Disclaimer you need to evaluate if you need or not to enable this new feature, anonymous read access on Azure Blob Storage, as any client will be able to read the data stored on the corresponding Blob Storage.
As you know, access to data stored on Azure Blob Storage is managed either by implementing Azure AD or Shared Keys authorizations.
With this new capability you can enable an anonymous access if you need to share the data stored on the Blob Storage to anybody without having to share the access keys because you may not know upfront who will access it; similar to publishing on a public website.
For example, this can be useful when you use Azure Blob storage to store public documents being accessible through a link on your public website.
Anonymous access for Blob Storage
To enable this new capability, logon to your Azure portal (https://portal.azure.com/) and search for Storage account (or the name of the existing storage account you want to configure)
Then access the Configuration blade, available under the Settings section
And turn on (or off) the Blob public access
You can also use Azure Cli using the below commands
storage_account_id=$(az resource show –name <name of the storage account> –resource-group <resource group hosting the storage account> –resource-type Microsoft.Storage/storageAccounts –query id –output tsv)
az resource update –ids $storage_account_id –set properties.allowBlobPublicAccess=<true or false depending if you want to allow/disallow the anonymous access>
Anonymous access for Blob Container
Similar to the above anonymous access for Blob Storage, logon to your Azure portal (https://portal.azure.com/) and search for Storage account (or the name of the existing storage account you want to configure)
Then access the Containers configuration blade under the Blob service section
Then select the container(s) you want to enable the anonymous access and open the Change access level to choose the corresponding access level (anonymous for blob only or anonymous access for containers and blob)
You can also use Azure Cli using the below commands
az storage container set-permission –name <container-name> –account-name <account-name> –public-access <container or blob> –account-key <account-key> –auth-mode key
Check/Review if anonymous access is enabled
You can check/review if the anonymous access is enabled by using either the below Azure Cli commands or metrics from the portal
$rgName = <resource group hosting the storage account>
$accountName = <name of the storage account>$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.ContextGet-AzStorageContainer -Context $ctx | Select Name, PublicAccess
Using the metrics blade from the portal, logon to your Azure portal (https://portal.azure.com/) and search for Storage account (or the name of the existing storage account you want to configure)
Then access the Metrics blade under the Monitoring section
Select the following filters for your metric
- Metric Namespace: blob
- Metric: Transactions
- Aggregation: Sum
Then add a filter for authentication with the operator set to = (equal sign) and value set to Anonymous