Configure anonymous public read access for containers and blobs

Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.

Warning

When a container is configured for public access, any client can read data in that container. Public access presents a potential security risk, so if your scenario does not require it, Microsoft recommends that you disallow it for the storage account. For more information, see Prevent anonymous public read access to containers and blobs.

This article describes how to configure anonymous public read access for a container and its blobs. For information about how to access blob data anonymously from a client application, see Access public containers and blobs anonymously with .NET.

About anonymous public read access

Public access to your data is always prohibited by default. There are two separate settings that affect public access:

  1. Allow public access for the storage account. By default, a storage account allows a user with the appropriate permissions to enable public access to a container. Blob data is not available for public access unless the user takes the additional step to explicitly configure the container's public access setting.
  2. Configure the container's public access setting. By default, a container's public access setting is disabled, meaning that authorization is required for every request to the container or its data. A user with the appropriate permissions can modify a container's public access setting to enable anonymous access only if anonymous access is allowed for the storage account.

The following table summarizes how both settings together affect public access for a container.

How the two settings combine:

Public access is disallowed for the storage account:
  • Container public access is disabled (default setting): No public access to any container in the storage account.
  • Container public access is set to Container: No public access to any container in the storage account. The storage account setting overrides the container setting.
  • Container public access is set to Blob: No public access to any container in the storage account. The storage account setting overrides the container setting.

Public access is allowed for the storage account (default setting):
  • Container public access is disabled (default setting): No public access to this container (default configuration).
  • Container public access is set to Container: Public access is permitted to this container and its blobs.
  • Container public access is set to Blob: Public access is permitted to blobs in this container, but not to the container itself.

Allow or disallow public read access for a storage account

By default, a storage account is configured to allow a user with the appropriate permissions to enable public access to a container. When public access is allowed, a user with the appropriate permissions can modify a container's public access setting to enable anonymous public access to the data in that container. Blob data is never available for public access unless the user takes the additional step to explicitly configure the container's public access setting.

Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Regardless of the setting on the storage account, your data will never be available for public access unless a user with appropriate permissions takes this additional step to enable public access on the container.

Disallowing public access for the storage account prevents anonymous access to all containers and blobs in that account. When public access is disallowed for the account, it is not possible to configure the public access setting for a container to permit anonymous access. For improved security, Microsoft recommends that you disallow public access for your storage accounts unless your scenario requires that users access blob resources anonymously.

Important

Disallowing public access for a storage account overrides the public access settings for all containers in that storage account. When public access is disallowed for the storage account, any future anonymous requests to that account will fail. Before changing this setting, be sure to understand the impact on client applications that may be accessing data in your storage account anonymously. For more information, see Prevent anonymous public read access to containers and blobs.

To allow or disallow public access for a storage account, configure the account's AllowBlobPublicAccess property. This property is available for all storage accounts that are created with the Azure Resource Manager deployment model. For more information, see Storage account overview.

The AllowBlobPublicAccess property is not set for a storage account by default and does not return a value until you explicitly set it. The storage account permits public access when the property value is either null or true.

To allow or disallow public access for a storage account in the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Locate the Configuration setting under Settings.

  3. Set Blob public access to Enabled or Disabled.

    Screenshot showing how to allow or disallow blob public access for account

Note

Disallowing public access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.

After you update the public access setting for the storage account, it may take up to 30 seconds before the change is fully propagated.

Allowing or disallowing blob public access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see Azure Storage Resource Provider REST API.

To determine whether public access is currently allowed or disallowed for an account, read its AllowBlobPublicAccess property, keeping in mind that a null value means public access is allowed. To learn more about how to verify that an account's public access setting is configured to prevent anonymous access, see Remediate anonymous public access.
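The following PowerShell is an added example and is not part of the original article. It reads the account's AllowBlobPublicAccess property, treats a null value as "allowed" (as described above), disallows public access with Set-AzStorageAccount, and then re-reads the property after the propagation window. The resource group and account names in brackets are placeholders you must replace.

```powershell
# Added example (not from the original article). Placeholder values are assumptions.
$rgName      = "<resource-group>"
$accountName = "<storage-account>"

$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName

# AllowBlobPublicAccess has no value until it is set explicitly, and a null value
# means public access is ALLOWED. Only an explicit $false disallows it, so test for
# "not $false" rather than for $true.
if ($null -eq $account.AllowBlobPublicAccess -or $account.AllowBlobPublicAccess) {
    Write-Host "Public access is currently allowed for $accountName (property value: '$($account.AllowBlobPublicAccess)')"
} else {
    Write-Host "Public access is already disallowed for $accountName"
}

# Disallow public access for the whole account. This overrides every container's
# public access level, so anonymous requests to this account will start failing.
Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -AllowBlobPublicAccess $false | Out-Null

# The article notes the change can take up to 30 seconds to propagate; wait, then re-read.
Start-Sleep -Seconds 30
$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
Write-Host "AllowBlobPublicAccess is now: $($account.AllowBlobPublicAccess)"
```

Run this with an identity that holds Microsoft.Storage/storageAccounts/write on the account (for example Storage Account Contributor). Check the impact on anonymous clients before running it, as the Important note above describes.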

Set the public access level for a container

To grant anonymous users read access to a container and its blobs, first allow public access for the storage account, then set the container's public access level. If public access is disallowed for the storage account, you will not be able to configure public access for a container.

When public access is allowed for a storage account, you can configure a container with the following permissions:

  • No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
  • Public read access for blobs only: Blobs within the container can be read by anonymous request, but container data is not available anonymously. Anonymous clients cannot enumerate the blobs within the container.
  • Public read access for container and its blobs: Container and blob data can be read by anonymous request, except for container permission settings and container metadata. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.

You cannot change the public access level for an individual blob. Public access level is set only at the container level. You can set the container's public access level when you create the container, or you can update the setting on an existing container.

To update the public access level for one or more existing containers in the Azure portal, follow these steps:

  1. Navigate to your storage account overview in the Azure portal.

  2. Under Blob service on the menu blade, select Containers.

  3. Select the containers for which you want to set the public access level.

  4. Use the Change access level button to display the public access settings.

  5. Select the desired public access level from the Public access level dropdown and click the OK button to apply the change to the selected containers.

    Screenshot showing how to set public access level in the portal

When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, you'll see that the setting is disabled because public access is disallowed for the account.

Screenshot showing that setting container public access level is blocked when public access disallowed
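The PowerShell below is an added example, not code from the original article, showing the same container-level procedure outside the portal. The -Permission parameter of New-AzStorageContainer and Set-AzStorageContainerAcl takes the three levels described above as Off, Blob, and Container. The names in brackets are placeholders, and the example first checks the account-level setting so that it does not attempt an enable that the account would reject.

```powershell
# Added example (not from the original article). Placeholder values are assumptions.
$rgName        = "<resource-group>"
$accountName   = "<storage-account>"
$containerName = "<container>"

$account = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx     = $account.Context

# Only an explicit $false on the account blocks container-level public access;
# null and $true both allow it.
if ($account.AllowBlobPublicAccess -eq $false) {
    Write-Warning "Public access is disallowed for $accountName; a container's public access level cannot be enabled here."
} else {
    # Create a container whose blobs are anonymously readable but not listable
    # (the "Public read access for blobs only" level).
    New-AzStorageContainer -Name $containerName -Permission Blob -Context $ctx

    # Raise an existing container to "container and blobs": anonymous clients can
    # now enumerate its blobs as well as read them. -PassThru returns the updated container.
    Set-AzStorageContainerAcl -Name $containerName -Permission Container -Context $ctx -PassThru
}

# Turning public access off again is always possible, regardless of the account setting.
Set-AzStorageContainerAcl -Name $containerName -Permission Off -Context $ctx -PassThru

# Confirm the result: PublicAccess reports the container's current level.
Get-AzStorageContainer -Name $containerName -Context $ctx | Select-Object Name, PublicAccess
```

Because the level applies to every blob in the container, place anonymously readable objects in a container of their own rather than raising the level of a container that also holds private data.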

Check the public access setting for a set of containers

It is possible to check which containers in one or more storage accounts are configured for public access by listing the containers and checking the public access setting. This approach is a practical option when a storage account does not contain a large number of containers, or when you are checking the setting across a small number of storage accounts. However, performance may suffer if you attempt to enumerate a large number of containers.

The following example uses PowerShell to get the public access setting for all containers in a storage account. Remember to replace the placeholder values in brackets with your own values:

$rgName = "<resource-group>"
$accountName = "<storage-account>"

# Get the storage account and a Blob service context (authorized with the account key)
$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

# List every container with its public access level (Blob, Container, or Off/empty for no public access)
Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess
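The PowerShell below is an added example that is not part of the original article. It extends the single-account check above to every storage account in the current subscription (Get-AzStorageAccount with no parameters) and combines the two settings from the table earlier on the page, so it reports which containers are actually anonymously readable right now, as well as which accounts still allow public access even when no container currently uses it. The column names in the output object are my own.

```powershell
# Added example (not from the original article): subscription-wide audit of public access.
# Requires an Az session (Connect-AzAccount) with read access to the storage accounts.
$findings = foreach ($account in Get-AzStorageAccount) {

    # Account level: null and $true both mean public access is allowed; only $false disallows it.
    $accountAllows = ($null -eq $account.AllowBlobPublicAccess) -or [bool]$account.AllowBlobPublicAccess

    # Listing containers uses the account key; skip accounts we cannot list rather than abort the audit.
    try {
        $containers = Get-AzStorageContainer -Context $account.Context -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($account.StorageAccountName): $($_.Exception.Message)"
        continue
    }

    foreach ($container in $containers) {
        $level = "$($container.PublicAccess)"
        # Data is exposed only when the container level is Blob or Container AND the account allows it;
        # a disallowed account overrides the container setting.
        [pscustomobject]@{
            ResourceGroup     = $account.ResourceGroupName
            StorageAccount    = $account.StorageAccountName
            AccountAllows     = $accountAllows
            Container         = $container.Name
            ContainerLevel    = $level
            AnonymousReadable = $accountAllows -and ($level -in @('Blob', 'Container'))
        }
    }
}

# Containers that anonymous clients can read today.
$findings | Where-Object AnonymousReadable | Format-Table -AutoSize

# Accounts that still allow public access, even if no container is currently set to Blob or Container.
# These are the candidates for setting AllowBlobPublicAccess to $false.
$findings | Where-Object AccountAllows | Select-Object ResourceGroup, StorageAccount -Unique
```

As the paragraph above notes, this enumerates every container, so on subscriptions with many containers it can be slow; the Remediate anonymous public access article covers approaches that scale better.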

Next steps