R/W Access to single ADLS Gen2 Container

Dejan Sunderic 0 Reputation points
2025-03-04T18:53:28.9866667+00:00

Is it possible to grant a group of users read/write access to a single container on ADLS Gen2 without granting read access to other containers in the same storage account?

We need users to upload some .csv files to the storage account. We use that storage account (other containers) for files that the ETL is processing.

I thought that we could do that with ACLs, but users are getting errors when trying to access the container with their AAD accounts. Apparently, control plane (RBAC) access is needed (to read the list of containers), and the way to do that is to grant them the Storage Blob Data Reader permission. But that also grants them read access to other containers, and we want to avoid that.

I saw that a shared access signature (SAS) is an alternative, but the expiry date and time should be within 7 days of the current time (which is too short).

Azure Data Lake Storage

1 answer

  1. Keshavulu Dasari 4,110 Reputation points Microsoft External Staff
    2025-03-04T19:19:55.2266667+00:00

    Hi Dejan Sunderic,

    Yes, it is possible to grant access to a specific container in ADLS Gen2 without granting access to other containers. I suggest a few approaches you can consider:

    You can use ACLs to set fine-grained permissions at the directory and file level. As you mentioned, users might still need some level of RBAC permission to list containers. One workaround is to create a custom RBAC role that grants the minimal permissions required to list containers without giving read access to the blobs.

    While the default expiration for SAS tokens is short, you can configure a stored access policy on the container to extend the validity period of the SAS tokens. This way, you can create SAS tokens with longer expiration times.

    For additional information, please refer to the document below.
    https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

    User delegation SAS: This type of SAS is secured with Microsoft Entra credentials and can provide more secure and flexible access control. You can configure the expiration policy to allow longer validity periods.

    Custom role: Create a custom role that grants the necessary permissions to list containers without granting read access to the blobs. This can help you control access more precisely.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you.
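The following script is an added example, not code from the question, the answer, or Microsoft's documentation. It shows how the answer's two RBAC suggestions fit together in Azure CLI terms: a Storage Blob Data Contributor assignment scoped to the resource ID of the one upload container (so the data permission never reaches the ETL containers), plus a custom control-plane role at account scope that only carries the ARM actions needed to enumerate containers and no DataActions at all. The subscription ID, resource group, account, container and group object ID are placeholders; the custom role's exact action set and the stored-access-policy step are assumptions for illustration. Nothing is sent to Azure unless the script is run with the `apply` argument.

```shell
#!/bin/sh
# Added example: least-privilege grant for a single ADLS Gen2 container.
# All identifiers below are placeholders (assumed values), override via environment.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-data}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stdatalake}"
UPLOAD_CONTAINER="${UPLOAD_CONTAINER:-csv-uploads}"
GROUP_OBJECT_ID="${GROUP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"
POLICY_EXPIRY="${POLICY_EXPIRY:-2026-12-31T00:00Z}"   # expiry lives in the policy, not the SAS
CUSTOM_ROLE_NAME="Storage Container Lister (custom)"

# Resource ID of the storage account: scope for the control-plane (ARM) role.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Resource ID of ONE container: scope for the data-plane role, so blob permissions
# apply to this container only and are invisible on sibling containers.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Custom ARM role (assumed action set): read the account and list its containers.
# Deliberately no DataActions, so it cannot read blob contents anywhere.
custom_role_json() {
  cat <<EOF
{
  "Name": "$CUSTOM_ROLE_NAME",
  "IsCustom": true,
  "Description": "Enumerate storage account and containers; no blob data access",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/$1"]
}
EOF
}

# Runs the Azure CLI steps. Requires an authenticated 'az' session with rights to
# create role definitions/assignments; ACCOUNT_KEY is only needed for the policy step.
apply() {
  acct="$(account_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"
  cont="$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$UPLOAD_CONTAINER")"

  # 1. Control plane: custom role at account scope -> the group can list containers.
  az role definition create --role-definition "$(custom_role_json "$SUBSCRIPTION_ID")"
  az role assignment create --assignee-object-id "$GROUP_OBJECT_ID" \
    --assignee-principal-type Group --role "$CUSTOM_ROLE_NAME" --scope "$acct"

  # 2. Data plane: built-in Storage Blob Data Contributor at CONTAINER scope only.
  az role assignment create --assignee-object-id "$GROUP_OBJECT_ID" \
    --assignee-principal-type Group --role "Storage Blob Data Contributor" --scope "$cont"

  # 3. Optional: a stored access policy on the container and a SAS bound to it (si=...),
  #    so the validity period is set on the policy and can be shortened or revoked later.
  if [ -n "${ACCOUNT_KEY:-}" ]; then
    az storage container policy create --account-name "$STORAGE_ACCOUNT" --account-key "$ACCOUNT_KEY" \
      --container-name "$UPLOAD_CONTAINER" --name upload-rw --permissions rw --expiry "$POLICY_EXPIRY"
    az storage container generate-sas --account-name "$STORAGE_ACCOUNT" --account-key "$ACCOUNT_KEY" \
      --name "$UPLOAD_CONTAINER" --policy-name upload-rw -o tsv
  fi

  # Verify: only the two assignments above should appear for the group on this container.
  az role assignment list --assignee "$GROUP_OBJECT_ID" --scope "$cont" --include-inherited -o table
}

# Dry by default; pass 'apply' to execute against Azure.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

The verification step at the end is the check worth keeping: listing assignments on the container with inherited ones included shows whether any account- or subscription-level data role (such as Storage Blob Data Reader granted higher up, the problem described in the question) is still leaking read access into every container.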

