2

How to create a custom role in Azure using Access Control (IAM), so that another user is able to view the list of files in a blob container but not its contents. Also, the user should not be able to make any changes.

Saqeeb
  • 23
  • 3
  • Does this answer your question? [Azure Storage restrict access one container only](https://stackoverflow.com/questions/65185000/azure-storage-restrict-access-one-container-only) – Sauron Apr 27 '22 at 18:07

1 Answer

1

> How to create a custom role in Azure using Access Control (IAM), so that another user is able to view the list of files in a blob container but not its contents. Also, the user should not be able to make any changes.

I don't think it is possible to do so with RBAC roles.

From this link, both the List Blobs and Get Blob operations require the `Microsoft.Storage/storageAccounts/blobServices/containers/read` permission (scoped to the blob container); thus, if a user is in a role that has this permission, then that user will be able to perform both operations.

However, you can achieve this using a Shared Access Signature (SAS). If you create a SAS on a blob container with just list permissions, using that SAS URL a user will only be able to list blobs in a blob container and nothing else.

Gaurav Mantri
  • 128,066
  • 12
  • 206
  • 241
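
A check for the approach in the answer above, added here as an example and not part of the original answer: it audits a container SAS URL to confirm it grants only list (`sp=l`) at container scope (`sr=c`), over HTTPS, with a short expiry. The account name, container name, `sig` values and the 24-hour lifetime limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: account, container and sig values are placeholders.
GOOD_SAS = ("https://exampleacct.blob.core.windows.net/reports?restype=container"
            "&comp=list&sv=2021-06-08&sr=c&sp=l&se=2022-04-28T06%3A00%3A00Z"
            "&spr=https&sig=CONSTRUCTED")
BAD_SAS = ("http://exampleacct.blob.core.windows.net/reports?sv=2021-06-08"
           "&sr=c&sp=rl&se=2023-04-28T06:00:00Z&sig=CONSTRUCTED")

MAX_LIFETIME = timedelta(hours=24)  # assumed local policy, not an Azure default


def audit_list_only_sas(sas_url, now=None, max_lifetime=MAX_LIFETIME):
    """Return findings for a container SAS URL; an empty list means list-only."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(sas_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    # spr=https makes the service reject the token over plain HTTP.
    if q.get("spr") != "https":
        findings.append("spr is not restricted to https")
    # sr=c scopes the token to the container (sr=b would be a single blob).
    if q.get("sr") != "c":
        findings.append("signed resource (sr) is not a container")
    # sp holds one letter per permission; only 'l' (list) is acceptable here.
    perms = set(q.get("sp", ""))
    if "l" not in perms:
        findings.append("list permission 'l' missing from sp")
    if perms - {"l"}:
        findings.append("extra permissions in sp: " + "".join(sorted(perms - {"l"})))
    # A stored access policy (si) can supply permissions and expiry server-side.
    if "si" in q:
        findings.append("stored access policy referenced; audit the policy too")
    try:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("token has already expired")
        elif expiry - now > max_lifetime:
            findings.append("expiry exceeds the allowed lifetime")
    except (KeyError, ValueError):
        findings.append("missing or unparseable expiry (se)")
    return findings
```

Run the audit on a SAS URL before handing it to the user; any finding means the token grants more than a read-only listing or stays valid longer than the assumed policy allows.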