What if you have two blobs in an Azure Storage Account and a user is suppose to have access to only one of them. To illustrate this, see the image below, the user should only have access to blobs of project Coffee.

You may solve this by adding an extra Storage Container, move one of the files to the new container and create an authorization based on the containers. This is one option, but it may not fit well in your environment.

Another possibility is to add authorization based on attributes, called attribute-based access control (ABAC). Attribute-based access control (ABAC) builds on role-based access control (RBAC) by adding conditions to Azure role assignments.

In this article, I will set up attribute-based access control (ABAC) to an Azure Storage account.

Azure Storage Account

As far as I’ve seen, ABAC is only available for Azure Storage Accounts. So, we start by creating an Azure Storage Account with a Storage container. I created a Storage Account, named “rawstoragewv”, with a container “abac-example”.

For simplicity, I have uploaded two files to this container manually (as seen in the image below).

Then, select a file to open the details and scroll down to the Blob index tags. Here, I added a new key/value pair (Project = Coffee):

In a real world solution, most blobs will be produced/loaded through the process and not uploaded manually. Then it is important to add the tags to the blobs somewhere in your process.

For example, in many of my projects, I am using Azure IoT Hub with a routing endpoint of type Storage Account to store the incoming telemetry to a Storage Account. But you cannot add tags to a blob when using routing endpoints. In this case you should use an Azure Function with an IoT Hub trigger and save the telemetry in blobs with the additional tags.

When using the REST API, you can add tags to blobs by using x-ms-tags in the request header of Put Blob. Or if the blob is already in a container, you can use Set Blob Tags.

Access control

The next step is to add a Role assignment to a Subscription, Resource group or Resource. To do so, I open my subscription and select Access control. When you select Role assignments (see screenshot below) it will display a list of all role assignments created.

To create a new role assignment, select “Add” and then “Add role assignment”.

First, select a role to grant access to the resources. In this case, we want to add the Storage Blob Data reader role. To easily find the right group, you can use the search function.

Next, we can add members to the role assignment. In the screenshot below, I added myself (demo user) to the role assignment. But in most cases, you will select an Azure Active Directory group. Choose carefully, because you can’t change the user/group after creation. This is also a reason to select a group instead of a user, so that you can add users to the group instead of creating a new role assignment.

The conditions tab is the most important in this case. Here we need to specify the condition for the authorization on attributes. To add a new condition, select Add condition.

First, we need to add an action. When you select Add action, a list of all the available actions will appear. For the authorization of the blobs, we only need “Read a blob”.

Next, we need to build an expression:

Because we want to filter on the blob tags, we need to select:

  • Attribute source: Resource
  • Attribute: Blob index tags [Values in key]
  • Key: Project
  • Operator: StringEqualsIgnoreCase
  • Value: Coffee

You may even add multiple conditions, but in this case I only wanted this one. We can now create the role assignment.

Does it work?

To check if everything works as expected, we need to log in as the user we specified in the role assignment. Then, open the Storage Container where the two files are located.

Ensure that the authentication method is set to Azure AD User Account and not Access key.

Now try to open both blobs, we should expect an error message when opening the blob “Example-Telemetry.csv” because this one doesn’t have a project tag “Coffee”.

Just to be sure, we also open the blob “CoffeeMachineExample-Telemetry.csv” with the project tag “Coffee”. As you can see in the screenshot below, we are allowed to open this file.

Conclusion

Attribute-based access control (ABAC) is a powerful way to provide a more fine-grained access control. In this article, we authorized blobs in an Azure Storage Account based on a tag.

The disadvantage, however, is that the authorization on attributes is somewhat hidden. You must look in the role assignment overview and check role assignments on conditions.