添加链接
link之家
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Download Microsoft Edge More info about Internet Explorer and Microsoft Edge

Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.

Warning

When a container is configured for public access, any client can read data in that container. Public access presents a potential security risk, so if your scenario does not require it, we recommend that you disallow it for the storage account.

This article describes how to configure anonymous public read access for a container and its blobs. For information about how to remediate anonymous access for optimal security, see one of these articles:

  • Remediate anonymous public read access to blob data (Azure Resource Manager deployments)
  • Remediate anonymous public read access to blob data (classic deployments)
  • About anonymous public read access

    Public access to your data is always prohibited by default. There are two separate settings that affect public access:

  • Allow public access for the storage account. By default, an Azure Resource Manager storage account allows a user with the appropriate permissions to enable public access to a container. Blob data is not available for public access unless the user takes the additional step to explicitly configure the container's public access setting.
  • Configure the container's public access setting. By default, a container's public access setting is disabled, meaning that authorization is required for every request to the container or its data. A user with the appropriate permissions can modify a container's public access setting to enable anonymous access only if anonymous access is allowed for the storage account.
  • The following table summarizes how both settings together affect public access for a container.

    Public access level for the container is set to Private (default setting) Public access level for the container is set to Container Public access level for the container is set to Blob Public access is disallowed for the storage account No public access to any container in the storage account. No public access to any container in the storage account. The storage account setting overrides the container setting. No public access to any container in the storage account. The storage account setting overrides the container setting. Public access is allowed for the storage account (default setting) No public access to this container (default configuration). Public access is permitted to this container and its blobs. Public access is permitted to blobs in this container, but not to the container itself.

    When anonymous public access is permitted for a storage account and configured for a specific container, then a request to read a blob in that container that is passed without an Authorization header is accepted by the service, and the blob's data is returned in the response.

    Allow or disallow public read access for a storage account

    By default, a storage account is configured to allow a user with the appropriate permissions to enable public access to a container. When public access is allowed, a user with the appropriate permissions can modify a container's public access setting to enable anonymous public access to the data in that container. Blob data is never available for public access unless the user takes the additional step to explicitly configure the container's public access setting.

    Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Regardless of the setting on the storage account, your data will never be available for public access unless a user with appropriate permissions takes this additional step to enable public access on the container.

    Disallowing public access for the storage account overrides the public access settings for all containers in that storage account, preventing anonymous access to blob data in that account. When public access is disallowed for the account, it is not possible to configure the public access setting for a container to permit anonymous access, and any future anonymous requests to that account will fail. Before changing this setting, be sure to understand the impact on client applications that may be accessing data in your storage account anonymously. For more information, see Prevent anonymous public read access to containers and blobs .

    Important

    After anonymous public access is disallowed for a storage account, clients that use the anonymous bearer challenge will find that Azure Storage returns a 403 error (Forbidden) rather than a 401 error (Unauthorized). We recommend that you make all containers private to mitigate this issue. For more information on modifying the public access setting for containers, see Set the public access level for a container .

    Allowing or disallowing blob public access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see Azure Storage Resource Provider REST API .

    Permissions for disallowing public access

    To set the AllowBlobPublicAccess property for the storage account, a user must have permissions to create and manage storage accounts. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.Storage/storageAccounts/write action. Built-in roles with this action include:

  • The Azure Resource Manager Owner role
  • The Azure Resource Manager Contributor role
  • The Storage Account Contributor role
  • Role assignments must be scoped to the level of the storage account or higher to permit a user to disallow public access for the storage account. For more information about role scope, see Understand scope for Azure RBAC .

    Be careful to restrict assignment of these roles only to those administrative users who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see Best practices for Azure RBAC .

    These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the Microsoft.Storage/storageAccounts/listkeys/action , which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account.

    The Microsoft.Storage/storageAccounts/listkeys/action itself grants data access via the account keys, but does not grant a user the ability to change the AllowBlobPublicAccess property for a storage account. For users who need to access data in your storage account but should not have the ability to change the storage account's configuration, consider assigning roles such as Storage Blob Data Contributor , Storage Blob Data Reader , or Reader and Data Access .

