You must create a custom role that allows the following operations:
To read data from a blob but not write data to the blob
To display a list of containers.
To define the role, you must assign permissions to these operations.
What permissions should you use?
You should use the DataActions permission element to allow reading data from a blob because this is a data operation. The DataActions permission specifies the data operations that the role allows to be performed on the data within that object.
You should use the NotDataActions permission element to exclude writing data to the blob. The NotDataActions permission specifies the data operations that are excluded from the allowed DataActions. The access granted by the role is computed by subtracting the NotDataActions operations from the DataActions operations.
The NotActions permission element is used for management operations. The NotActions permission specifies the management operations that are excluded from the allowed Actions. You should use the NotActions permission if the set of operations that you want to allow is more easily defined by excluding restricted operations. The access granted by a role is computed by subtracting the NotActions operations from the Actions operations.
You should use the Actions permission element to allow displaying a list of containers because this is a management operation rather than a data operation. The Actions permission specifies the management operations that the role allows to be performed. It is a collection of operation strings that identify securable operations of Azure resource providers.
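The subtraction described above can be checked against a concrete role definition. The following is an added example, not part of the original question: the role name, the wildcard variant and the simplified wildcard matching are assumptions, while the operation strings are the Microsoft.Storage operations for containers and blobs.

```python
from fnmatch import fnmatchcase

C = "Microsoft.Storage/storageAccounts/blobServices/containers"

# Constructed role for the scenario above (the name is an assumption).
ROLE = {
    "Name": "Blob reader with container listing (example)",
    "Actions": [f"{C}/read"],                # management: get or list containers
    "NotActions": [],
    "DataActions": [f"{C}/blobs/read"],      # data: read blob content
    "NotDataActions": [f"{C}/blobs/write"],  # data: writes excluded
}

# Variant with a wildcard grant; here the exclusion is what removes write.
WILDCARD_ROLE = dict(ROLE, DataActions=[f"{C}/blobs/*"])


def _matches(patterns, operation):
    # Simplified matching: case-insensitive, '*' matches any run of characters.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def is_allowed(role, operation, data_plane):
    """Effective permission = allow list minus the matching exclusion list."""
    allow, exclude = (("DataActions", "NotDataActions") if data_plane
                      else ("Actions", "NotActions"))
    return _matches(role[allow], operation) and not _matches(role[exclude], operation)


if __name__ == "__main__":
    checks = [
        (ROLE, f"{C}/read", False),
        (ROLE, f"{C}/blobs/read", True),
        (ROLE, f"{C}/blobs/write", True),
        (WILDCARD_ROLE, f"{C}/blobs/write", True),
        (WILDCARD_ROLE, f"{C}/blobs/delete", True),
    ]
    for role, op, data_plane in checks:
        plane = "data" if data_plane else "management"
        print(f"{role['DataActions'][0]:<75} {plane:<10} {op} -> "
              f"{is_allowed(role, op, data_plane)}")
```

With the wildcard variant, the write exclusion works but blob delete stays granted, so listing the exact operations keeps the role closer to least privilege. The exclusion lists only subtract within one role and are not deny rules: a second role assignment that grants the write operation still allows it.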