แก้ไข

แชร์ผ่าน


Actions and attributes for Azure role assignment conditions for Azure Blob Storage

This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage DataAction. For the list of Blob service operations that a specific permission or DataAction affects, see Permissions for Blob service operations.

To understand the role assignment condition format, see Azure role assignment condition format and syntax.

Important

Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see Status of condition features in Azure Storage.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Suboperations

Multiple Storage service operations can be associated with a single permission or DataAction. However, each of these operations that are associated with the same permission might support different parameters. Suboperations enable you to differentiate between service operations that require the same permission but support a different set of attributes for conditions. Thus, by using a suboperation, you can specify one condition for access to a subset of operations that support a given parameter. Then, you can use another access condition for operations with the same action that doesn't support that parameter.

For example, the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action is required for over a dozen different service operations. Some of these operations can accept blob index tags as a request parameter, while others don't. For operations that accept blob index tags as a parameter, you can use blob index tags in a Request condition. However, if such a condition is defined on the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write action, all operations that don't accept tags as a request parameter can't evaluate this condition, and fails the authorization access check.

In this case, the optional suboperation Blob.Write.WithTagHeaders can be used to apply a condition to only those operations that support blob index tags as a request parameter.

Note

Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see Manage and find Azure Blob data with blob index tags.

Azure Blob Storage actions and suboperations

This section lists the supported Azure Blob Storage actions and suboperations you can target for conditions. They're summarized in the following table:

Display name DataAction Suboperation
Read operations
Find blobs by tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action n/a
List blobs Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Blob.List
Read a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read NOT Blob.List
Read blob index tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read n/a
Read content from a blob with tag conditions
(deprecated)
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Blob.Read.WithTagConditions
Write operations
Create a blob or snapshot, or append data Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action n/a
Delete a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete n/a
Delete a version of a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action n/a
Permanently delete a blob overriding soft-delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action n/a
Rename a file or a directory Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action n/a
Sets the access tier on a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Blob.Write.Tier
Write blob index tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write n/a
Write blob legal hold and immutability policy Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action n/a
Write to a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write n/a
Write to a blob with blob index tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Blob.Write.WithTagHeaders
Permissions operations
Change ownership of a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action n/a
Modify permissions of a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action n/a
HNS operations
All data operations for accounts with hierarchical namespace enabled Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action n/a

List blobs

Property Value
Display name List blobs
Description List blobs operation.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Suboperation Blob.List
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Request attributes Blob prefix
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
Example: Read or list blobs in named containers with a path

Read a blob

Property Value
Display name Read a blob
Description All blob read operations excluding list.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Suboperation NOT Blob.List
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Encryption scope name
Request attributes Version ID
Snapshot
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
Example: Read blobs in named containers with a path

Read content from a blob with tag conditions

Important

The Read content from a blob with tag conditions suboperation has been deprecated. Although it is currently supported for compatibility with conditions implemented during the ABAC feature preview, Microsoft recommends using the Read a blob action instead.

When configuring ABAC conditions in the Azure portal, you might see DEPRECATED: Read content from a blob with tag conditions. Microsoft recommends removing the operation and replacing it with the Read a blob action.

If you are authoring your own condition where you want to restrict read access by tag conditions, please refer to Example: Read blobs with a blob index tag.

Read blob index tags

Property Value
Display name Read blob index tags
Description DataAction for reading blob index tags.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Suboperation n/a
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Blob index tags [Values in key]
Blob index tags [Keys]
Request attributes Version ID
Snapshot
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Learn more Manage and find Azure Blob data with blob index tags

Find blobs by tags

Property Value
Display name Find blobs by tags
Description DataAction for finding blobs by index tags.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now

Write to a blob

Property Value
Display name Write to a blob
Description DataAction for writing to blobs.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Encryption scope name
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
Example: Read, write, or delete blobs in named containers

Sets the access tier on a blob

Property Value
Display name Sets the access tier on a blob
Description DataAction for writing to blobs.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Suboperation Blob.Write.Tier
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Encryption scope name
Request attributes Version ID
Snapshot
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.Tier'})

