Understanding Container Access Levels
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
1 hour 52 minutes
All right, Welcome back. This is the first lesson. A module three where we're going to start talking about how we can secure our storage accounts. And our first lesson here is understanding container access levels.
Our objectives include a quick review of container concepts.
We're going to understand our different access levels available
and, of course, jump out to the azure portal and take a look at a demo of how we can change these and the effect they have on our containers.
So first, a quick containers review remember, our hierarchy is we have a storage account at the top and inside a storage accounts we create containers would you can think of as a top level folder in a file system.
And inside the container, we store our individual blobs or files that make up the container.
Remember, containers just organized are blobs together, taking a look at our diagram on the right. From our previous lesson, we have two containers, pictures and movies, and inside each of them we have blob objects stored under each one. Storage accounts can have an unlimited number of containers, and inside those containers, we can have an unlimited number of blobs
up to the storage capacity of the storage account.
So enough of the review there. Let's talk a little bit about our access levels that weaken set on our containers.
1st 1 we have is private, which means no anonymous access,
and that's pretty straightforward. This just means no one's gonna be able to access it anonymously over the Internet. So this is the so Unless you're exposing these containers and blobs to the Internet, most likely you'll want to select the private access level.
Our next access level is blub, which means you have anonymous read access for only the blobs inside the container. This means the blobs within the container can be read by an anonymous request, but information or data about the container itself is not available. Thes anonymous clients and requests cannot enumerates the other blobs within the container.
This means they have the your L for the individual blob object inside the container, but they're not gonna be able to list or view other blob objects within the container.
So if you don't want someone being able to numerator all the other objects and you want to just give access to that specific blob object. This would be the access level you'd want to use. Our third and final access level is container, which this is anonymous. Read access for the container and the blobs.
This means all the container and blob data can be read by the anonymous request
and clients or those anonymous requests can enumerate the blobs within the container, but they're not gonna be able to see the other containers inside the storage account. This is why I brought up the hierarchy in our review of how things are laid out. So this means a client with that anonymous request can few other blobs and enumerate them within that container.
So if you don't mind
the client being all the view, other blogged objects in the container, this would be the access level you'd want to select.
That does it for the concepts. Let's jump out to the airport and take a look at the demo where we're going to change our access levels and view the results on side of our containers and gloves. And then we're gonna look at Microsoft docks and view some code for how you would access containers anonymously
back in the azure portal Insider J B T 2020 storage account. Let's go ahead and click on containers and go check out our containers. We have
you'll notice. Vacation pics is currently set to the blob public access level here on the right, so let's go into it.
And again, I'm gonna select the first blob object here who will click the three dots here and bring up this context menu. Select Properties.
Let's grab this year L for this blob object.
Let's go open a new tab and access it
and were able to access it right now. So remember the access blob level allows anonymous request to via the objects.
So let's go back and select vacation pics to go back into our container here. When a ghost like change access level
and our public access level here, let's switch it over to private, which means no anonymous access. Let's go and click on OK to save this change.
Let's go back to our tab here with our picture will refresh,
and we're going to get an air just saying that this object doesn't exist and we can't access it, which is exactly what we're looking for. We changed it to private no anonymous access, so we can't access the object anymore.
We head back over to our storage account. Let's go back into the vacation pics container.
Let's change our access level again. We'll switch it back to Blob.
Let's go verify. We can access our picture again
and there we have it. So this change is pretty instantaneous and we now have anonymous access again to read this blob object
back to the storage account. I'm going to change the access level again. Let's switch it over to container. Now remember, container should allow us to view the other blob. Objects inside the container itself were supposed to be able to enumerate him, but I want to show you exactly how this works. Let's go ahead and click on OK, to save our change here to container access level.
Let's go back to our blob object here, and I'm going to just take off the foul name here, see if I can access the root of this vacation pics container
and you can see we get an error because you're not actually supposed able to access it through a Web browser like this. You're supposed to use a more programmatic way.
Let's switch over to this Microsoft Docks article here and take a look at what this code would look like.
So first, as we scroll through, just talks about her excess levels, which we've already discussed in this lesson.
But get down here. We can look at setting container public access level with DOT net, and we can use the Azure Storage Client library for .net insider application.
So first we can use it to set our access level. And down here, the bottom is actually has some code examples of how we can access the containers and blobs anonymously.
First, we create anonymous client object here will need the euro of the storage account, blob dot core dot windows dot net and then actually specify the container we want to access. In this case, it would be vacation pics in our example we've been looking at.
And then finally, we can also reference the container anonymously and be able to look at individual objects inside of it. Or you can actually reference a specific blob anonymously with the foul name and even have code to be able to download it.
So I just wanted to show you that you're not actually gonna be able to view the objects inside the container using a Web browser, it's more available there for if you have an application that needs to enumerates individual blob objects inside the container or just access a specific blob inside the container and not view the others
that does it for a demo. Let's jump back to the slides and wrap this up.
That doesn't for a demo. Let's finish this up with a quick quiz question. What are our three container access levels that we can use?
We have private blob and container
that does it for this lesson where we reviewed a couple of container concepts. We learned about our different container access levels.
And, of course, we took a look at a demo of changing access levels
coming up. Next, we're gonna take a look out. We can secure our storage accounts with Azure Active Directory. See you in the next episode.