In this blog, we’ll explore how to configure list-only permissions for specific users in Azure Storage, allowing them to view the structure of files and directories without accessing or downloading their contents.
Granting list-only permissions to specific users for an Azure Storage container path allows them to list files and directories without reading or downloading their contents. While RBAC manages access at the container or account level, ABAC offers more granular control by leveraging attributes like resource metadata, user roles, or environmental factors, enabling customized access policies to meet specific requirements.
Disclaimer: Please test this solution before implementing it for your critical data.
Prerequisites:
- Azure Storage GPV2 / ADLS Gen 2 Storage account
- Make sure you have sufficient permissions (Microsoft.Authorization/roleAssignments/write) to assign roles to users, for example the Owner or User Access Administrator role
Note: If you want to grant list-only permission to a particular container, ensure that the permission is applied specifically to that container. This approach limits the scope of access to just the intended container and enhances security by minimizing unnecessary permissions.
However, in this example, I am demonstrating how to implement this role for the entire storage account. This setup allows users to list files and directories across all containers within the storage account, which might be suitable for scenarios requiring broader access.
Action:
You can follow the steps below to assign the Storage Blob Data Reader role with a condition attached, using the Azure portal:
Step 1:
- Sign in to the Azure portal with your credentials.
- Go to the storage account that the role assignment should be scoped to.
- Select Access Control (IAM) > Add > Add role assignment.
Step 2:
- On the Roles tab, select (or search for) Storage Blob Data Reader and click Next.
- On the Members tab, select User, group, or service principal to assign the selected role to one or more Azure AD users, groups, or service principals.
- Click Select members.
- Find and select the users, groups, or service principals.
- You can type in the Select box to search the directory for display name or email address.
- Please select the user and continue with Step 3 to configure conditions.
Step 3:
The Storage Blob Data Reader role grants both list and read/download access to blobs, so a condition is needed that restricts the read/download operations while leaving listing allowed.
- On the Conditions tab, click Add condition. The Add role assignment condition page appears.
- In the Add action section, click Add action.
- The Select an action pane appears. This pane is a filtered list of data actions based on the role assignment that will be the target of your condition. Check the box next to Read a blob, then click Select.
Step 4:
Under Build expression, add an expression that always evaluates to false. Because the condition applies only to the Read a blob action selected above, the outcome then depends entirely on that action: every read/download is denied, while listing, which the condition does not cover, remains allowed.
- Click Save.
- On the Review + assign tab, click Review + assign to assign the role with the condition.
- After a few moments, the security principal is assigned the role.
Please Note:
Along with the above permission, I have given the user Reader permission at the storage account level. You could give the Reader permission at the resource level/resource group level/subscription level too.
Permissions granted to a user fall into two planes: the management plane and the data plane.
- The management plane consists of operations on the storage account itself, such as listing the storage accounts in a subscription or retrieving and regenerating the storage account keys.
- The Data plane access refers to the access to read, write or delete data present inside the containers.
- For more info, please refer to: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#management-and-dat...
- To understand about the Built-in roles available for Azure resources, please refer to: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Hence, it is important to grant at least the ‘Reader’ role at the management plane level, so the user can reach the storage account in the Azure portal and test the data plane condition.
Step 5:
Test the condition (in the portal, make sure the authentication method is set to Azure AD User Account and not Access key, otherwise the role assignment is bypassed):
- The user can list the blobs inside the container.
- Downloading or reading a blob fails.
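As an added example that is not part of the original post, the same list-only assignment expressed with the Azure CLI, which is useful when the assignment has to be repeated across storage accounts or kept under review in code. The condition text follows the Azure ABAC condition format for the Read a blob action, which is the `containers/blobs/read` data action excluding the `Blob.List` sub-operation. The post does not show the expression entered in the portal; the always-false expression used here (comparing the container name with a value that can never be a valid container name) is my own choice. The object ID, scope, account, container and blob names are placeholders to be replaced.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a list-only Storage Blob Data Reader
# assignment built with the Azure CLI instead of the portal.
set -euo pipefail

# Condition text in the Azure ABAC condition format (conditionVersion 2.0).
# Shape: "unless the action is a blob read other than the Blob.List sub-operation,
# allow; otherwise the expression must be true". The expression compares the
# container name with a value that can never be a valid container name
# (container names are lowercase letters, digits and hyphens only), so it is
# always false: every non-list read is denied while listing stays allowed.
# Assumption: the post does not show its portal expression; this one is ours.
list_only_condition() {
  cat <<'EOF'
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'READ-DENIED'
 )
)
EOF
}

# Sanity-check a condition before submitting it: balanced parentheses and the
# two tokens that make this a read-but-not-list condition. Returns 0 or 1.
check_condition() {
  local cond="$1" opens closes
  opens=$(( $(printf '%s' "$cond" | tr -cd '(' | wc -c) ))
  closes=$(( $(printf '%s' "$cond" | tr -cd ')' | wc -c) ))
  [ "$opens" -eq "$closes" ] || return 1
  case "$cond" in
    *"containers/blobs/read"*) ;;
    *) return 1 ;;
  esac
  case "$cond" in
    *"SubOperationMatches{'Blob.List'}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1-4: assign Storage Blob Data Reader with the condition attached.
# $1 = object ID of the user (placeholder), $2 = scope, e.g. the storage
# account resource ID (placeholder); scope it to one container if possible.
assign_list_only() {
  local assignee_object_id="$1" scope="$2" cond
  cond="$(list_only_condition)"
  check_condition "$cond" || { echo "refusing to submit a malformed condition" >&2; return 1; }
  az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee-object-id "$assignee_object_id" \
    --assignee-principal-type User \
    --scope "$scope" \
    --condition "$cond" \
    --condition-version "2.0"
}

# Step 5, run as the restricted user: --auth-mode login uses the signed-in
# Azure AD identity rather than an account key, so the condition applies.
# Listing must succeed; downloading a blob must fail with HTTP 403.
verify_list_only() {
  local account="$1" container="$2" blob="$3"
  az storage blob list --account-name "$account" --container-name "$container" \
    --auth-mode login --output table
  if az storage blob download --account-name "$account" --container-name "$container" \
       --name "$blob" --file "$(mktemp)" --auth-mode login >/dev/null 2>&1; then
    echo "UNEXPECTED: blob read succeeded; the condition is not effective" >&2
    return 1
  fi
  echo "OK: list allowed, read denied"
}

# Usage: ./list-only.sh <assignee-object-id> <scope>
if [ "$#" -eq 2 ]; then
  assign_list_only "$1" "$2"
fi
```

The portal validates the expression syntax for you; `check_condition` is a pre-flight check for the CLI path, where a malformed condition only surfaces as an API error. `verify_list_only` is worth running after every change to the assignment, since a later edit that broadens the expression would silently turn the list-only principal into a full reader.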
Related documentation:
- What is Azure attribute-based access control (Azure ABAC)? | Microsoft Learn
- Azure built-in roles - Azure RBAC | Microsoft Learn
- Tutorial: Add a role assignment condition to restrict access to blobs using the Azure portal - Azure ABAC - Azure Storage | Microsoft Learn
- Add or edit Azure role assignment conditions using the Azure portal - Azure ABAC | Microsoft Learn