Write to a blob with blob index tags

Property Value
Display name Write to a blob with blob index tags
Description REST operations: Put Blob, Put Block List, Copy Blob and Copy Blob From URL.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Suboperation Blob.Write.WithTagHeaders
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Encryption scope name
Request attributes Blob index tags [Values in key]
Blob index tags [Keys]
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
Example: New blobs must include a blob index tag
Learn more Manage and find Azure Blob data with blob index tags

Create a blob or snapshot, or append data

Property Value
Display name Create a blob or snapshot, or append data
Description DataAction for creating blobs.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Encryption scope name
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
Example: Read, write, or delete blobs in named containers

Write blob index tags

Property Value
Display name Write blob index tags
Description DataAction for writing blob index tags.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Suboperation n/a
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Blob index tags [Values in key]
Blob index tags [Keys]
Request attributes Blob index tags [Values in key]
Blob index tags [Keys]
Version ID
Snapshot
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
Example: Existing blobs must have blob index tag keys
Learn more Manage and find Azure Blob data with blob index tags
Property Value
Display name Write Blob legal hold and immutability policy
Description DataAction for writing Blob legal hold and immutability policy.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now

Delete a blob

Property Value
Display name Delete a blob
Description DataAction for deleting blobs.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Suboperation n/a
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Request attributes Version ID
Snapshot
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
Example: Read, write, or delete blobs in named containers

Delete a version of a blob

Property Value
Display name Delete a version of a blob
Description DataAction for deleting a version of a blob.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Request attributes Version ID
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})
Example: Delete old blob versions

Permanently delete a blob overriding soft-delete

Property Value
Display name Permanently delete a blob overriding soft-delete
Description DataAction for permanently deleting a blob overriding soft-delete.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action
Suboperation n/a
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Request attributes Version ID
Snapshot
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now

Modify permissions of a blob

Property Value
Display name Modify permissions of a blob
Description DataAction for modifying permissions of a blob.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now

Change ownership of a blob

Property Value
Display name Change ownership of a blob
Description DataAction for changing ownership of a blob.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now

Rename a file or a directory

Property Value
Display name Rename a file or a directory
Description DataAction for renaming files or directories.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
Suboperation n/a
Resource attributes Account name
Is hierarchical namespace enabled
Container name
Blob path
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now

All data operations for accounts with hierarchical namespace enabled

Property Value
Display name All data operations for accounts with hierarchical namespace enabled
Description DataAction for all data operations on storage accounts with hierarchical namespace enabled.
If your role definition includes the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action action, you should target this action in your condition. Targeting this action ensures the condition will still work as expected if hierarchical namespace is enabled for a storage account.
DataAction Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action
Suboperation n/a
Resource attributes Account name
Is Current Version
Is hierarchical namespace enabled
Container name
Blob path
Request attributes
Principal attributes support True
Environment attributes Is private link
Private endpoint
Subnet
UTC now
Examples Example: Read, write, or delete blobs in named containers
Example: Read blobs in named containers with a path
Example: Read or list blobs in named containers with a path
Example: Write blobs in named containers with a path
Example: Read only current blob versions
Example: Read current blob versions and any blob snapshots
Example: Read only storage accounts with hierarchical namespace enabled
Learn more Azure Data Lake Storage hierarchical namespace

Azure Blob Storage attributes

This section lists the Azure Blob Storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.

Note

Attributes and values listed are considered case-insensitive, unless stated otherwise.

The following table summarizes the available attributes by source:

Attribute Source Display name Description
Environment
Is private link Whether access is over a private link
Private endpoint The private endpoint over which an object is accessed
Subnet The subnet over which an object is accessed
UTC now The current date and time in Coordinated Universal Time
Request
Blob index tags [Keys] Index tags on a blob resource (keys); available only for storage accounts where hierarchical namespace is not enabled
Blob index tags [Values in key] Index tags on a blob resource (values in key); available only for storage accounts where hierarchical namespace is not enabled
Blob prefix Allowed prefix of blobs to be listed
List blob include Information that can be included with listing operations, such as metadata, snapshots, or versions
Snapshot The Snapshot identifier for the Blob snapshot
Version ID The version ID of the versioned blob; available only for storage accounts where hierarchical namespace is not enabled
Resource
Account name The storage account name
Blob index tags [Keys] Index tags on a blob resource (keys)
Blob index tags [Values in key] Index tags on a blob resource (values in key)
Blob path Path of a virtual directory, blob, folder or file resource
Container name Name of a storage container or file system
Container metadata Metadata key/value pair associated with a container
Encryption scope name Name of the encryption scope used to encrypt data
Is current version Whether the resource is the current version of the blob
Is hierarchical namespace enabled Whether hierarchical namespace is enabled on the storage account

Account name

Property Value
Display name Account name
Description Name of a storage account.
Attribute Microsoft.Storage/storageAccounts:name
Attribute source Resource
Attribute type String
Examples @Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'
Example: Read or write blobs in named storage account with specific encryption scope

Blob index tags [Keys]

Property Value
Display name Blob index tags [Keys]
Description Index tags on a blob resource.
Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check the key in blob index tags.
Available only for storage accounts where hierarchical namespace is not enabled.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&
Attribute source Resource
Request
Attribute type StringList
Is key case sensitive True
Hierarchical namespace support False
Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}
Example: Existing blobs must have blob index tag keys
Learn more Manage and find Azure Blob data with blob index tags
Azure Data Lake Storage hierarchical namespace

Blob index tags [Values in key]

Property Value
Display name Blob index tags [Values in key]
Description Index tags on a blob resource.
Arbitrary user-defined key-value properties that you can store alongside a blob resource. Use when you want to check both the key (case-sensitive) and value in blob index tags.
Available only for storage accounts where hierarchical namespace is not enabled.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags
Attribute source Resource
Request
Attribute type String
Is key case sensitive True
Hierarchical namespace support False
Examples @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:keyname<$key_case_sensitive$>
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
Example: Read blobs with a blob index tag
Learn more Manage and find Azure Blob data with blob index tags
Azure Data Lake Storage hierarchical namespace

Blob path

Property Value
Display name Blob path
Description Path of a virtual directory, blob, folder or file resource.
Use when you want to check the blob name or folders in a blob path.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path
Attribute source Resource
Attribute type String
Examples @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'
Example: Read blobs in named containers with a path

Note

When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.

Blob prefix

Property Value
Display name Blob prefix
Description Allowed prefix of blobs to be listed.
Path of a virtual directory or folder resource. Use when you want to check the folders in a blob path.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix
Attribute source Request
Attribute type String
Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'
Example: Read or list blobs in named containers with a path

Note

When specifying conditions for the Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix attribute, the values shouldn't include the container name or a preceding slash (/) character. Use the path characters without any URL encoding.

Container name

Property Value
Display name Container name
Description Name of a storage container or file system.
Use when you want to check the container name.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers:name
Attribute source Resource
Attribute type String
Examples @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
Example: Read, write, or delete blobs in named containers

Container metadata

Property Value
Display name Container metadata
Description Metadata key/value pair associated with a container.
Use when you want to check specific metadata for a container. Currently in preview.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/metadata
Attribute source Resource
Attribute type String
Examples @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'
Example: Read blobs in a container with specific metadata
Example: Write or delete blobs in container with specific metadata

Encryption scope name

Property Value
Display name Encryption scope name
Description Name of the encryption scope used to encrypt data.
Attribute Microsoft.Storage/storageAccounts/encryptionScopes:name
Attribute source Resource
Attribute type String
Exists support True
Examples @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}
Example: Read blobs with specific encryption scopes
Learn more Create and manage encryption scopes

Is Current Version

Property Value
Display name Is Current Version
Description Whether the resource is the current version of the blob, in contrast to a snapshot or a specific blob version.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion
Attribute source Resource
Attribute type Boolean
Examples @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:isCurrentVersion] BoolEquals true
Example: Read only current blob versions
Example: Read current blob versions and a specific blob version