    The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see Azure roles, Azure AD roles, and classic subscription administrator roles .

    Set the storage account's AllowBlobPublicAccess property

    To allow or disallow public access for a storage account, configure the account's AllowBlobPublicAccess property. This property is available for all storage accounts that are created with the Azure Resource Manager deployment model. For more information, see Storage account overview .

    The AllowBlobPublicAccess property is not set for a storage account by default and does not return a value until you explicitly set it. The storage account permits public access when the property value is either null or true .

    Azure portal PowerShell Azure CLI Template

    To allow or disallow public access for a storage account in the Azure portal, follow these steps:

  • Navigate to your storage account in the Azure portal.

  • Locate the Configuration setting under Settings .

  • Set Blob public access to Enabled or Disabled .

    To allow or disallow public access for a storage account with PowerShell, install Azure PowerShell version 4.4.0 or later. Next, configure the AllowBlobPublicAccess property for a new or existing storage account.

    The following example creates a storage account and explicitly sets the AllowBlobPublicAccess property to false . Remember to replace the placeholder values in brackets with your own values:

    $rgName = "<resource-group>"
    $accountName = "<storage-account>"
    $location = "<location>"
    # Create a storage account with AllowBlobPublicAccess set to false.
    New-AzStorageAccount -ResourceGroupName $rgName `
        -Name $accountName `
        -Location $location `
        -SkuName Standard_GRS `
        -AllowBlobPublicAccess $false
    # Read the AllowBlobPublicAccess property for the newly created storage account.
    (Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).AllowBlobPublicAccess
    

    To allow or disallow public access for a storage account with Azure CLI, install Azure CLI version 2.9.0 or later. For more information, see Install the Azure CLI. Next, configure the allowBlobPublicAccess property for a new or existing storage account.

    The following example creates a storage account and explicitly sets the allowBlobPublicAccess property to false. Remember to replace the placeholder values in brackets with your own values:

    az storage account create \
        --name <storage-account> \
        --resource-group <resource-group> \
        --kind StorageV2 \
        --location <location> \
        --allow-blob-public-access false
    az storage account show \
        --name <storage-account> \
        --resource-group <resource-group> \
        --query allowBlobPublicAccess \
        --output tsv
    

    To allow or disallow public access for a storage account with a template, create a template with the AllowBlobPublicAccess property set to true or false. The following steps describe how to create a template in the Azure portal.

  • In the Azure portal, choose Create a resource.

  • In Search services and marketplace, type template deployment, and then press ENTER.

  • Choose Template deployment (deploy using custom templates), choose Create, and then choose Build your own template in the editor.

  • In the template editor, paste in the following JSON to create a new account and set the AllowBlobPublicAccess property to true or false. Remember to replace the placeholders in angle brackets with your own values.

    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "variables": { "storageAccountName": "[concat(uniqueString(subscription().subscriptionId), 'template')]" "resources": [ "name": "[variables('storageAccountName')]", "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "location": "<location>", "properties": { "allowBlobPublicAccess": false "dependsOn": [], "sku": { "name": "Standard_GRS" "kind": "StorageV2", "tags": {}
  • Save the template.

  • Specify resource group parameter, then choose the Review + create button to deploy the template and create a storage account with the allowBlobPublicAccess property configured.

    Disallowing public access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.

    After you update the public access setting for the storage account, it may take up to 30 seconds before the change is fully propagated.

    When a container is configured for anonymous public access, requests to read blobs in that container do not need to be authorized. However, any firewall rules that are configured for the storage account remain in effect and will block traffic inline with the configured ACLs.

    Allowing or disallowing blob public access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see Azure Storage Resource Provider REST API.

    The examples in this section showed how to read the AllowBlobPublicAccess property for the storage account to determine if public access is currently allowed or disallowed. To learn more about how to verify that an account's public access setting is configured to prevent anonymous access, see Remediate anonymous public access for the storage account.

    Set the public access level for a container

    To grant anonymous users read access to a container and its blobs, first allow public access for the storage account, then set the container's public access level. If public access is denied for the storage account, you will not be able to configure public access for a container.

