Make all Azure storage blobs publicly accessible

December 25th 2020 Azure PowerShell

To make blobs in Azure storage publicly accessible, in addition to the account level setting each container also must have its access level set accordingly. My approach to copying content between accounts didn't preserve this property. This meant I had to find a way to set it efficiently for all containers in the account.

My first attempt was to use the Containers list of the storage account in Azure portal.

Containers view for a storage account in Azure portal

It quickly turned out that the user interface wasn't made for massive operations on containers. For multiple reasons:

I couldn't find a way to select all containers in the account, not even all containers on the currently shown page. There is multi-select functionality but each container must be selected individually.
To list all containers, they need to be loaded incrementally in small batches by clicking Load more at the bottom of the list.
Even if you select multiple containers and execute the Change access level command on them, it will fail because of throttling:

Failed to change access level for 1 out of 11 container(s): The request is being throttled as the limit has been reached for operation type - Write_ObservationWindow_00:00:01. For more information, see - https://aka.ms/srpthrottlinglimits

The Azure Storage Explorer interface is even less suitable for this kind of work. The access level can only be changed one container at a time by using a command from the context menu.

Setting container public access in Azure Storage Explorer

A script remained the only reasonable choice for achieving my goal.

I already had to the PowerShell module installed so I only had to connect to the correct Azure account (more details in my previous blog post):

Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId

All that was left, was to iterate over all the containers in the selected storage account and allow public access for each one:

$resGroup = "my-resource-group"
$accountName = "my-storage-account"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $resGroup -Name $accountName
$ctx = $storageAccount.Context
$containers = Get-AzStorageContainer -Context $ctx
foreach ($c in $containers) {
    Set-AzStorageContainerAcl -Container $c.Name -Permission Container -Context $ctx
}

The command Set-AzStorageContainerAcl observes the throttling limits. Therefore, the script will take a while but it won't fail.

Azure has great support for managing resources programmatically. It often makes sense to take advantage of it even in use cases where your first impulse might be to use an interactive tool. Setting permissions (or other properties) on blob containers is one such use case.

Get notified when a new blog post is published (usually every Friday):

Subscribe to the RSS feed
Follow me on X
Follow me on Mastodon

If you're looking for online one-on-one mentorship on a related topic, you can find me on Codementor.

If you need a team of experienced software engineers to help you with a project, contact us at Razum.

Copyright

Damir's Corner.