Is hierarchical namespace enabled

Property Value
Display name Is hierarchical namespace enabled
Description Whether hierarchical namespace is enabled on the storage account.
Applicable only at resource group scope or higher.
Attribute Microsoft.Storage/storageAccounts:isHnsEnabled
Attribute source Resource
Attribute type Boolean
Examples @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true
Example: Read only storage accounts with hierarchical namespace enabled
Learn more Azure Data Lake Storage hierarchical namespace
Property Value
Display name Is private link
Description Whether access is over a private link.
Use to require access over any private link.
Attribute isPrivateLink
Attribute source Environment
Attribute type Boolean
Applies to For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:

Copy Blob
Copy Blob From URL
Put Blob From URL
Put Block From URL
Append Block From URL
Put Page From URL

For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation
Examples @Environment[isPrivateLink] BoolEquals true
Example: Require private link access to read blobs with high sensitivity
Learn more Use private endpoints for Azure Storage

List blob include

Property Value
Display name List blob include
Description Information that can be included with a List Blobs operation, such as metadata, snapshots, or versions.
Use when you want to allow or restrict values for the include parameter when calling the List Blobs operation.
Currently in preview. Available only for storage accounts where hierarchical namespace is not enabled.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include
Attribute source Request
Attribute type String
Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}
Example: Allow list blob operation to include blob metadata, snapshots, or versions
Example: Restrict list blob operation to not include blob metadata

Private endpoint

Property Value
Display name Private endpoint
Description The private endpoint over which an object is accessed.
Use to restrict access over a specific private endpoint.
Available only for storage accounts in subscriptions that have at least one private endpoint configured.
Attribute Microsoft.Network/privateEndpoints
Attribute source Environment
Attribute type String
Applies to For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:

Copy Blob
Copy Blob From URL
Put Blob From URL
Put Block From URL
Append Block From URL
Put Page From URL

For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation
Examples @Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/privateEndpoints/privateendpoint1'
Example: Allow read access to a container only from a specific private endpoint
Learn more Use private endpoints for Azure Storage

Snapshot

Property Value
Display name Snapshot
Description The Snapshot identifier for the Blob snapshot.
Available only for storage accounts where hierarchical namespace is not enabled and currently in preview for storage accounts where hierarchical namespace is enabled.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot
Attribute source Request
Attribute type DateTime
Exists support True
Hierarchical namespace support False
Examples Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]
Example: Read current blob versions and any blob snapshots
Learn more Blob snapshots
Azure Data Lake Storage hierarchical namespace

Subnet

Property Value
Display name Subnet
Description The subnet over which an object is accessed.
Use to restrict access to a specific subnet.
Available only for storage accounts in subscriptions that have at least one virtual network subnet using service endpoints configured.
Attribute Microsoft.Network/virtualNetworks/subnets
Attribute source Environment
Attribute type String
Applies to For copy operations using the following REST operations, this attribute only applies to the destination storage account, and not the source:

Copy Blob
Copy Blob From URL
Put Blob From URL
Put Block From URL
Append Block From URL
Put Page From URL

For all other read, write, create, delete, and rename operations, it applies to the storage account that is the target of the operation
Examples @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/example-group/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default'
Example: Allow access to blobs in specific containers from a specific subnet
Learn more Subnets

UTC now

Property Value
Display name UTC now
Description The current date and time in Coordinated Universal Time.
Use to control access to objects for a specific date and time period.
Attribute UtcNow
Attribute source Environment
Attribute type DateTime
(Only operators DateTimeGreaterThan and DateTimeLessThan are supported for the UTC now attribute.)
Examples @Environment[UtcNow] DateTimeGreaterThan '2023-05-01T13:00:00.0Z'
Example: Allow read access to blobs after a specific date and time

Version ID

Property Value
Display name Version ID
Description The version ID of the versioned Blob.
Available only for storage accounts where hierarchical namespace is not enabled.
Attribute Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId
Attribute source Request
Attribute type DateTime
Exists support True
Hierarchical namespace support False
Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'
Example: Read current blob versions and a specific blob version
Example: Read current blob versions and any blob snapshots
Learn more Azure Data Lake Storage hierarchical namespace

See also