network/virtualNetworks/subnets
Attribute source: Environment
Attribute type: String
Applies to: For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:
For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation.
Examples: @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'
Attribute: UtcNow
Attribute source: Environment
Attribute type: DateTime
Examples: @Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'
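The following toy evaluator is an added example, not Microsoft's authorization engine and not code from this article. It models the two points made above: why a blob index tag condition placed on the bare blobs/write action fails for operations that send no tags until it is scoped to the Blob.Write.WithTagHeaders suboperation, and how the operators used in the attribute examples (StringEquals, StringLike, StringStartsWith, ForAllOfAnyValues/ForAllOfAllValues, DateTimeGreaterThan) compare @Request, @Resource and @Environment attributes. The Operation and Condition classes, the demo calls and their timestamps are constructed for the demonstration; the rendered condition text follows the Azure role assignment condition syntax described on the linked format page.

```python
"""Toy model of Azure ABAC condition evaluation for Blob Storage (added example,
not Microsoft's engine). Operation objects and timestamps are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase

NS = "Microsoft.Storage/storageAccounts/blobServices/containers"
WRITE, READ = f"{NS}/blobs/write", f"{NS}/blobs/read"
TAG_PROJECT = f"{NS}/blobs/tags:Project<$key_case_sensitive$>"
PATH, PREFIX, INCLUDE = f"{NS}/blobs:path", f"{NS}/blobs:prefix", f"{NS}/blobs:include"


@dataclass
class Operation:
    """One service call as authorization sees it: action, optional suboperation,
    and the attributes each source can supply for this call (constructed shape)."""
    action: str
    suboperation: str | None = None
    request: dict = field(default_factory=dict)      # @Request[...]
    resource: dict = field(default_factory=dict)     # @Resource[...]
    environment: dict = field(default_factory=dict)  # @Environment[...]


@dataclass
class Condition:
    """(!(ActionMatches [AND SubOperationMatches]) OR (clause AND clause ...)),
    each clause being (source, attribute, operator, expected)."""
    action: str
    clauses: list
    suboperation: str | None = None

    def render(self) -> str:
        """Emit the condition in Azure role assignment condition syntax."""
        scope = f"ActionMatches{{'{self.action}'}}"
        if self.suboperation:
            scope += f" AND SubOperationMatches{{'{self.suboperation}'}}"
        def lit(v):  # scalar -> 'x', list -> {'a', 'b'}
            return "{" + ", ".join(f"'{x}'" for x in v) + "}" if isinstance(v, (list, set, tuple)) else f"'{v}'"
        body = " AND ".join(f"@{s}[{a}] {o} {lit(e)}" for s, a, o, e in self.clauses)
        return f"((!({scope})) OR ({body}))"


def _scalar(op: str, actual, expected) -> bool:
    """Single-value operators used in the examples on this page."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringNotEquals":
        return actual != expected
    if op == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    if op == "StringStartsWith":
        return actual.startswith(expected)
    if op == "StringLike":                 # '*' wildcard, case-sensitive
        return fnmatchcase(actual, expected)
    if op == "DateTimeGreaterThan":        # accepts '...T13:00:00.0Z' and '...T13:00:00Z'
        fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in expected else "%Y-%m-%dT%H:%M:%SZ"
        return actual > datetime.strptime(expected, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"unknown operator {op}")


def _compare(op: str, actual, expected) -> bool:
    """ForAllOfAnyValues / ForAllOfAllValues quantify a scalar operator over a
    multi-valued attribute such as the List Blobs include parameter."""
    if ":" not in op:
        return _scalar(op, actual, expected)
    quant, inner = op.split(":", 1)
    values = actual if isinstance(actual, (list, set, tuple)) else [actual]
    if quant == "ForAllOfAnyValues":   # every sent value matches at least one listed value
        return all(any(_scalar(inner, v, e) for e in expected) for v in values)
    if quant == "ForAllOfAllValues":   # every sent value matches every listed value
        return all(all(_scalar(inner, v, e) for e in expected) for v in values)
    raise ValueError(f"unknown quantifier {quant}")


def evaluate(cond: Condition, op: Operation) -> bool:
    """True means access is allowed. A clause whose attribute the operation does
    not carry cannot be evaluated and fails the check; scoping the condition to a
    suboperation keeps such operations out of its reach."""
    if op.action != cond.action:
        return True
    if cond.suboperation and op.suboperation != cond.suboperation:
        return True
    tables = {"Request": op.request, "Resource": op.resource, "Environment": op.environment}
    for src, attr, operator, expected in cond.clauses:
        if attr not in tables[src] or not _compare(operator, tables[src][attr], expected):
            return False
    return True


def demo() -> dict:
    """Outcomes for a few constructed calls; each key names the case shown."""
    tag_rule = [("Request", TAG_PROJECT, "StringEquals", "Cascade")]
    unscoped = Condition(WRITE, tag_rule)
    scoped = Condition(WRITE, tag_rule, suboperation="Blob.Write.WithTagHeaders")
    tagged_put = Operation(WRITE, "Blob.Write.WithTagHeaders", request={TAG_PROJECT: "Cascade"})
    untagged_put = Operation(WRITE)       # a write that sends no tag header
    read_rule = Condition(READ, [
        ("Resource", PATH, "StringLike", "readonly/*"),   # no container name, no leading '/'
        ("Environment", "UtcNow", "DateTimeGreaterThan", "2023-05-01T13:00:00.0Z"),
    ])
    read = Operation(READ, resource={PATH: "readonly/report.csv"},
                     environment={"UtcNow": datetime(2023, 6, 1, tzinfo=timezone.utc)})
    listing = Condition(READ, [("Request", INCLUDE, "ForAllOfAnyValues:StringEqualsIgnoreCase",
                                ["metadata", "snapshots", "versions"])])
    return {
        "unscoped_tag_rule_blocks_untagged_write": evaluate(unscoped, untagged_put),
        "scoped_tag_rule_ignores_untagged_write": evaluate(scoped, untagged_put),
        "scoped_tag_rule_checks_tagged_write": evaluate(scoped, tagged_put),
        "path_and_time_rule": evaluate(read_rule, read),
        "list_with_allowed_include": evaluate(listing, Operation(READ, request={INCLUDE: ["Metadata", "snapshots"]})),
        "list_with_forbidden_include": evaluate(listing, Operation(READ, request={INCLUDE: ["deleted"]})),
        "rendered": scoped.render(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first three results are the point of the Suboperations section: the same tag clause denies an untagged write when attached to the bare action, but is skipped for that write and checked for a tagged one once SubOperationMatches narrows it. The rendered string is what you would paste into the condition field of the role assignment.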