Read only access using Azure Blob Storage

I have a public repo on GitHub using dvc. I want maintainers to add files using dvc. I will give them a SAS token so they can use the dvc client with their own token. As the repo and contents are public, I would like to create a generic read-only token so anyone can download files with dvc pull. I thought I could do that by setting up the right permissions for the SAS token:

but it seems you can also write with that token. In fact, I was able to add a file with dvc push with the above configuration.

Related: https://techcommunity.microsoft.com/t5/azure/read-only-access-to-azure-storage-account-blob-containers-via/m-p/359229

Does anyone know how to do it properly? Is there any documentation about it?

Thanks

1 Like

Hi @josecelano
I suggest opening a support request in the Azure portal and asking there what permissions need to be set on a SAS token in order to gain read permissions on a storage account using the Python SDK. (No need to mention dvc as that will only lead them on a wrong track…)
Even though this is probably unrelated to the issue, please uncheck the ‘blob versioning permissions’ and make sure that the storage account does not use any Azure-provided blob versioning features. Since you’re using dvc to version data, the on-top versioning of Azure is completely useless.

What’s also worth testing is:

  • are you on a Windows / Linux / Mac machine?
  • which Azure blob connection setting are you using? (what’s your dvc config?)
  • are you sure that you have dvc properly configured with the SAS token that matches the above settings?

Unfortunately there is not much documentation regarding the Python SDK available on the MS side… but here are some examples on how you can configure dvc for Azure: https://dvc.org/doc/command-reference/remote/modify#example-some-azure-authentication-methods

HTH
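
Added example, not part of either post above and not dvc or Azure SDK code: one way to check whether the SAS token a client is configured with matches the intended read-only settings is to read the token's own `sp` (signed permissions) field before publishing it. The function name `audit_sas` is hypothetical, and the sample tokens are constructed with placeholder signatures.

```python
from urllib.parse import parse_qs

# SAS permission letters that only read or enumerate blobs.
READ_ONLY = set("rl")


def audit_sas(token: str) -> dict:
    """Report what a SAS token's own query fields say it grants."""
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    perms = set(fields.get("sp", ""))
    excess = "".join(sorted(perms - READ_ONLY))
    return {
        "permissions": "".join(sorted(perms)),
        # Letters beyond read/list, e.g. w (write), d (delete), a (add), c (create).
        "excess": excess,
        # An empty sp is not proof of read-only: with si set, the permissions
        # live in a stored access policy on the container instead.
        "read_only": bool(perms) and not excess,
        "https_only": fields.get("spr") == "https",
        "stored_policy": fields.get("si"),
    }


# Constructed sample tokens; the signatures are placeholders, not real ones.
SAMPLES = {
    "public-read": "?sv=2021-06-08&ss=b&srt=co&sp=rl"
                   "&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER",
    "maintainer": "sv=2021-06-08&ss=b&srt=sco&sp=rwdlac"
                  "&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER",
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        result = audit_sas(token)
        verdict = "read-only" if result["read_only"] else "NOT read-only"
        print(f"{name}: sp={result['permissions']} -> {verdict} "
              f"(excess: {result['excess'] or 'none'})")
```

The `sp` field is covered by the token's signature, so it reflects what was issued; if a token that audits as read-only still allows a push, the client is likely authenticating with a different credential than that token.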