Public access is not permitted on this storage account
Published Jun 07 2023 03:39 PM 47.1K Views
Microsoft

Have you ever received an error message saying that public access is not permitted on this storage account while trying to access a blob?

 

c4rlosmarin_0-1685564206101.png

Just in case you are really needing to allow public access to your Storage Account, I will show you how to set this configuration, but before doing that, please note the following:

 

c4rlosmarin_1-1685566185232.png

 

Disallowing public access for the storage account overrides the public access settings for all containers in that storage account, preventing anonymous access to blob data in that account. When public access is disallowed for the account, it is not possible to configure the public access setting for a container to permit anonymous access, and any future anonymous requests to that account will fail.

 

To set the AllowBlobPublicAccess property for the storage account, a user must have permissions to create and manage storage accounts. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.Storage/storageAccounts/write action. Built-in roles with this action include:

 

  1. The Azure Resource Manager Owner role
  2. The Azure Resource Manager Contributor role
  3. The Storage Account Contributor role

Once you have an account with such permissions, you can work your way through any of the following ways to enable the "Blob public access" setting on your Storage Account:

 

Azure Portal:

c4rlosmarin_1-1685572300052.png

 

PowerShell:

c4rlosmarin_1-1685573193769.png

 

AZ CLI:

c4rlosmarin_0-1685572851371.png

 

Now, even though you have the ability to enable the Storage Account "allowPublicAccess" setting, we still recommend using the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. To that end, you can also set the public access setting at the container and blob levels:

 

c4rlosmarin_2-1685638173925.png

 

The following table shows the effect that the combination of both settings for a container:

 

c4rlosmarin_0-1685572276905.png

 

When Blob Storage receives an anonymous request, that request will succeed if all of the following conditions are true:

  1. Anonymous public access is allowed for the storage account.
  2. The container is configured to allow anonymous public access.
  3. The request is for read access.

If any of those conditions are not true, then the request will fail. The response code on failure depends on whether the anonymous request was made with a version of the service that supports the bearer challenge. The bearer challenge is supported with service versions 2019-12-12 and newer:

  1. If the anonymous request was made with a service version that supports the bearer challenge, then the service returns error code 401 (Unauthorized).
  2. If the anonymous request was made with a service version that does not support the bearer challenge and anonymous public access is disallowed for the storage account, then the service returns error code 409 (Conflict).
  3. If the anonymous request was made with a service version that does not support the bearer challenge and anonymous public access is allowed for the storage account, then the service returns error code 404 (Not Found).

 

I'll now use Postman to show the above scenarios:

Successful anonymous request:

c4rlosmarin_0-1685636205338.png

 

Failed anonymous request (API version 2023-01-03):

c4rlosmarin_4-1685636692287.png

 

Failed anonymous request (API version 2009-09-19)

c4rlosmarin_2-1685636645789.png

 

Failed anonymous request (API version 2009-09-19, public access allowed at the Storage Account level and access level set to "Private" at the container level):

c4rlosmarin_5-1685636937878.png

 

As you can see, you can get different responses for the same scenario and just based on the API version that was used to send the request. Hopefully this article helps on identifying the root cause for the error message you may get and gives you some helpful information on how to approach your specific scenario.

 

In the meantime, independently on what you are planning to do to meet your business needs, always remember to use the principle of least privilege to lower the potential for security risks.

 

References
=======

Configure anonymous public read access for containers and blobs

https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure

Set-AzStorageAccount

https://learn.microsoft.com/en-us/powershell/module/az.storage/set-azstorageaccount

az storage account update

https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account...

Co-Authors
Version history
Last update:
‎Jun 07 2023 03:38 PM
Updated by: