Manage anonymous read access to containers and blobs

You can enable anonymous, public read access to a container and its blobs in Azure Blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature (SAS).

Public read access is best for scenarios where you want certain blobs to always be available for anonymous read access. For more fine-grained control, you can create a shared access signature. Shared access signatures enable you to provide restricted access using different permissions, for a specific time period. For more information about creating shared access signatures, see Using shared access signatures (SAS) in Azure Storage.

Grant anonymous users permissions to containers and blobs

By default, a container and any blobs within it may be accessed only by a user that has been given appropriate permissions. To grant anonymous users read access to a container and its blobs, you can set the container public access level. Once a container is publicly accessible, anonymous users can read the blobs within it without authorizing the request.

You can configure a container with the following permissions:

  • No public read access: The container and its blobs can be accessed only by the storage account owner. This is the default for all new containers.
  • Public read access for blobs only: Blobs within the container can be read by anonymous request, but container data is not available. Anonymous clients cannot enumerate the blobs within the container.
  • Public read access for container and its blobs: All container and blob data can be read by anonymous request. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.

Set container public access level in the Azure portal

From the Azure portal, you can update the public access level for one or more containers:

  1. Navigate to your storage account overview in the Azure portal.
  2. Under Blob service on the menu blade, select Blobs.
  3. Select the containers for which you want to set the public access level.
  4. Use the Change access level button to display the public access settings.
  5. Select the desired public access level from the Public access level dropdown and click the OK button to apply the change to the selected containers.


You cannot change the public access level for an individual blob. Public access level is set only at the container level.

Set container public access level with .NET

To set permissions for a container using the Azure Storage client library for .NET, first retrieve the container's existing permissions by calling one of the following methods:

  • GetPermissions
  • GetPermissionsAsync

Next, set the PublicAccess property on the BlobContainerPermissions object that is returned by the GetPermissions method.

Finally, call one of the following methods to update the container's permissions:

  • SetPermissions
  • SetPermissionsAsync

The following example sets the container's permissions to full public read access. To set permissions to public read access for blobs only, set the PublicAccess property to BlobContainerPublicAccessType.Blob. To remove all permissions for anonymous users, set the property to BlobContainerPublicAccessType.Off.

private static async Task SetPublicContainerPermissions(CloudBlobContainer container)
{
    // Retrieve the existing permissions so that stored access policies are preserved.
    BlobContainerPermissions permissions = await container.GetPermissionsAsync();
    permissions.PublicAccess = BlobContainerPublicAccessType.Container;
    await container.SetPermissionsAsync(permissions);

    Console.WriteLine("Container {0} - permissions set to {1}", container.Name, permissions.PublicAccess);
}
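
The following is an added example, not part of the original page or of the library's own samples: an audit that uses the same client library to list every container in an account whose public access level is not Off, and optionally resets it. The class name, the allow list, and the AZURE_STORAGE_CONNECTION_STRING environment variable are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

public static class PublicAccessAudit
{
    // Returns one finding per container whose public access level is not Off.
    // Containers named in allowedPublic are reported but never changed.
    public static async Task<List<string>> AuditAsync(
        CloudBlobClient client, ISet<string> allowedPublic, bool remediate)
    {
        var findings = new List<string>();
        BlobContinuationToken token = null;
        do
        {
            ContainerResultSegment segment = await client.ListContainersSegmentedAsync(token);
            token = segment.ContinuationToken;
            foreach (CloudBlobContainer container in segment.Results)
            {
                BlobContainerPermissions permissions = await container.GetPermissionsAsync();
                if (permissions.PublicAccess == BlobContainerPublicAccessType.Off)
                    continue;

                findings.Add($"{container.Name}: {permissions.PublicAccess}");
                if (remediate && !allowedPublic.Contains(container.Name))
                {
                    // Only PublicAccess changes; stored access policies are written back as read.
                    permissions.PublicAccess = BlobContainerPublicAccessType.Off;
                    await container.SetPermissionsAsync(permissions);
                }
            }
        } while (token != null);
        return findings;
    }

    public static async Task Main()
    {
        // Assumption: the account connection string is supplied in this environment variable.
        string connectionString = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");
        CloudBlobClient client = CloudStorageAccount.Parse(connectionString).CreateCloudBlobClient();
        var allowed = new HashSet<string> { "sample-container" };
        foreach (string finding in await AuditAsync(client, allowed, remediate: false))
            Console.WriteLine(finding);
    }
}
```

Run it with remediate set to false first to review the findings before any access level is changed.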

Access containers and blobs anonymously

A client that accesses containers and blobs anonymously can use constructors that do not require credentials. The following examples show a few different ways to reference containers and blobs anonymously.

Create an anonymous client object

You can create a new service client object for anonymous access by providing the Blob storage endpoint for the account. However, you must also know the name of a container in that account that's available for anonymous access.

public static void CreateAnonymousBlobClient()
{
    // Create the client object using the Blob storage endpoint for your account.
    // Supply your account's Blob storage endpoint URI in place of the empty string.
    CloudBlobClient blobClient = new CloudBlobClient(
        new Uri(@""));

    // Get a reference to a container that's available for anonymous access.
    CloudBlobContainer container = blobClient.GetContainerReference("sample-container");

    // Read the container's properties.
    // Note this is only possible when the container supports full public read access.
    container.FetchAttributes();
    Console.WriteLine(container.Properties.LastModified);
    Console.WriteLine(container.Properties.ETag);
}

Reference a container anonymously

If you have the URL to a container that is anonymously available, you can use it to reference the container directly.

public static void ListBlobsAnonymously()
{
    // Get a reference to a container that's available for anonymous access.
    // Supply the container URL in place of the empty string.
    CloudBlobContainer container = new CloudBlobContainer(
        new Uri(@""));

    // List blobs in the container.
    // Note this is only possible when the container supports full public read access.
    foreach (IListBlobItem blobItem in container.ListBlobs())
    {
        Console.WriteLine(blobItem.Uri);
    }
}

Reference a blob anonymously

If you have the URL to a blob that is available for anonymous access, you can reference the blob directly using that URL:

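public static void DownloadBlobAnonymously()
{
    // Reference the blob directly by its URL; supply the blob URL in place of the empty string.
    CloudBlockBlob blob = new CloudBlockBlob(
        new Uri(@""));

    // Download the blob's contents to a local file, overwriting any existing file.
    blob.DownloadToFile(@"C:\Temp\logfile.txt", FileMode.Create);
}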