    When public access is allowed for a storage account, you can configure a container with the following permissions:

  • No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
  • Public read access for blobs only: Blobs within the container can be read by anonymous request, but container data is not available anonymously. Anonymous clients cannot enumerate the blobs within the container.
  • Public read access for container and its blobs: Container and blob data can be read by anonymous request, except for container permission settings and container metadata. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.
  • You cannot change the public access level for an individual blob. Public access level is set only at the container level. You can set the container's public access level when you create the container, or you can update the setting on an existing container.

    Azure portal PowerShell Azure CLI Template

    To update the public access level for one or more existing containers in the Azure portal, follow these steps:

  • Navigate to your storage account overview in the Azure portal.

  • Under Data storage on the menu blade, select Blob containers.

  • Select the containers for which you want to set the public access level.

  • Use the Change access level button to display the public access settings.

  • Select the desired public access level from the Public access level dropdown and click the OK button to apply the change to the selected containers.

    To update the public access level for one or more containers with PowerShell, call the Set-AzStorageContainerAcl command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The Set Container ACL operation that sets the container's public access level does not support authorization with Azure AD. For more information, see Permissions for calling blob and queue data operations.

    The following example creates a container with public access disabled, and then updates the container's public access setting to permit anonymous access to the container and its blobs. Remember to replace the placeholder values in brackets with your own values:

    # Set variables.
    $rgName = "<resource-group>"
    $accountName = "<storage-account>"
    # Get context object.
    $storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
    $ctx = $storageAccount.Context
    # Create a new container with public access setting set to Off.
    $containerName = "<container>"
    New-AzStorageContainer -Name $containerName -Permission Off -Context $ctx
    # Read the container's public access setting.
    Get-AzStorageContainerAcl -Container $containerName -Context $ctx
    # Update the container's public access setting to Container.
    Set-AzStorageContainerAcl -Container $containerName -Permission Container -Context $ctx
    # Read the container's public access setting.
    Get-AzStorageContainerAcl -Container $containerName -Context $ctx
    

    When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, Azure Storage returns error indicating that public access is not permitted on the storage account.

    To update the public access level for one or more containers with Azure CLI, call the az storage container set permission command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The Set Container ACL operation that sets the container's public access level does not support authorization with Azure AD. For more information, see Permissions for calling blob and queue data operations.

    The following example creates a container with public access disabled, and then updates the container's public access setting to permit anonymous access to the container and its blobs. Remember to replace the placeholder values in brackets with your own values:

    az storage container create \
        --name <container-name> \
        --account-name <account-name> \
        --resource-group <resource-group>
        --public-access off \
        --account-key <account-key> \
        --auth-mode key
    az storage container show-permission \
        --name <container-name> \
        --account-name <account-name> \
        --account-key <account-key> \
        --auth-mode key
    az storage container set-permission \
        --name <container-name> \
        --account-name <account-name> \
        --public-access container \
        --account-key <account-key> \
        --auth-mode key
    az storage container show-permission \
        --name <container-name> \
        --account-name <account-name> \
        --account-key <account-key> \
        --auth-mode key
    

    When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, Azure Storage returns error indicating that public access is not permitted on the storage account.

    Check the public access setting for a set of containers

    It is possible to check which containers in one or more storage accounts are configured for public access by listing the containers and checking the public access setting. This approach is a practical option when a storage account does not contain a large number of containers, or when you are checking the setting across a small number of storage accounts. However, performance may suffer if you attempt to enumerate a large number of containers.

    The following example uses PowerShell to get the public access setting for all containers in a storage account. Remember to replace the placeholder values in brackets with your own values:

    $rgName = "<resource-group>"
    $accountName = "<storage-account>"
    $storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
    $ctx = $storageAccount.Context
    Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess
    

    Feature support

    Support for this feature might be impacted by enabling Data Lake Storage Gen2, Network File System (NFS) 3.0 protocol, or the SSH File Transfer Protocol (SFTP).

    If you've enabled any of these capabilities, see Blob Storage feature support in Azure Storage accounts to assess support for this feature.

    Next steps

  • Prevent anonymous public read access to containers and blobs
  • Access public containers and blobs anonymously with .NET
  • Authorizing access to Azure Storage
  •