
Blob containers and access levels in Azure - Commands & Configuration

Introduction
Blob containers store files in the cloud. Access levels control who can see or change these files. Setting the right access level keeps your data safe or open as needed.
When you want to share images publicly on a website without requiring login.
When you need to keep backup files private and only accessible by your app.
When you want to allow a team to upload and download files securely.
When you want to control if files can be listed or only accessed directly.
When you want to quickly change who can see your stored files without moving them.
Config File - container-policy.json
{
  "SignedIdentifier": {
    "Id": "readpolicy",
    "AccessPolicy": {
      "Start": "2024-01-01T00:00:00Z",
      "Expiry": "2030-01-01T00:00:00Z",
      "Permission": "r"
    }
  }
}

This JSON defines a shared access policy named 'readpolicy' that allows read ('r') permission starting from January 1, 2024, until January 1, 2030. This policy can be applied to a blob container to control access.

Commands
Create a blob container named 'my-container' in the storage account 'mystorageaccount' with public read access to blobs only. This means anyone who knows a blob's URL can read it, but nobody can list the container's contents without authorization.
Terminal
az storage container create --name my-container --account-name mystorageaccount --public-access blob
Expected Output
{ "created": true }
--name - Specifies the container name
--account-name - Specifies the storage account name
--public-access - Sets the access level for the container
Show details of the container 'my-container' to verify its properties and access level.
Terminal
az storage container show --name my-container --account-name mystorageaccount
Expected Output
{ "name": "my-container", "publicAccess": "blob", "lastModified": "2024-04-27T12:00:00Z", "etag": "0x8D123456789ABC" }
--name - Specifies the container name
--account-name - Specifies the storage account name
Change the container 'my-container' access level to private, so no public read or list access is allowed.
Terminal
az storage container set-permission --name my-container --account-name mystorageaccount --public-access off
Expected Output
No output (command runs silently)
--public-access - Sets the access level; 'off' means private
Verify the container 'my-container' access level is now private.
Terminal
az storage container show --name my-container --account-name mystorageaccount
Expected Output
{ "name": "my-container", "publicAccess": null, "lastModified": "2024-04-27T12:05:00Z", "etag": "0x8D123456789DEF" }
--name - Specifies the container name
--account-name - Specifies the storage account name
Key Concept

If you remember nothing else from this pattern, remember: setting the right access level on a blob container controls who can read or list your files, protecting your data or sharing it safely.

Common Mistakes
Setting public access to 'container' when only blob-level access is needed
This allows anyone to list all blobs in the container, which may expose sensitive file names.
Use 'blob' access level to allow public read of blobs without listing the container.
Forgetting to specify the storage account name in commands
Commands fail because Azure CLI does not know which storage account to use.
Always include --account-name with the correct storage account.
Assuming private containers can be accessed publicly without a shared access signature
Private containers block all public access, so files cannot be read without proper authorization.
Use shared access signatures or change access level to allow public read if needed.
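Added here as an example (not part of the original page or of the Azure CLI): a small Python audit that reads the JSON printed by `az storage container list --account-name mystorageaccount -o json`, reports what an anonymous client can do with each container under the access levels the commands above set ('container', 'blob', or off), and builds the `set-permission` command that makes an exposed container private, which is the fix for the first common mistake. It assumes the list output nests publicAccess under a "properties" key and works on a constructed sample rather than a live account.

```python
import json

# Anonymous (unauthenticated) capabilities implied by each --public-access level,
# as described on this page: 'container' = read blobs and list them,
# 'blob' = read blobs by URL only, None/'off' = nothing without authorization.
ANONYMOUS_RIGHTS = {
    "container": {"read_blob": True, "list_blobs": True},
    "blob": {"read_blob": True, "list_blobs": False},
    None: {"read_blob": False, "list_blobs": False},
}

# Constructed sample in the shape of `az storage container list -o json`, where
# publicAccess sits under "properties" (assumption); the page's `show` output
# prints it at the top level, so both shapes are accepted below.
SAMPLE_LIST_OUTPUT = json.dumps([
    {"name": "website-images", "properties": {"publicAccess": "blob"}},
    {"name": "backups", "properties": {"publicAccess": None}},
    {"name": "shared-uploads", "properties": {"publicAccess": "container"}},
    {"name": "legacy", "publicAccess": "blob"},
])


def public_access_of(container: dict):
    """Return the publicAccess level from either JSON shape; 'off' normalises to None."""
    props = container.get("properties") or {}
    level = props.get("publicAccess", container.get("publicAccess"))
    level = None if level in (None, "off") else level
    if level not in ANONYMOUS_RIGHTS:
        raise ValueError(f"unknown publicAccess level: {level!r}")
    return level


def audit_containers(list_output: str, account: str) -> list:
    """Report what an anonymous client can do with each container, plus a fix for public ones."""
    findings = []
    for c in json.loads(list_output):
        level = public_access_of(c)
        finding = {"name": c["name"], "publicAccess": level, **ANONYMOUS_RIGHTS[level]}
        if finding["read_blob"]:  # anything beyond 'off' is reachable without credentials
            finding["remediation"] = (
                f"az storage container set-permission --name {c['name']} "
                f"--account-name {account} --public-access off"
            )
        findings.append(finding)
    return findings


def exposed_listable(findings: list) -> list:
    """Containers whose full blob listing is anonymously browsable (the page's first common mistake)."""
    return [f["name"] for f in findings if f["list_blobs"]]
```

Run `audit_containers(SAMPLE_LIST_OUTPUT, "mystorageaccount")` to see one finding per container; only 'shared-uploads' is reported by `exposed_listable`, while both 'blob'-level containers still get a remediation command because their blobs are readable by anyone with the URL.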
Summary
Create a blob container with az storage container create and set its public access level.
Check the container's access level with az storage container show to confirm settings.
Change access level to private with az storage container set-permission to restrict access.
Verify changes by showing container properties again.