Brett JB

Reputation: 766

Can you set public / private read access for azure blobs in the same container?

The Azure documentation says that storage blob containers can be made with public or private read access (see here). This says that public access can be set to 'Container' or 'Blob', and explains the differences in the table.

However, it isn't clear if, having set the container with Blob level public access:

container.CreateIfNotExists(Azure.Storage.Blobs.Models.PublicAccessType.Blob);

This implies that the public read access is set on a blob by blob basis, and if so, how to set it up.

However, I am not sure this is true? I have seen various other posts about copying blobs around between different public/private containers, which somewhat backs up my thinking. The client creation doesn't appear to have a public/private setting:

BlobClient blobClient = container.GetBlobClient(filename);

... and using the above coding, then all blobs created have public access.

My problem is that I need to allow users to change the state of uploaded images/videos to public or private. I am wondering if there is a less kludgy way than moving the blobs around between private and public containers?

Upvotes: 1

Views: 2037

Answers (2)

Nisd

Reputation: 1133

You're right in your assumptions, the access level is defined on the container.

To work around your issue, I would suggest granting access to all blobs using Shared Access Signatures. That way your application logic can control access, but all downloads still happen directly from blob storage.

The correct way to do this would be to proxy all requests via your application logic before redirecting the user to a blob URL including the shared access signature. That way you can revoke a link later.

An example flow would then look like:

  1. User accesses https://example.com/images/myimage.png
  2. Application logic determines if "images/myimage.png" should allow anonymous access or if the user should be redirected to login
  3. If access is allowed, the application finds the correct blob in blob storage, and generates a SAS signature
  4. The user is then redirected to "https://example.blob.core.windows.net/images/myimage.png?sastokenstuffhere"

Upvotes: 1
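The flow in the answer above, as an added C# sketch that is not part of the original answer: every blob lives in one container assumed to have anonymous access disabled, the application keeps a per-blob public/private flag, and allowed requests are redirected to a short-lived read-only SAS URL. The `MediaLinks` class, the `IsPublic` map, `ResolveRedirect`, the blob names and the all-zero account key are hypothetical placeholders; the SDK calls are from Azure.Storage.Blobs v12.

```csharp
using System;
using System.Collections.Generic;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

public static class MediaLinks
{
    // Hypothetical per-blob visibility flags; a real application would keep these in its database.
    private static readonly Dictionary<string, bool> IsPublic = new Dictionary<string, bool>
    {
        ["myimage.png"] = true,       // constructed sample data
        ["draft-video.mp4"] = false,
    };

    // Returns a short-lived, read-only SAS URL to redirect to, or null when the request
    // must be refused (unknown blob, or private blob requested by a non-owner).
    public static Uri ResolveRedirect(BlobContainerClient container, string blobName, bool callerIsOwner)
    {
        if (!IsPublic.TryGetValue(blobName, out bool isPublic)) return null;
        if (!isPublic && !callerIsOwner) return null;

        BlobClient blob = container.GetBlobClient(blobName);
        var sas = new BlobSasBuilder
        {
            BlobContainerName = container.Name,
            BlobName = blobName,
            Resource = "b",                                   // token is scoped to this one blob
            Protocol = SasProtocol.Https,
            ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(5),  // short lifetime limits link sharing
        };
        sas.SetPermissions(BlobSasPermissions.Read);
        return blob.GenerateSasUri(sas);                      // signed locally with the account key
    }

    public static void Main()
    {
        // Constructed placeholder credentials; signing is local, so no request is sent.
        var key = new StorageSharedKeyCredential("example", Convert.ToBase64String(new byte[32]));
        var container = new BlobContainerClient(new Uri("https://example.blob.core.windows.net/images"), key);

        Console.WriteLine(ResolveRedirect(container, "myimage.png", callerIsOwner: false));
        Console.WriteLine(ResolveRedirect(container, "draft-video.mp4", callerIsOwner: false) == null);
    }
}
```

Switching a blob to private in the application's store affects new requests immediately; a SAS URL that was already handed out stays usable until its `ExpiresOn` time, which is why the lifetime is kept to minutes.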

juunas

Reputation: 58723

Public access is a container level setting. There are two options for public access: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#set-the-public-access-level-for-a-container.

  • Public read access for blobs only (Blob): Anonymous requests can get blobs by their full URL (caller must know the container and blob name)
  • Public read access for container and its blobs (Container): Anonymous requests can get the blob list for the container (caller must only know the container name)

So I would say that yes, you either have to move them between containers or handle the authorization on your side.

Upvotes: 2
